Now it's sending random hex encoded binary payloads in the query string. Weird. I've been doing this for a long time and haven't seen this type of traffic lol
They won't give up, will they? 🤣 Is it really random, or something like shellcode maybe?
Some examples. I haven't tried to decode it. CyberChef to the rescue!

147.182.162.162 - - [17/Nov/2024:19:52:30 +0000] "HELP" 400 150 "-" "-"
147.182.162.162 - - [17/Nov/2024:19:52:30 +0000] "\x1B\x84\xD5\xB0]\xF4\xC4\x93\xC50\xC2X\x8C\xDA\xB1\xD7\xAC\xAFn\x1D\xE1\x1E\x1A3*\x85\xB7\x1D'\xB1\xC9k\xBF\xF0\xBC" 400 150 "-" "-"
147.182.162.162 - - [17/Nov/2024:19:52:30 +0000] "batman" 400 150 "-" "-"

147.182.162.162 = prod-boron-nyc1-32.do.binaryedge.ninja
Some of it might be disguised, regex? I see a * and a ' in there. It doesn't decode to anything readable as far as I can tell.
Right! It does look like it has some structure to it and isn't completely random, but as assembly it's complete nonsense:

$ rasm2 -a x86 -b 64 -d '1b84d5b05df4c493c530c2588cdab1d7acaf6e1de11e1a332a85b71db1c96bbff0bc'
sbb eax, dword [rbp + rdx*8 - 0x3b0ba250]
xchg ebx, eax
vcmpps xmm11, xmm9, xmmword [rax - 0x74], 0xda
mov cl, 0xd7
lodsb al, byte [rsi]
...

$ rasm2 -a arm -b 64 -d '1b84d5b05df4c493c530c2588cdab1d7acaf6e1de11e1a332a85b71db1c96bbff0bc'
adrp x27, 0xffffffffab081000
extr x29, x2, x4, 0x3d
ldr x5, 0xfffffffffff84620
invalid
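As an added example (not posted by anyone in the thread), here is a small Python triage script that parses the three access-log lines quoted above, reverses nginx's backslash-x-HH log escaping back into the raw request bytes, and scores each request by printable ratio and Shannon entropy so random-looking probes can be separated from plain text before anyone reaches for a disassembler. The 0.9 entropy-ratio threshold and the label names are my own heuristic choices, not anything from the page or from nginx.

```python
import math
import re
from collections import Counter

# The three access-log lines quoted in the thread (verbatim from the page). A raw string
# keeps nginx's \xHH escapes as literal text, exactly as they appear in the log file.
RAW_LOG = r'''
147.182.162.162 - - [17/Nov/2024:19:52:30 +0000] "HELP" 400 150 "-" "-"
147.182.162.162 - - [17/Nov/2024:19:52:30 +0000] "\x1B\x84\xD5\xB0]\xF4\xC4\x93\xC50\xC2X\x8C\xDA\xB1\xD7\xAC\xAFn\x1D\xE1\x1E\x1A3*\x85\xB7\x1D'\xB1\xC9k\xBF\xF0\xBC" 400 150 "-" "-"
147.182.162.162 - - [17/Nov/2024:19:52:30 +0000] "batman" 400 150 "-" "-"
'''
LOG_LINES = RAW_LOG.strip().splitlines()

# Combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"$')
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')  # one escaped byte: backslash, x, two hex digits

def unescape_request(field: str) -> bytes:
    # nginx writes non-printables, quotes and backslashes as backslash-x-HH; undo that.
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')  # literal printable run before the escape
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    # Bits per byte; log2(len) is the ceiling reached when every byte is distinct.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def printable_ratio(data: bytes) -> float:
    return sum(0x20 <= b < 0x7F for b in data) / len(data) if data else 0.0

def label_request(data: bytes) -> str:
    # Rough triage signal only: near-uniform bytes look like fuzz/random probes, while
    # structured binary (repeated opcodes, embedded strings) sits well below the ceiling.
    if not data:
        return 'empty'
    if printable_ratio(data) == 1.0:
        return 'text'
    ceiling = math.log2(len(data)) if len(data) > 1 else 1.0
    return 'binary/near-random' if shannon_entropy(data) / ceiling >= 0.9 else 'binary/structured'

def triage(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f'unparsed log line: {line!r}')
    data = unescape_request(m.group(3))
    return {'ip': m.group(1), 'status': int(m.group(4)), 'request': data, 'hex': data.hex(),
            'entropy': round(shannon_entropy(data), 3), 'label': label_request(data)}

for rec in map(triage, LOG_LINES):
    print(rec['ip'], rec['status'], rec['label'], rec['entropy'], rec['hex'])
```

The decoded binary request is 35 bytes and keeps the literal `'` (0x27) between \x1D and \xB1, so its hex differs from the 34-byte string passed to rasm2 above; when copying such payloads into a shell, quote characters are the first thing to go missing.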