httpd-users mailing list archives

From Tawasol Go <tawaso...@gmail.com>
Subject Re: [users@httpd] Unknown accepted traffic to my site
Date Thu, 06 Oct 2016 21:16:47 GMT
Hits come from all over the world, with no DNS entry found.
Hits come from more than 500 IPs since Jan. 2016.

Other samples: with codes like 400, 408 and 404
0.0.0.0 - - [06/Oct/2016:11:12:08 +0300] "\x8bL\xb0Ri\x8f\x03\xb5\x1f)wI\x92\xfc\xa8\x97B\xcbH4\xaa#\xc1\x17'\xa6\xec3#\t\xed\xc4}[\x14w\xef\xcd\xe8" 400 226
0.0.0.0 - - [06/Oct/2016:10:54:47 +0300] "\xae\x95\\_t\xfc\v\x94\xcbU\x143\xdd\xac$\x92\x1e\xb2!\x8d\xb3\xfd\xf4\xdf:\xa1\x11u\xc89v" 408 221

I blocked the IPs that send such traffic in case they are trying to
inject something into the server.

On Thu, Oct 6, 2016 at 11:08 PM, Anthony Biacco <abiacco@handll.com> wrote:

>
>
> On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <sporkschivago@gmail.com>
> wrote:
>
>>
>> There's a way to do a reverse IP lookup on the IP address and see if
>> there's a DNS entry for it. That's how I was able to successfully figure
>> out who the senders were (Berkeley) originally. I used dig, I believe. I
>> don't have access to my Linux box right now, otherwise I'd check to see if
>> the IP addresses are actually from Berkeley. There's always a chance that
>> they're using more than one server / IP now to conduct the scanning. I
>> believe they were originally trying to scan the whole internet.
>>
>>
> based on the IP of 169.229.3.91 given by Mitchell:
>
> 91.3.229.169.in-addr.arpa. 9787 IN      PTR     researchscan1.EECS.Berkeley.EDU.
>
> University of California - Office of the President UCSD-NET-169-228
> (NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255
> University of California at Berkeley ISTDATA (NET-169-229-0-0-2)
> 169.229.0.0 - 169.229.255.255
>
> -Tony
>
>
>
>> They had said it's a very specific type of malware that only affects IIS
>> to their knowledge. If you're not running a Windows server running IIS,
>> you should be good to go.
>>
>> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <
>> rainer.canavan@sevenval.com> wrote:
>>
>>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@arccorp.com> wrote:
>>> > From the looks of it I would say it is targeting servers running SSL.
>>> > Are you serving up HTTP or HTTPS?
>>>
>>> I don't think that that is valid SSL, unless your httpd discards the
>>> first few bytes.
>>> There was a SANS handler diary entry just yesterday about this:
>>>
>>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/
>>>
>>> If I try `openssl s_client -connect localhost:14020`, I get the entry
>>> below in my access.log, which matches the description in the diary:
>>>
>>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
>>> "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>>>
>>> This, however, is something completely different. I'd also guess it's
>>> some kind of vulnerability scan:
>>>
>>> > IP
>>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
>>> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
>>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
>>> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
>>> > 200 48605
>>>
>>> Rainer
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>
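As an added example (my own code, not posted by anyone in this thread), the following Python script undoes Apache's \xHH log escaping and labels each request line as normal HTTP, a TLS ClientHello sent to a non-SSL port (the case Rainer reproduced with openssl s_client), or an opaque binary probe like the entries Tawasol posted. The sample lines are constructed from the thread's own log entries plus one made-up GET; the labels and the "printable ASCII" threshold are my assumptions.

```python
import re
from collections import Counter
# Constructed sample lines modelled on the thread's entries (0.0.0.0 is the poster's placeholder; the GET line is made up).
SAMPLE_LOG = r'''
127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
0.0.0.0 - - [06/Oct/2016:11:12:08 +0300] "\x8bL\xb0Ri\x8f\x03\xb5\x1f)wI\x92\xfc\xa8\x97B\xcbH4\xaa#\xc1\x17'\xa6\xec3#\t\xed\xc4}[\x14w\xef\xcd\xe8" 400 226
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [06/Oct/2016:12:00:00 +0300] "GET /index.html HTTP/1.1" 200 1234
'''

# Common/combined log layouts, tolerant of a vhost field and a "-" before the request.
LINE_RE = re.compile(r'^(\S+) [^\[]*\[([^\]]+)\] (?:\S+ )*?"((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')
# Apache's log escaping emits \xHH for non-printable bytes plus these C-style escapes.
TOKEN_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([bnrtv\\"])|(.)', re.S)
ESCAPES = {'b': 8, 'n': 10, 'r': 13, 't': 9, 'v': 11, '\\': 92, '"': 34}

def unescape_logitem(field: str) -> bytes:
    """Recover the raw bytes the client sent from an escaped access-log field."""
    out = bytearray()
    for hx, esc, lit in TOKEN_RE.findall(field):
        if hx:
            out.append(int(hx, 16))
        elif esc:
            out.append(ESCAPES[esc])
        else:
            out.append(ord(lit))
    return bytes(out)

def classify(request: bytes) -> str:
    """Label a raw request line: normal HTTP, a TLS handshake aimed at a plain-HTTP port, or opaque binary."""
    if re.match(rb'^[A-Z]{3,8} \S+ HTTP/\d\.\d$', request):
        return 'http'
    # TLS record: type 0x16 (handshake), version 0x03 0x0N, 2-byte length, then handshake type 0x01 (ClientHello).
    if len(request) >= 6 and request[:2] == b'\x16\x03' and request[2] <= 3 and request[5] == 1:
        return 'tls-to-plain-http'
    if any(b < 0x20 or b > 0x7e for b in request):
        return 'binary-probe'
    return 'other'

def parse_line(line: str):
    """Return (ip, status, raw_request, label), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = unescape_logitem(m.group(3))
    return m.group(1), int(m.group(4)), raw, classify(raw)

def summarize(log_text: str) -> Counter:
    """Count hits per label: the split a defender wants before deciding what to block."""
    return Counter(rec[3] for rec in map(parse_line, log_text.strip().splitlines()) if rec)
```

Run it over a real access.log and the 'tls-to-plain-http' bucket points at clients (or a misconfigured vhost) talking SSL to a port that is not, while 'binary-probe' is the traffic worth blocking or rate-limiting.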
