httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Canavan <rainer.cana...@sevenval.com>
Subject Re: [users@httpd] Unknown accepted traffic to my site
Date Thu, 06 Oct 2016 12:27:57 GMT
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@arccorp.com> wrote:
> From the looks of it I would say it is targeting servers running SSL.  Are
> you serving up HTTP or HTTPS ?

I don't think that that is valid SSL, unless your httpd discards the
first few bytes.
There was a SANS handler diary entry just yesterday about this:

https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/

if I try `openssl s_client -connect localhost:14020`, I get the below
entry in my access.log,
which matches the description in the diary:

127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
"\x16\x03\x01\x01,\x01" 400 226 "-" "-"

this, however, is something completely different. I'd also guess it's some kind
of vulnerability scan:

> IP
> 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
> "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
> 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
> "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
> 200 48605

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message