Date: Mon, 15 Mar 2010 12:28:06 -0400 (EDT)
From: "S.A. Birl"
To: users@httpd.apache.org
Subject: Re: [users@httpd] Strange logfile entries: 8\r\xff

On Mar 15, 2010, Marten Lehmann (nospam-lehmann@cnm.de.ns) typed:

lehman:> Hello,
lehman:>
lehman:> some of our users noticed that lines like this appear in their
lehman:> logfiles:
lehman:>
lehman:> 58.187.78.42 - - [14/Mar/2010:04:38:53 +0100] "8\r\xff" 400 226 "-" "-"
lehman:>
lehman:> This has been noticed by different customers on different servers. I
lehman:> know that the Referer and Useragent may be empty (shown by the dash),
lehman:> but URI part should at least start with GET or POST.
lehman:>
lehman:> I found nothing with Google on "8\r\xff" but it seems that something
lehman:> is talking to our servers with invalid HTTP. Is "8\r\xff" used to
lehman:> exploit a webserver, but it simply didn't work out on our servers? Has
lehman:> anyone else noticed such entries in the logfiles?

It's been a while since I've seen such malformed requests, but yeah,
usually a crack attempt.

Thanks
 S.A. Birl
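To find entries like the one quoted in this thread across a whole access log, the following added example (not part of the original messages and not Apache's own code) flags every request field that is not a well-formed HTTP request line and counts them per client. The function names and all sample lines except the first are constructed for illustration; it assumes the combined log format shown in the thread.

```python
import re
from collections import Counter

# Combined log format. Inside quoted fields httpd writes '"' as \" and
# non-printable bytes as \xhh or C-style escapes such as \r.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)
# Strict request line: METHOD target HTTP/x.y (HTTP/0.9-style lines are flagged too).
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# One escape token at a time, so an escaped backslash is not misread.
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')


def find_malformed(lines):
    """Return (host, request, status, has_binary) for each non-HTTP request field."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log entry in the expected format
        request = m.group("request")
        if REQUEST_RE.match(request):
            continue
        has_binary = any(t not in ('\\', '"') for t in ESCAPE_RE.findall(request))
        hits.append((m.group("host"), request, int(m.group("status")), has_binary))
    return hits


def hosts_by_count(hits):
    """Count flagged requests per client address, most frequent first."""
    return Counter(h[0] for h in hits).most_common()


# The first entry is the line quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    r'58.187.78.42 - - [14/Mar/2010:04:38:53 +0100] "8\r\xff" 400 226 "-" "-"',
    r'192.0.2.10 - - [14/Mar/2010:04:39:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [14/Mar/2010:04:40:12 +0100] "\x16\x03\x01" 400 226 "-" "-"',
    r'198.51.100.7 - - [14/Mar/2010:04:40:13 +0100] "-" 408 - "-" "-"',
    r'192.0.2.10 - - [14/Mar/2010:04:41:30 +0100] "POST /form HTTP/1.0" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_malformed(SAMPLE_LOG):
        print(hit)
    print(hosts_by_count(find_malformed(SAMPLE_LOG)))
```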