On January 30th I saw the single Suricata alert “ET SCAN Zmap User-Agent (Inbound)”. This is a low severity alert and the target was my web server. Let’s see what that’s all about, shall we?
The network data is:
GET / HTTP/1.1
Host: [REDACTED WAN IP]:[REDACTED CUSTOM PORT]
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Not too much here to go on. The source IP address is 198.199.117.72 (San Francisco, ISP DigitalOcean, LLC). I logged into the web server to see what the Apache log (access.log) says:
198.199.117.72 [30/Jan/2023:01:23:43 -0500] "GET / HTTP/1.1" 200 13295 "-" "Mozilla/5.0 zgrab/0.x"
Still, not a whole lot more information, except that the status code was 200 (HTTP_OK), which means the web server granted the request. Also, the byte count was about 13k. I wonder what they got. Before I could fully investigate, IP 2.59.222.44 (Kyiv, Ukraine, ISP ONEHOSTPLANET) performed the same scan. The byte count was fifty bytes less, but otherwise identical.
I first noticed this last September (IP 174.138.51.196, Clifton, NJ, ISP DigitalOcean, LLC) and saw the following additional information in the Apache logs:
"\x16\x03\x01" 400 493
"\x16\x03\x01" 400 493
"GET / HTTP/1.1" 200 14659
Searching back through prior logs I noticed very similar log entries going back to the beginning. So, what is this “\x16\x03\x01” nonsense, anyhow?
Turns out, the client is trying to perform an HTTPS handshake. My web server has no certificate (my ISP blocks ports 80 and 443), so a certificate is pretty much out of the question. It’s a plain text website over a custom port. It tries once or twice, then it issues the GET method. I’m guessing this is more or less normal. So, what do they want? What do they get?
Good question. The answer might lie with zgrab. According to its GitHub page, “ZGrab is a fast, modular application-layer network scanner designed for completing large Internet-wide surveys” and written in Go. It is part of the ZMap project, a collection of internet scanning tools. I am sure it is grabbing only the banners, but I haven’t investigated enough. Either way, it appears to be harmless enough. I recently purchased a laptop for the sole purpose of doing this sort of testing. Perhaps I can mod the Apache config to be slightly less accommodating with information. I will update in a future post.
But the traffic isn’t very uncommon. In fact I get a hit almost every day. I’ve included log extracts at the bottom. I’ve omitted the byte count and user agent (it’s always “Mozilla/5.0 zgrab/0.x”) for brevity’s sake. For now, I don’t really know what information they get, but I hope they enjoyed what they found.
143.110.186.237 [26/Jan/2023:00:36:52] "GET /aaa9 HTTP/1.1" 404
143.110.186.237 [26/Jan/2023:00:36:55] "GET /aab8 HTTP/1.1" 404
198.199.101.225 [26/Jan/2023:01:18:40] "GET / HTTP/1.1" 200
161.35.39.7 [26/Jan/2023:17:16:43] "GET /aaa9 HTTP/1.1" 404
161.35.39.7 [26/Jan/2023:17:16:45] "GET /aab8 HTTP/1.1" 404
159.203.224.7 [27/Jan/2023:01:20:53] "GET / HTTP/1.1" 200
80.66.77.235 [27/Jan/2023:12:29:26] "GET /../../mnt/mtd/Config/Account1 HTTP/1.1" 400
107.170.240.10 [27/Jan/2023:20:10:41] "GET /druid/index.html HTTP/1.1" 404
198.199.97.61 [28/Jan/2023:01:20:47] "GET / HTTP/1.1" 200
69.164.217.74 [28/Jan/2023:16:02:27] "GET / HTTP/1.1" 301
107.170.247.18 [29/Jan/2023:01:20:53] "GET / HTTP/1.1" 200
198.199.117.72 [30/Jan/2023:01:23:43] "GET / HTTP/1.1" 200
2.59.222.44 [30/Jan/2023:16:12:47] "GET / HTTP/1.1" 200
198.199.108.106 [30/Jan/2023:20:12:12] "GET /druid/index.html HTTP/1.1" 404
2.59.222.44 [30/Jan/2023:21:54:01] "GET / HTTP/1.1" 200
104.131.144.20 [31/Jan/2023:01:27:13] "GET / HTTP/1.1" 200
162.243.132.15 [01/Feb/2023:01:29:23] "GET / HTTP/1.1" 200
192.241.201.42 [02/Feb/2023:01:27:57] "GET / HTTP/1.1" 200
192.241.192.26 [02/Feb/2023:20:12:37] "GET /druid/index.html HTTP/1.1" 404
192.241.236.20 [03/Feb/2023:01:29:05] "GET / HTTP/1.1" 200
162.243.141.19 [04/Feb/2023:01:29:43 -0500] "GET / HTTP/1.1" 200
192.241.232.27 [05/Feb/2023:21:58:24 -0500] "GET /druid/index.html HTTP/1.1" 404
92.241.192.34 [07/Feb/2023:01:38:32 -0500] "GET / HTTP/1.1" 200
198.199.96.218 [08/Feb/2023:01:43:11 -0500] "GET / HTTP/1.1" 200
143.110.222.149 [08/Feb/2023:05:15:58 -0500] "GET /aaa9 HTTP/1.1" 404
143.110.222.149 [08/Feb/2023:05:16:00 -0500] "GET /aab8 HTTP/1.1" 404
178.62.216.118 [08/Feb/2023:14:57:41 -0500] "GET /aaa9 HTTP/1.1" 404
178.62.216.118 [08/Feb/2023:14:57:44 -0500] "GET /aab8 HTTP/1.1" 404
192.241.216.12 [08/Feb/2023:21:56:12 -0500] "GET /druid/index.html HTTP/1.1" 404
162.243.130.21 [09/Feb/2023:01:39:22 -0500] "GET / HTTP/1.1" 200
107.170.232.18 [10/Feb/2023:01:40:24 -0500] "GET / HTTP/1.1" 200
167.99.13.19 [10/Feb/2023:02:10:19 -0500] "GET /aaa9 HTTP/1.1" 404
167.99.13.19 [10/Feb/2023:02:10:21 -0500] "GET /aab8 HTTP/1.1" 404
2.59.222.44 [12/Feb/2023:16:02:48 -0500] "GET / HTTP/1.1" 200
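Two things in this post are worth turning into a repeatable check: decoding the “\x16\x03\x01” request lines as the first three bytes of a TLS record header (content type 0x16 = handshake, record version 3.1), and spotting the pattern of one or two TLS probes against the plain-text port followed by a zgrab GET from the same source. The script below is an added example, not code from the post or from the ZMap project. It parses Apache access.log lines, reverses Apache’s `\xHH` escaping of non-printable request bytes, and groups findings per source IP. The log lines in `SAMPLE_LOG` are constructed with documentation IP ranges; they mimic the format shown in the post but are not the post’s real entries.

```python
import re
from collections import defaultdict

# Constructed sample access.log lines (not the post's real entries). Apache writes
# non-printable bytes in the request line as \xHH, so "\x16\x03\x01" is literal text here.
SAMPLE_LOG = r'''
203.0.113.5 - - [30/Jan/2023:01:23:40 -0500] "\x16\x03\x01" 400 493 "-" "-"
203.0.113.5 - - [30/Jan/2023:01:23:41 -0500] "\x16\x03\x01" 400 493 "-" "-"
203.0.113.5 - - [30/Jan/2023:01:23:43 -0500] "GET / HTTP/1.1" 200 13295 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [30/Jan/2023:02:10:19 -0500] "GET /aaa9 HTTP/1.1" 404 196 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.9 - - [30/Jan/2023:03:00:00 -0500] "GET /index.html HTTP/1.1" 200 13295 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0"
'''.strip()

# Tolerates both the standard combined format and the trimmed format shown in the post
# (no "- -" ident fields, optional referer/user-agent at the end).
LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?: \S+ \S+)? \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# TLS record-layer content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def unescape(field: str) -> bytes:
    """Turn Apache's \\xHH escapes back into the raw bytes the client actually sent."""
    text = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), field)
    return text.encode("latin-1")


def tls_record_header(raw: bytes):
    """Interpret the first bytes of a request line as a TLS record header, if it looks like one.

    Returns None for ordinary HTTP text such as b"GET / HTTP/1.1".
    """
    if len(raw) < 3 or raw[0] not in TLS_CONTENT_TYPES:
        return None
    # Record-layer version is 3.x for SSL 3.0 / TLS 1.0-1.3; a ClientHello commonly
    # carries 3.1 here regardless of the TLS version it negotiates.
    if raw[1] != 3 or raw[2] > 4:
        return None
    return {"content_type": TLS_CONTENT_TYPES[raw[0]], "version": f"{raw[1]}.{raw[2]}"}


def analyse(log_text: str) -> dict:
    """Group per source IP: TLS probes on the plain-text port, zgrab requests, and whether
    a zgrab GET followed a TLS probe (the sequence described in the post)."""
    per_ip = defaultdict(lambda: {"tls_probes": 0, "zgrab_requests": [], "probe_then_get": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in a format we do not understand
        rec = per_ip[m["ip"]]
        header = tls_record_header(unescape(m["req"]))
        if header and header["content_type"] == "handshake":
            rec["tls_probes"] += 1
        elif "zgrab" in (m["ua"] or "").lower():
            rec["zgrab_requests"].append((m["req"], int(m["status"])))
            if rec["tls_probes"]:
                rec["probe_then_get"] = True
    return dict(per_ip)


def flagged_sources(findings: dict) -> list:
    """Sorted list of IPs that sent either a TLS probe or a zgrab-tagged request."""
    return sorted(ip for ip, rec in findings.items() if rec["tls_probes"] or rec["zgrab_requests"])


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for ip in flagged_sources(results):
        rec = results[ip]
        print(f"{ip}: tls_probes={rec['tls_probes']} zgrab={len(rec['zgrab_requests'])} "
              f"probe_then_get={rec['probe_then_get']}")
```

Run it against a real access.log by replacing `SAMPLE_LOG` with the file contents; the `400` responses to “\x16\x03\x01” are Apache rejecting a TLS ClientHello on a port that only speaks plain HTTP, which is why they carry no user agent and why the zgrab string only appears on the GET that follows.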