httpd-users mailing list archives

From "Larry W Burton" <lwbur...@ncat.edu>
Subject Re: [users@httpd] strange encoded requests coming in to my server - like '
Date Tue, 31 May 2011 14:16:00 GMT
Jason,
Congratulations. You are the likely target of a kiddie script attempting a
buffer overflow or "dot dot" variant. Check your error logs and your access
logs to ensure that the attempts were not successful. You can expect 10-20
of these attacks per day.
Larry

Dr. Larry Burton
Associate Professor
Department of Electronics, Computers, and Information Technology
School of Technology
North Carolina Agricultural and Technical State University

-----Jason Vas Dias <jason.vas.dias@gmail.com> wrote: -----

To: users@httpd.apache.org
From: Jason Vas Dias <jason.vas.dias@gmail.com>
Date: 05/31/2011 10:08AM
Subject: [users@httpd] strange encoded requests coming in to my server  -
like '  "\x80F\x01\x03\x01"   '  ??

Now finally able to host a website on my home static-IP ADSL connection,
using Linux (FC-14) apache httpd-2.2.17-1.fc14.x86_64,
with "IP-passthrough" and "Full NAT" enabled on the ADSL router so it
assigns my host its own WAN address,
I'm seeing these strange entries in the access log:

117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3" 501 354 "-" "-"
180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
89.73.88.177 - - [31/May/2011:08:11:26 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
217.117.64.236 - - [31/May/2011:08:34:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
195.138.167.98 - - [31/May/2011:08:39:52 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
89.96.190.244 - - [31/May/2011:08:50:51 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
195.138.167.98 - - [31/May/2011:09:20:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
217.117.64.236 - - [31/May/2011:10:04:43 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
62.141.88.70 - - [31/May/2011:11:40:13 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
178.187.163.117 - - [31/May/2011:12:03:36 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
118.172.80.131 - - [31/May/2011:12:11:57 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
196.44.185.151 - - [31/May/2011:12:25:23 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
62.141.88.90 - - [31/May/2011:12:31:15 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
213.0.79.214 - - [31/May/2011:13:22:46 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"
127.0.0.1 - - [31/May/2011:13:58:54 +0000] "GET /manual/logs.html HTTP/1.1" 200 33676 "http://127.0.0.1/manual/" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"

Can anyone please explain the meaning of these /var/log/httpd/access_log
entries?

I guess this is just opportunist hosts trying to connect to port 80 / port
443 with a garbage protocol?
If so, why are log entries made in the access log and not in the error log?

Or is this some server misconfiguration?
Or perhaps some ADSL router issue?

Isn't there a log format that will print the server's socket address
IP:PORT and/or VirtualHost name in the access log?
Can't seem to find it.

Any suggestions much appreciated,
Regards,
Jason


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




NOTICE: This e-mail correspondence is subject to Public Records Law and may be disclosed to
third parties.
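
Following the advice above to check the access logs, this added example (not part of the thread or of httpd) unescapes each logged request field and labels the leading bytes; the repeated "\x80F\x01\x03\x01" entry decodes as the header of an SSLv2-format ClientHello of length 70 offering version 3.1 (TLS 1.0). The names unescape, classify and scan are hypothetical, and the three sample lines are copied from the log in the post.

```python
import re

# Sample input: three entries copied from the access log in the post, one per line.
SAMPLE = r'''117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3" 501 354 "-" "-"
180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"
'''

# client ident user [time] "request" status ...; the request may hold escaped quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
ESC_RE = re.compile(rb'\\x([0-9a-fA-F]{2})|\\(.)', re.S)
SIMPLE = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'v': b'\v', b'b': b'\b'}

def unescape(field):
    """Undo httpd's log escaping (hex pairs and C-style escapes) to get raw bytes."""
    def one(m):
        if m.group(1):
            return bytes([int(m.group(1), 16)])
        return SIMPLE.get(m.group(2), m.group(2))  # escaped quote/backslash map to themselves
    return ESC_RE.sub(one, field.encode('latin-1'))

def classify(raw):
    """Label the first bytes the client sent, as recovered from the request field."""
    # SSLv2-format record: high bit set + 15-bit length, then message type 1
    # (CLIENT-HELLO) and the offered version, major 3 / minor n.
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 1 and raw[3] == 3:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return f"sslv2-format ClientHello, length {length}, version 3.{raw[4]}"
    # TLS record layer: content type 22 (handshake), version major 3.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 3:
        return f"tls handshake record, version 3.{raw[2]}"
    if re.match(rb'[A-Z]+ \S+ HTTP/\d\.\d$', raw):
        return "http"
    if any(b < 0x20 or b > 0x7E for b in raw):
        return "non-http binary"
    return "malformed text"

def scan(text):
    """Return (client, status, verdict) for every parsable access-log line."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(3)), classify(unescape(m.group(2)))))
    return rows

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(*row, sep="  ")
```
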

