httpd-users mailing list archives

From Joe Muller
Subject RE: [users@httpd] Unknown accepted traffic to my site
Date Wed, 05 Oct 2016 16:26:54 GMT
From the looks of it I would say it is targeting servers running SSL. Are you serving
up HTTP or HTTPS?

From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go;
Subject: Re: [users@httpd] Unknown accepted traffic to my site

It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for months. It
started a few months back with the Berkeley University Scanner who are researching by sending
out a string like that and then seeing what response they get. It’s to check for some kind
of exploit. Their IP for their scanner is but now in the last 8 weeks I am seeing
the same string coming in from numerous other IP addresses.

I no longer run Apache after 9 years of using it, Nginx is unaffected completely in any way
by that kind of buffer overflow string but I cannot speak for Apache anymore personally as
I switched over 4 months ago due to numerous issues with Apache I could not handle anymore.

My one problem is that Apache as per your logs (I had the same in my apache logs) gives a
200 “OK” response whereas Nginx responds to that with a 400 “Bad Response”.

So exactly what flaw or web server that string is intended to exploit is still unknown
to me, but I am still keeping a close eye on it daily. I personally have felt since I first started
noticing it that it is perhaps targeting Apache, but that is merely a whim and I have nothing
concrete to back that up.

For more info on the Berkeley scanner project visit
for more info. They do respond to emails, and if you want them to not scan your server you
just ask. But as I say, it's not just them running that exploit now; it comes from IPs
all over.


From: Tawasol Go
Date: 05 October 2016 at 12:01:58 PM
Subject: [users@httpd] Unknown accepted traffic to my site

Hello Guys,

I need to understand this kind of traffic; I noticed many of these hitting my site.

IP - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
- - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605

Please advise.

