httpd-users mailing list archives

From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Strange access.log entry...
Date Fri, 08 Jul 2016 19:56:54 GMT
I think I can shed a little light on this. I believe it has something to
do with exploits / vulnerabilities. I'm not sure what the hex values are,
but I'm guessing that's part of the exploit. I've tried searching for it
but couldn't find anything. Maybe the query is confusing the search
engines?

Anyway, the IP address: if you research that IP address, you see that it
resolves to researchscan1.eecs.berkeley.edu

If you go there, you see the message:

Hello,

This is a research scanning machine from the University of California at
Berkeley. This machine regularly conducts scans of the entire Internet so
you may have been scanned as part of an ongoing research project.

If you have been or are currently being scanned and would like to opt out,
please email cesr-scanning@lists.eecs.berkeley.edu with the IP ranges you
would like to exclude in CIDR format and we will respond immediately.


If you search Google for the IP address, you see a lot of people saying
this IP address tried hacking into their site or scanned it or something
along those lines. If I were to take a guess, just a guess, I'd guess
that maybe they're conducting a large scan of the internet, trying to find
servers that are exploitable for research purposes. You might be able to
find more information, or someone more knowledgeable might be able to
provide better advice on what to do.

I've also Googled CESR and found this:


Center for Evidence-based Security Research (CESR)
The Center for Evidence-based Security Research is an ongoing collaboration
with researchers at the University of California, San Diego, seeking to
understand modern Internet threats and develop effective countermeasures
using analysis rooted in empirical observation.


I found that here:

 https://www.eecs.berkeley.edu/Research/Areas/Centers/


To me, it seems like it's valid research and they're not actually trying
to do bad stuff; they're just looking for exploitable servers and making a
list of the issues they found. I'd be more interested in knowing if they
actually got in. If they found something, it's just a matter of time
before someone who really wants to do bad stuff finds the same exploit and
takes advantage of it.

I hope this helps.

Sincerely,
Ken

On Fri, Jul 8, 2016 at 3:32 PM, Red-Tail Books <info@redtailbooks.com>
wrote:

> Saw this in my access.log this morning...
>
> 169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15"
> 200 11434 "-" "-"
> Can someone more knowledgeable explain what the "request" was and why it
> was successful? And what 11k of data did apache serve?
>
> Thanks
> dave
>
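
Whatever one makes of the scanner, the first thing a practitioner wants
from an entry like the one Dave posted is the raw bytes Apache actually
received and a yes/no on whether they were HTTP at all. The script below
is an added example, not code from this thread or from the Apache project.
It reverses the escaping mod_log_config applies to the request field
(non-printable bytes become \xNN, quotes and backslashes get a backslash),
classifies each decoded request line, and flags non-HTTP lines that the
server nonetheless answered with a 2xx and a body. The first sample log
line is the one quoted above; the others are constructed for the example.
The "tls" heuristic (a TLS record header, \x16\x03, arriving on a plaintext
port) and the HTTP/0.9 rule are this example's own choices, not anything
the thread states.

```python
"""Triage Apache access.log entries whose request line is not HTTP.

Added example: undoes mod_log_config's escaping of the %r field, decides
whether the request line is a syntactically valid HTTP request, and flags
non-HTTP lines that were answered with a 2xx and a non-empty body.
"""
import re
from typing import List, NamedTuple, Optional

# Leading fields shared by the "common" and "combined" LogFormats:
#   %h %l %u %t "%r" %>s %b   (referer and user-agent may follow)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>-|\d+)'
)

# Escapes produced by Apache's ap_escape_logitem(): \xNN plus a few C-style ones
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[\\"nrtbv])')
_SIMPLE_ESCAPES = {'\\': 0x5c, '"': 0x22, 'n': 0x0a, 'r': 0x0d,
                   't': 0x09, 'b': 0x08, 'v': 0x0b}

# RFC 7230 request-line: method(token) SP request-target SP HTTP-version
REQUEST_LINE_RE = re.compile(rb'^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/\d\.\d$')
# HTTP/0.9 "simple request": only GET, no version field
HTTP09_RE = re.compile(rb'^GET \S+$')


def unescape_logitem(field: str) -> bytes:
    """Recover the raw bytes Apache saw from the escaped log field."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc[0] == 'x' else _SIMPLE_ESCAPES[esc])
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def classify_request(raw: bytes) -> str:
    """Label a decoded request line: http, http09, empty, tls, binary or malformed."""
    if raw == b'-':
        return 'empty'        # Apache logs "-" when nothing was read (e.g. 408 timeout)
    if raw[:2] == b'\x16\x03':
        return 'tls'          # heuristic: TLS record header, a ClientHello on a plaintext port
    if any(b < 0x20 or b >= 0x7f for b in raw):
        return 'binary'       # control or non-ASCII bytes cannot occur in a request line
    if REQUEST_LINE_RE.match(raw):
        return 'http'
    if HTTP09_RE.match(raw):
        return 'http09'
    return 'malformed'        # printable, but not METHOD SP target SP HTTP/x.y


class Finding(NamedTuple):
    host: str
    time: str
    status: int
    nbytes: Optional[int]
    kind: str
    raw_hex: str
    served: bool   # non-HTTP request answered with 2xx and a body: worth a closer look


def triage(log_text: str) -> List[Finding]:
    """Parse common/combined-format lines and classify each request line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # not a common/combined-format line; skip it
        raw = unescape_logitem(m.group('request'))
        kind = classify_request(raw)
        status = int(m.group('status'))
        nbytes = None if m.group('bytes') == '-' else int(m.group('bytes'))
        served = kind not in ('http', 'http09') and 200 <= status < 300 and bool(nbytes)
        findings.append(Finding(m.group('host'), m.group('time'), status,
                                nbytes, kind, raw.hex(), served))
    return findings


# Constructed sample: the first line is the one quoted in the thread,
# the rest are made-up entries illustrating the other classes.
SAMPLE_LOG = r'''169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
203.0.113.7 - - [08/Jul/2016:05:44:30 -0700] "GET /index.html HTTP/1.1" 200 11434 "-" "curl/7.47.0"
198.51.100.9 - - [08/Jul/2016:05:45:01 -0700] "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" 400 226 "-" "-"
192.0.2.4 - - [08/Jul/2016:05:45:09 -0700] "-" 408 - "-" "-"
192.0.2.5 - - [08/Jul/2016:05:45:12 -0700] "GET /" 200 11434 "-" "-"
'''

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        flag = '  <-- non-HTTP request answered with a body' if f.served else ''
        print(f'{f.host:15} {f.status} {f.kind:9} {f.raw_hex}{flag}')
```

To run it over a real log, feed the file contents to triage() (for example
triage(open('/var/log/apache2/access.log').read()), path assumed) and look
at the entries with served=True. The script does not say why Apache
answered a binary line with a 200 and 11434 bytes; it only isolates the
entries for which that question is worth asking, and gives you the exact
bytes to compare against what the same host sent to other servers.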
