httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anthony Biacco <abia...@handll.com>
Subject Re: [users@httpd] Unknown accepted traffic to my site
Date Thu, 06 Oct 2016 20:08:26 GMT
On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <sporkschivago@gmail.com>
wrote:

>
> There's away to do a reverse IP lookup on the IP address and see if
> there's a DNS entry for it.   That's how I was able to successfully figure
> out who the senders were (Berkeley) originally.   I used dig I believe.   I
> don't have access to my Linux box right now, otherwise I'd check to see if
> the IP addresses are actually from Berkeley.   There's always a chance that
> they're using more than one server / IP now to conduct the scanning.   I
> believe they were originally trying to scan the whole internet.
>
>
based on the IP of 169.229.3.91 given by Mitchell:

91.3.229.169.in-addr.arpa. 9787 IN      PTR
researchscan1.EECS.Berkeley.EDU.

University of California - Office of the President UCSD-NET-169-228
(NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255
University of California at Berkeley ISTDATA (NET-169-229-0-0-2)
169.229.0.0 - 169.229.255.255

-Tony



They had said it's a very specific type of malware that only affects IIS to
> their knowledge.   If you're not running a Windows server running IIS, you
> should be good to go.
>
> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <
> rainer.canavan@sevenval.com> wrote:
>
>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@arccorp.com> wrote:
>> > From the looks of it I would say it is targeting servers running SSL.
>> Are
>> > you serving up HTTP or HTTPS ?
>>
>> I don't think that that is valid SSL, unless your httpd discards the
>> first few bytes.
>> There was a SANS handler diary entry just yesterday about this:
>>
>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTT
>> P+Servers/21551/
>>
>> if I try `openssl s_client -connect localhost:14020`, I get the below
>> entry in my access.log,
>> which matches the description in the diary:
>>
>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
>> "\x16\x03\x01\x01,\x01" 400 226 "-" "-"
>>
>> this, however, is something completely different. I'd also guess it's
>> some kind
>> of vulnerability scan:
>>
>> > IP
>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
>> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
>> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\
>> xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
>> > 200 48605
>>
>> Rainer
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Mime
View raw message