Difference between GET and HEAD in hacking attempts

3 replies
amenex
Joined: 01/03/2015

Going through my website's IP access logs, I see many of the following two entries:

> GET /wp-login.php [and many legitimate downloads as well, of course] versus:

> HEAD /wp-login.php or POST /wp-admin/admin-ajax.php

Anybody trying these particular examples on my website is up to no good, 'cuz
I don't use WordPress and have no WordPress account ...

But: what is a "HEAD" request ?

George Langford

pengnuin
Joined: 08/17/2017

Hi amenex.
I'd agree that those requests may have been executed by someone who's "up to no good"; it's likely, though, that someone just set a vulnerability scanner on you, or some spider was doing whatever a spiderpig... uh... spider does.

To get to your main question: an HTTP HEAD request isn't often used. It's a way to ask a webserver to send the same information that a GET request would yield, without the message body. Only the HEAD - makes sense, right? It can be useful for finding out certain things, saves traffic, keeps bandwidth usage comparatively low, and pretty much retrieves metadata from a webserver. Some information you'll get is whether the website is up, the content length, or when the website was last modified.

- PenGNUin
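To make the HEAD-versus-GET description above concrete, here is an added example (not code from the thread or from either poster): a throwaway Python HTTP server on the loopback interface answers GET and HEAD from the same header-writing code, and a client compares the two responses. The page body and the `Last-Modified` value are constructed sample data, and the `head-demo/1.0` user agent is an arbitrary label.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in page; nothing here is fetched from a real site.
BODY = b"<html><body><h1>MyDomain.com</h1></body></html>"
LAST_MODIFIED = "Fri, 30 Dec 2016 17:17:22 GMT"   # sample value only


class Handler(BaseHTTPRequestHandler):
    """Minimal origin server: GET and HEAD share one header-writing path."""

    protocol_version = "HTTP/1.1"

    def _send_headers(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.send_header("Last-Modified", LAST_MODIFIED)
        self.send_header("Accept-Ranges", "bytes")
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(BODY)          # headers, then the body

    def do_HEAD(self):
        self._send_headers()            # identical headers, body omitted

    def log_message(self, *args):       # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve from a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, method, path="/"):
    """Issue one request; return (status, lower-cased header dict, body bytes)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, path, headers={"User-Agent": "head-demo/1.0"})
        resp = conn.getresponse()
        body = resp.read()             # http.client knows a HEAD reply carries no body
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, body
    finally:
        conn.close()


def compare_head_get(port):
    """HEAD must echo GET's metadata headers while sending zero body bytes."""
    s_get, h_get, b_get = fetch(port, "GET")
    s_head, h_head, b_head = fetch(port, "HEAD")
    # Date is stamped per response and may differ by a second; ignore it.
    meta_get = {k: v for k, v in h_get.items() if k != "date"}
    meta_head = {k: v for k, v in h_head.items() if k != "date"}
    return {
        "status_get": s_get,
        "status_head": s_head,
        "same_metadata": meta_get == meta_head,
        "content_length": int(h_head["content-length"]),
        "get_body_len": len(b_get),
        "head_body_len": len(b_head),
    }


if __name__ == "__main__":
    server = start_server()
    try:
        for key, value in compare_head_get(server.server_address[1]).items():
            print(f"{key}: {value}")
    finally:
        server.shutdown()
```

The thing to look at is `Content-Length`: the HEAD reply reports the size of the body it did not send, so a client learns whether the page exists, how large it is and when it last changed without downloading anything. That is why HEAD is a cheap probe for both uptime monitors and scanners.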

amenex
Joined: 01/03/2015

PenGNUin ventured:
[QUOTE] To get to your main question: an HTTP HEAD request isn't often used. It's a way to ask a webserver to send the same information that a GET request would yield, without the message body. Only the HEAD - makes sense, right? It can be useful for finding out certain things, saves traffic, keeps bandwidth usage comparatively low, and pretty much retrieves metadata from a webserver. Some information you'll get is whether the website is up, the content length, or when the website was last modified.[/QUOTE]

After going through over 90,000 lines of data from the website's log (Aug. 31 to Sep. 14) I see somewhat of a pattern (beyond the WordPress nuisance) of about fifty random IP addresses (half on Amazon AWS servers ... ?) and then twenty specific Russian IP addresses, each one using half a dozen to a couple dozen of a family of Russian and Ukrainian domains to make HEAD requests. There are a number of servers in common among these domains, so they seem to have a similar property or service present among them (unknown to me) that these twenty IP addresses are utilizing to make their HEAD / HTTP/1.1 requests. Some of the Russian IP addresses have no associated domains (or fictitious domains like "example.com") discernible with nslookup, so they are probably robots.

I have not been able to reproduce any HEAD / HTTP/1.1 requests myself to see what exactly is returned by my website's server.

amenex
Joined: 01/03/2015

Answering my own question:

> curl -I MyDomain.com
> HTTP/1.1 406 Not Acceptable
> Date: Sun, 24 Sep 2017 15:20:34 GMT
> Server: Apache
> Content-Type: text/html; charset=iso-8859-1

On further investigation, I find that there is a workaround:

> curl -I --user-agent Mozilla/5.0 MyDomain.com
> HTTP/1.1 200 OK
> Date: Mon, 25 Sep 2017 13:42:36 GMT
> Server: Apache
> Last-Modified: Fri, 30 Dec 2016 17:17:22 GMT
> Accept-Ranges: bytes
> Content-Length: [Redacted]
> Content-Type: text/html

This workaround even obtains results on most of the domains that the twenty Russian IP addy's are using to process their HEAD requests. The workaround is so easy to identify from Internet searches that I wonder why the Russian IP addy's aren't using it. Maybe all they want to know is whether MyDomain.com is still there ... But HEAD obtains much more information than does curl -I, even with the --user-agent Mozilla/5.0 workaround ...

What twenty Russian IP addresses (in a two-week period) are receiving in response to their HEAD / HTTP/1.1 requests sent through a family of Russian and Ukrainian domains is just recorded as "-" in my log, not "406", and that is perplexing.

George Langford
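As an added example in the spirit of the log review described in this thread (not code from the poster or the site), the script below parses a few constructed Apache combined-format lines, counts methods and status codes per client IP, and flags paths that only exist on a WordPress install when the site is known not to run WordPress. The IP addresses, timestamps, paths and user agents are made-up sample data, and the probe-path list is an assumption to tune per site. It also counts one thing worth knowing when reading such logs: in Apache's combined format the size column (`%b`) is written as "-" rather than 0 when no body bytes were sent, which is what every HEAD response produces, while the status code is the separate three-digit column just before it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" LogFormat. The IPs come from
# documentation ranges; none of this is from a real server log.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Sep/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Sep/2017:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible)"
198.51.100.9 - - [02/Sep/2017:10:02:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible)"
192.0.2.44 - - [02/Sep/2017:10:05:30 +0000] "HEAD /wp-login.php HTTP/1.1" 404 - "-" "-"
192.0.2.44 - - [02/Sep/2017:10:05:31 +0000] "HEAD / HTTP/1.1" 406 - "-" "curl/7.55.1"
192.0.2.44 - - [02/Sep/2017:10:05:40 +0000] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0"
this line is garbage and must be skipped rather than crash the parser
"""

# combined format: host ident authuser [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[0-9.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of paths that only make sense against a WordPress install.
WP_PROBE_PREFIXES = (
    "/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/wp-content/", "/wp-includes/",
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, site_runs_wordpress=False):
    """Summarise who asked for what, and how the server answered."""
    methods_by_ip = defaultdict(Counter)    # ip -> {method: count}
    statuses_by_ip = defaultdict(Counter)   # ip -> {status: count}
    wp_probes = Counter()                   # ip -> hits on WordPress-only paths
    head_dash_bytes = 0                     # HEAD lines whose %b column is "-"
    skipped = 0                             # unparseable lines

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ip = rec["ip"]
        methods_by_ip[ip][rec["method"]] += 1
        statuses_by_ip[ip][rec["status"]] += 1
        if not site_runs_wordpress and rec["path"].startswith(WP_PROBE_PREFIXES):
            wp_probes[ip] += 1
        # %b is "-" when no body bytes were sent; every HEAD reply looks like this,
        # whatever its status code in the preceding column.
        if rec["method"] == "HEAD" and rec["bytes"] == "-":
            head_dash_bytes += 1

    return {
        "methods_by_ip": {ip: dict(c) for ip, c in methods_by_ip.items()},
        "statuses_by_ip": {ip: dict(c) for ip, c in statuses_by_ip.items()},
        "wp_probes": dict(wp_probes),
        "head_dash_bytes": head_dash_bytes,
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in sorted(result["wp_probes"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} WordPress probe(s); methods {result['methods_by_ip'][ip]}; "
              f"statuses {result['statuses_by_ip'][ip]}")
    print("HEAD lines with '-' in the size column:", result["head_dash_bytes"])
    print("unparseable lines skipped:", result["skipped"])
```

Run against a real access log (`triage(open(path).read())`), the `wp_probes` table gives the poster's "up to no good" list directly, and `statuses_by_ip` shows whether a given client is getting 406, 404 or 200 back, independent of the "-" in the size column.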