httpd-users mailing list archives

From "plot.lost" <plot.l...@gmail.com>
Subject [users@httpd] Do these log entries show someone trying to hack in?
Date Fri, 24 May 2013 13:26:40 GMT
I've been getting some error log entries about SNI and hostname being
different, and in these cases the SNI used seems to be the correct
hostname but with some extra data on the end, for example:

     Hostname www.example.com\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80 provided via SNI and hostname www.example.com provided via HTTP are different

In this case the extra data was \xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80

but there have been a number of different sets of data, such as:

     A\xe8\x84\xb4A\xc9\xa0\xe0\xa8\xbe\xed\x9c\xbc\xd4\x80

     \xdd\x98\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8

     \xdd\x9a\xe2\xa4\x90\xe0\xaf\xb0\xcb\xb0

     \xdd\xa0\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8

     \xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80

     \xe0\xb1\x82\xe6\xbb\x98\xdd\x99\xc4\x90

Does anyone have any idea as to what this might be for? Are there any 
known/possible exploits in Apache that this might be trying to use?

Server Version: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1a 
running on Ubuntu

Thanks in advance for any hints/advice.




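Added example, not part of the original message or of Apache's own code: a small Python triage helper that parses the mod_ssl mismatch entry quoted in the post, turns the `\xNN` escapes back into raw bytes, and reports what was appended to the expected hostname. The function names are hypothetical, and it assumes the log escapes non-printable bytes only as `\xNN`; the sample line is the entry from the post.

```python
import re

# Message wording as quoted in the post (mod_ssl SNI/Host mismatch).
MISMATCH = re.compile(
    r"Hostname (?P<sni>\S+) provided via SNI and hostname (?P<http>\S+) "
    r"provided via HTTP are different"
)
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Sample input: the log entry from the post, on one line.
SAMPLE = (r"Hostname www.example.com\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80 "
          r"provided via SNI and hostname www.example.com "
          r"provided via HTTP are different")


def unescape(field):
    """Rebuild the raw bytes from a logged field (assumes only \\xNN escapes)."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(field):
        out += field[pos:m.start()].encode("utf-8")  # literal characters
        out.append(int(m.group(1), 16))              # one escaped byte
        pos = m.end()
    out += field[pos:].encode("utf-8")
    return bytes(out)


def analyse(line):
    """Return details of an SNI/Host mismatch entry, or None if no match."""
    m = MISMATCH.search(line)
    if m is None:
        return None
    sni, http = unescape(m["sni"]), unescape(m["http"])
    # Interesting case from the post: SNI is the HTTP host plus trailing bytes.
    extra = sni[len(http):] if sni.startswith(http) else None
    codepoints = None
    if extra:
        try:
            codepoints = [f"U+{ord(c):04X}" for c in extra.decode("utf-8")]
        except UnicodeDecodeError:
            pass  # trailing bytes are not well-formed UTF-8
    return {
        "http_host": http.decode("utf-8", "replace"),
        "sni_has_http_prefix": extra is not None,
        "extra_bytes": extra,
        "codepoints": codepoints,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Running `analyse` over every matching line in the error log and grouping by `extra_bytes` shows how many distinct suffixes are arriving and whether each one is well-formed UTF-8.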