Hi Hank,

On Sun, Jun 27, 2010 at 02:12:35PM -0700, Hank A. Paulson wrote:
> I got this error hit via the haproxy socket. I noticed that there are
> a few hits when searching for it, all related to corrupt headers with
> lighttpd and people seem to be assuming it is lighttpd's fault but in
> the case I received, it is clear that there are some junk characters
> at the beginning of the request. (Perhaps lighttpd needs an option to
> print errors with hex encoding in order to see the characters causing
> the problems there)
> 
> There is also this proxy blocking module for nginx that lists it when
> searching for signs of a proxy:
> http://www.linuxboy.net/nginx/ngx_http_proxyblock_module.c.txt
> 
> I am wondering if this is some kind of web "fuzzer" software or if it
> is just poorly coded proxy software or if other people have seen
> problems with requests with a MT-Proxy-ID. (All the listings that I
> have seen, locally and on the web, that include the MT-Proxy-ID
> header have the same 1804289383 value.)
> 
> Thanks for any insights.

Don't you think this could simply be some discovery attack or bypass
attempts? The strangest part is the \x00, which, if intentionally
left here, may be present to try to fool some HTTP parsers. Perhaps
it targets a very specific product and was just blocked here. Anyway,
if it's normally encountered with lighttpd, you may want to share that
with the lighttpd guys so that they for once get a full dump of the
abnormal request.

> [04/Jun/2010:01:40:10.550] frontend abc (#1): invalid request
>   src w.x.y.z, session #25252051, backend <NONE> (#-1), server <NONE> (#-1)
>   request length 327 bytes, error at position 0:
> 
>   00000  \x04\x02\x00POST /a/b/c/d HTTP/1.0\r\n
>   00054  User-Agent: Mozilla/5.0 (compatible; MSIE 6.0;)\r\n
>   00118  Host: foo.bar\r\n
>   00137  Accept: */*\r\n
>   00150  Content-Length: 8\r\n
>   00169  Content-Type: application/x-www-form-urlencoded\r\n
>   00218  MT-Proxy-ID: 1804289383\r\n
>   00243  X-Forwarded-For: x.y.z.w\r\n
>   00276  Connection: Keep-Alive\r\n
>   00300  Keep-Alive: 300\r\n
>   00317  \r\n
>   00319  xa=23123

Best regards,
Willy
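
Added example, not part of the original thread and not haproxy code: a Python sketch that rebuilds the raw request from an error dump in the layout quoted above and reports any bytes ahead of the method token, such as the \x04\x02\x00 prefix. The function names are hypothetical, the sample is abridged from the quoted dump, and the escape set handled (\xHH, \r, \n, \t, \\) is an assumption based on what the dump shows.

```python
import re

# Abridged from the dump quoted in the thread; offsets are kept as posted and
# are not used for validation (the posted request was anonymised).
SAMPLE_DUMP = r"""
>   00000  \x04\x02\x00POST /a/b/c/d HTTP/1.0\r\n
>   00118  Host: foo.bar\r\n
>   00218  MT-Proxy-ID: 1804289383\r\n
>   00317  \r\n
>   00319  xa=23123
"""

LINE_RE = re.compile(r"^[>\s]*\d{5}  (.*)$")          # "<offset>  <escaped text>"
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([rnt\\])")
SIMPLE = {"r": b"\r", "n": b"\n", "t": b"\t", "\\": b"\\"}
METHOD_RE = re.compile(rb"[A-Z]+ ")                   # first method-like token


def decode_escaped(text):
    """Turn the dump's printable escapes back into the bytes that were received."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes([int(m.group(1), 16)]) if m.group(1) else SIMPLE[m.group(2)]
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))


def rebuild_request(dump):
    """Concatenate every dump line into the raw request buffer."""
    matches = (LINE_RE.match(line) for line in dump.splitlines())
    return b"".join(decode_escaped(m.group(1)) for m in matches if m)


def inspect_request(raw):
    """Report bytes ahead of the method and control bytes in the request head."""
    findings = []
    m = METHOD_RE.search(raw)
    start = m.start() if m else len(raw)
    if start:
        findings.append(("leading-junk", raw[:start]))
    head = raw.split(b"\r\n\r\n", 1)[0]
    ctl = sorted({b for b in head if (b < 0x20 and b not in b"\t\r\n") or b == 0x7F})
    if ctl:
        findings.append(("control-bytes-in-head", bytes(ctl)))
    return findings


if __name__ == "__main__":
    for name, data in inspect_request(rebuild_request(SAMPLE_DUMP)):
        print(name, data)
```

Working on the rebuilt bytes rather than the escaped text makes it possible to compare captures from different front ends byte for byte.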