httpd-users mailing list archives

From Joe Muller <jmul...@ARCcorp.com>
Subject RE: [users@httpd] Unknown accepted traffic to my site
Date Wed, 05 Oct 2016 16:26:54 GMT
From the looks of it I would say it is targeting servers running SSL. Are you serving
up HTTP or HTTPS?


________________________________
From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site

It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for months. It
started a few months back with the Berkeley University Scanner who are researching by sending
out a string like that and then seeing what response they get. It’s to check for some kind
of exploit. Their IP for their scanner is 169.229.3.91 but now in the last 8 weeks I am seeing
the same string coming in from numerous other IP addresses.

I no longer run Apache after 9 years of using it, Nginx is unaffected completely in any way
by that kind of buffer overflow string but I cannot speak for Apache anymore personally as
I switched over 4 months ago due to numerous issues with Apache I could not handle anymore.

My one problem is that Apache as per your logs (I had the same in my apache logs) gives a
200 “OK” response whereas Nginx responds to that with a 400 “Bad Response”.

So exactly what flaw or web server that string is intended to exploit is still unknown
to me, but I am still keeping a close eye on it daily. I personally have felt since I first started
noticing it that it is perhaps targeting Apache, but that is merely a whim and I have nothing
concrete to back that up.

For more info on the Berkeley scanner project visit http://secure-web.cisco.com/1kSe4hH5QaFg5iurDPeLNPEj2NfHD71wJ6ewbgosIG0LZCg4nnchPkhh5UrR8zZG_jbf6-f9AO2Jj0DRVnnFp6Zd8U8t8op7GBrxRIKs1l-mlyOSLHK_Bwd8Wt4Yc2WI-L_yWe_lHopRLE44Fd1oD0hhviJGCfuK8-WiTD293Qk2pUp9n0HmeFtTYXs8bWRiRBl7jm1O7K6ME5Et0IWSLtPfvQLMFkEnOf1t34ifD9hPt-HFblHBRG42diyg9VRacu4n5N7aVn5A_S3T3KRDR3RzGf81KOv7Mx6bqTSFPl_X934G7T3HCxyCrjcyqtGDlqplGwcTAX1MEExuH32QRyhZ7-8IpQkikfrH4wzNZjM0/http%3A%2F%2F169.229.3.91%2F
They do respond to emails, and if you want them to not scan your server you
just ask. But as I say, it’s not just them running that exploit now; it comes from IPs
all over.

KR
Mitchell



From: Tawasol Go <tawasolgo@gmail.com>
Reply: users@httpd.apache.org
Date: 05 October 2016 at 12:01:58 PM
To: users@httpd.apache.org
Subject:  [users@httpd] Unknown accepted traffic to my site

Hello Guys,

Need to Understand this kind of traffic where I noticed many of them hitting my site.

IP
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605


Please advise.

Thanks,
Karim
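The two access-log lines quoted in this post, run through a small Python checker. This is an added example, not code from the thread or from the Apache httpd project: it rebuilds the raw bytes from Apache's \xNN log escaping and flags every entry whose request line is not of the form METHOD SP target [SP HTTP/x.y], which is the simplest way to pull this kind of traffic out of an access log and see what status and response size the server answered with. The sample log is constructed: the first two entries are the ones above (client address as the poster gave it), the third is an ordinary GET added for contrast.

```python
"""Flag Apache access-log entries whose request line is not well-formed HTTP.

Added example for this thread; not code from the httpd project.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# A well-formed request line: METHOD SP request-target [SP HTTP/x.y]
# (the version is absent only for an HTTP/0.9 simple request)
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+(?: HTTP/\d\.\d)?$')

# Apache writes the request field with C-style escapes: \xNN for bytes that
# are not printable ASCII, plus \n \r \t \b \f \v \\ and \" for the rest.
ESCAPE_RE = re.compile(r'\\(?:x([0-9a-fA-F]{2})|(.))')
C_ESCAPES = {'n': 0x0a, 'r': 0x0d, 't': 0x09, 'b': 0x08,
             'f': 0x0c, 'v': 0x0b, '\\': 0x5c, '"': 0x22}


def unescape_request(escaped: str) -> bytes:
    """Rebuild the raw bytes Apache received from the escaped log field."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(escaped):
        out.extend(escaped[pos:m.start()].encode('latin-1'))
        if m.group(1) is not None:          # \xNN
            out.append(int(m.group(1), 16))
        else:                               # \n, \", \\ ...
            ch = m.group(2)
            out.append(C_ESCAPES.get(ch, ord(ch)))
        pos = m.end()
    out.extend(escaped[pos:].encode('latin-1'))
    return bytes(out)


def nonprintable_count(raw: bytes) -> int:
    """Number of bytes outside printable ASCII (0x20..0x7e)."""
    return sum(1 for b in raw if b < 0x20 or b > 0x7e)


@dataclass
class Finding:
    host: str
    time: str
    status: int
    size: int
    raw_len: int
    nonprintable: int
    reason: str


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, None for a normal one."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None                         # not a CLF line; ignore
    raw = unescape_request(m.group('request'))
    text = raw.decode('latin-1')
    if not REQUEST_LINE_RE.match(text):
        reason = 'request line is not METHOD SP target [SP HTTP/x.y]'
    elif nonprintable_count(raw):
        reason = 'request line carries non-printable bytes'
    else:
        return None
    size = m.group('bytes')
    return Finding(
        host=m.group('host'), time=m.group('time'),
        status=int(m.group('status')), size=0 if size == '-' else int(size),
        raw_len=len(raw), nonprintable=nonprintable_count(raw), reason=reason,
    )


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run analyse_line over a log and keep the findings, in order."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample: the two entries quoted in the thread (client address as
# the poster anonymised it) plus an ordinary GET for contrast.
SAMPLE_LOG = [
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605',
    r'0.0.0.0 - - [02/Oct/2016:16:05:00 +0300] "GET /index.html HTTP/1.1" 200 48605',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f'{f.host} {f.time}: {f.reason}; {f.nonprintable}/{f.raw_len} '
              f'non-printable bytes, answered {f.status} with {f.size} bytes')
```

Run against a real access log with `scan(open('access.log'))`. Both quoted entries are flagged because their request line has no recognisable method token; the checker also records that the server answered each with 200 and the same 48605-byte body, which is the detail the thread is trying to make sense of.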
