Mysterious ABE requests on my server?!

Posted: Thu Mar 10, 2011 7:43 pm
by Fritz Elfert
Hi all,
I'm running an Apache web server which has mod_security enabled. In the security logs, I recently noticed
recurring requests which get denied (using a 400) by mod_security and which (according to the UA in the header)
appear to come from hosts running some ABE feature. Here is a sample request:

Code:

GET / HTTP/1.0
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
Pragma: no-cache
Cache-Control: no-cache, max-age=259200
Connection: keep-alive

Noticeable anomalies are:
  • The IP in the Host header is usually identical to the request's origin, e.g. NOT my server's IP.
  • Requests don't contain an Accept header.
  • The requests appear to increase at every full hour.

So, here are my questions:
Are these really from ABE?
If yes - assuming some ABE thingy running wild - can I fabricate some reply which stops them querying my server?

Thanks in advance for any hints.
-Fritz

Re: Mysterious ABE requests on my server?!

Posted: Tue Mar 22, 2011 3:17 pm
by Fritz Elfert
Anyone?

Re: Mysterious ABE requests on my server?!

Posted: Tue Mar 22, 2011 10:27 pm
by dhouwn
Fritz Elfert wrote: Are these really from ABE?
Yes.

Code:

User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)

See http://noscript.net/abe/wan.
Fritz Elfert wrote: If yes - assuming some ABE thingy running wild - can I fabricate some reply which stops them querying my server?
You might want to deactivate this functionality since apparently in your case it is not a router interface replying when you access your external IP on port 80. This is what this feature is meant to protect.
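
An added example, not code from any poster in this thread or from the NoScript project: a Python check for the three anomalies listed in the first post (ABE WAN User-Agent, Host header carrying an IP that is not the server's, no Accept header), plus a minute-of-hour count to show the on-the-hour clustering. The server address, the sample requests and timestamps, and all function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

ABE_WAN_UA = "(ABE, http://noscript.net/abe/wan)"  # UA token quoted in the thread

def parse_headers(raw):
    """Return the header fields of a raw HTTP request as a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def anomalies(raw, server_ips):
    """Report which of the first post's anomalies a request shows."""
    h = parse_headers(raw)
    found = set()
    if ABE_WAN_UA in h.get("user-agent", ""):
        found.add("abe-wan-ua")
    host = h.get("host", "")
    if host.count(":") == 1:                       # drop an IPv4 ":port" suffix
        host = host.split(":")[0]
    try:
        if str(ipaddress.ip_address(host)) not in server_ips:
            found.add("foreign-host-ip")
    except ValueError:
        pass                                       # Host is a name, not an IP literal
    if "accept" not in h:
        found.add("no-accept")
    return found

def probes_per_minute(events, server_ips):
    """Count full matches by minute-of-hour to expose the on-the-hour spike."""
    full = {"abe-wan-ua", "foreign-host-ip", "no-accept"}
    return Counter(datetime.fromisoformat(ts).minute
                   for ts, raw in events if anomalies(raw, server_ips) == full)

# Constructed sample data (RFC 5737 documentation addresses), not real log entries.
SERVER_IPS = {"192.0.2.10"}
PROBE = ("GET / HTTP/1.0\nHost: 203.0.113.7\n"
         "User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)\n"
         "Pragma: no-cache\nConnection: keep-alive\n")
BROWSER = ("GET / HTTP/1.1\nHost: 192.0.2.10\n"
           "User-Agent: Mozilla/5.0 (X11; Linux)\nAccept: text/html\n")
EVENTS = [("2011-03-10T18:00:02", PROBE), ("2011-03-10T18:00:41", PROBE),
          ("2011-03-10T18:17:09", BROWSER), ("2011-03-10T19:00:05", PROBE)]

if __name__ == "__main__":
    print(probes_per_minute(EVENTS, SERVER_IPS))
```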