Writing

Software, technology, sysadmin war stories, and more.
Friday, October 7, 2016

1213486160 has a friend: 1195725856

Back in February, I wrote about finding a ridiculous number being passed to malloc. That number was 1213486160, and it turned out to be "HTTP" on the wire.

If you search the web for that, besides finding my original post, you'll find lots of people who have had stuff break and can't quite figure out why.

I'm making this mini-post tonight to do a public service. There's another number you'll probably see a fair bit if you work in the same space that has 1213486160 show up in it. That number is 1195725856.

>>> hex(1195725856)
'0x47455420'

See those 4x and 5x hex values with a 20 on the end? That should get you to raise an eyebrow. What does it say? Well, it's the flip side of the whole "HTTP" situation.

>>> chr(0x47), chr(0x45), chr(0x54), chr(0x20)
('G', 'E', 'T', ' ')

Yep, "GET ", as in "GET / HTTP/1.0" or similar.

In other words, if you see 1195725856 showing up in your logs, you're probably getting connections from things speaking HTTP at you: actual web browsers, security scanners, people running curl and wget, elite hax0rs trying to own you, and so on.
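As an added example (not code from the original post), here is one way a reader for a length-prefixed protocol could catch this before the value ever reaches an allocator, and say why in the log line. The function names, the 4-byte big-endian prefix, and the 16 MiB cap are assumptions made for the illustration; it also goes slightly beyond the post by handling a little-endian read of the same bytes.

```python
MAX_FRAME = 16 * 1024 * 1024  # assumed sanity cap for this example


def ascii_view(n, byteorder="big"):
    """Return the 4 wire bytes behind a 32-bit length as text, or None.

    byteorder is how the reader interpreted the bytes. Masking to 32 bits
    also copes with values that were logged as signed integers.
    """
    raw = (n & 0xFFFFFFFF).to_bytes(4, byteorder)
    if all(0x20 <= b <= 0x7E for b in raw):  # printable ASCII only
        return raw.decode("ascii")
    return None


def parse_length_prefix(header, max_frame=MAX_FRAME):
    """Parse a 4-byte big-endian length prefix, rejecting absurd sizes.

    The check happens before any buffer is allocated, and the error text
    includes the ASCII reading when the "length" is really protocol text.
    """
    if len(header) != 4:
        raise ValueError("need exactly 4 header bytes")
    length = int.from_bytes(header, "big")
    if length > max_frame:
        text = ascii_view(length)
        hint = ""
        if text is not None:
            hint = f" (bytes spell {text!r}; peer is likely speaking a text protocol)"
        raise ValueError(f"frame length {length} exceeds cap {max_frame}{hint}")
    return length


if __name__ == "__main__":
    # Constructed inputs: the two numbers from these posts and a sane length.
    for value in (1195725856, 1213486160, 1024):
        print(value, "->", ascii_view(value))
    try:
        parse_length_prefix(b"GET ")
    except ValueError as err:
        print(err)
```
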

This one goes out to my friends at work who found another oddity in a production system and unraveled the significance. Welcome to the funny number spotting club!