What was the aim of this invalid HTTP request that tells a story about goats in the request URI?
I don't know what the REDACTED
part consisted of, but I can tell you that the bytes \xf0\x9f\x90\x90
correspond to a picture of a goat in UTF-8:
Here it is:
Note: On a whim, I also looked up the Intel opcodes corresponding to these byte values. They don't do anything interesting at all — 0x90 is NOP (does nothing), 0x9f is LAHF (load FLAGS into AH register), and 0xf0 is LOCK (which will raise an illegal instruction error when followed by LAHF).
This looks similar to the poetry that was being sent out at the Chaos Communications Congress in Hamburg. In particular, it starts using the HEAD as part of the poetry (the example below uses DELETE to start the line).
https://nakedsecurity.sophos.com/2016/01/07/millions-of-servers-infected-with-poem-inviting-them-to-jump-in-the-river/
Just found the same request in my access.log with this url :
http://massgoat4u.megabrutal.com/
What's this?
Being inspired by #masspoem4u, I try to repeat what they did: to distribute a unique HTTP request to all IPv4 addresses around the globe.
How did you do this?
I use a slightly modified version of Robert Graham's masscan, just like the masspoem4u guys did at CCC. However, I don't have such a fast network as theirs, so my scan will approximately take a week to go through. You can find an interesting article of masscan here.
Does it do any harm?
Of course not. It is totally harmless. The only thing you should perceive is the message in your HTTP log. Since one IP gets only one request, and the order of probes are randomized, it does not drain your resources and does not overload your network.
Didn't notice anything else unusual except a request from another IP adress containing other UTF-8 bytes but it may be unrelated.
[XXX.XXX.XXX.XXX] - - [DATE] "\xad\x17\x15\xd2\xf0\xa2y\xec\xc9\xe6\xe2\xe2\xd1\"\xb1\"\x88\x82Ojo\xb8Q\xa0r\xd5\xfe\xe5E\x9a\x01\xfcf\x18\xff\x9d\x05\x1dh\xa1\xc61\xea;\x04F\x8b\xb1SgEhGk\x86&\x93b<O" 200 11899 "-" "-"