httpd-users mailing list archives

From Mitchell Krog Photography <mitchellk...@gmail.com>
Subject RE: [users@httpd] Unknown accepted traffic to my site
Date Thu, 06 Oct 2016 12:02:16 GMT
That could well be the case. I have two trap web sites set up which monitor this stuff and
both the http and https get hit daily, in fact the non https site gets hit much more frequently.
Still interested to know if anyone has any more in depth information on exactly what this
type of exploit is. Can’t for the life of me find the reply I got from Berkeley on it.

KR
Mitchell
https://mitchellkrog.com



From: Joe Muller <jmuller@arccorp.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 05 October 2016 at 6:26:54 PM
To: users@httpd.apache.org <users@httpd.apache.org>, tawasolgo@gmail.com <tawasolgo@gmail.com>
Subject:  RE: [users@httpd] Unknown accepted traffic to my site

From the looks of it I would say it is targeting servers running SSL.  Are you serving up
HTTP or HTTPS ?

 
From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site

It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for months. It
started a few months back with the Berkeley University Scanner who are researching by sending
out a string like that and then seeing what response they get. It’s to check for some kind
of exploit. Their IP for their scanner is 169.229.3.91 but now in the last 8 weeks I am seeing
the same string coming in from numerous other IP addresses. 

I no longer run Apache after 9 years of using it, Nginx is unaffected completely in any way
by that kind of buffer overflow string but I cannot speak for Apache anymore personally as
I switched over 4 months ago due to numerous issues with Apache I could not handle anymore. 

My one problem is that Apache as per your logs (I had the same in my apache logs) gives a
200 “OK” response whereas Nginx responds to that with a 400 “Bad Response”.

So exactly what that flaw or web server that string is intended to exploit is still unknown
to me but still keeping a close eye on it daily. I personally have felt since I first started
noticing it that it is perhaps targeting Apache but that is merely a whim and I have nothing
concrete to back that up.

For more info on the Berkeley scanner project visit http://secure-web.cisco.com/1kSe4hH5QaFg5iurDPeLNPEj2NfHD71wJ6ewbgosIG0LZCg4nnchPkhh5UrR8zZG_jbf6-f9AO2Jj0DRVnnFp6Zd8U8t8op7GBrxRIKs1l-mlyOSLHK_Bwd8Wt4Yc2WI-L_yWe_lHopRLE44Fd1oD0hhviJGCfuK8-WiTD293Qk2pUp9n0HmeFtTYXs8bWRiRBl7jm1O7K6ME5Et0IWSLtPfvQLMFkEnOf1t34ifD9hPt-HFblHBRG42diyg9VRacu4n5N7aVn5A_S3T3KRDR3RzGf81KOv7Mx6bqTSFPl_X934G7T3HCxyCrjcyqtGDlqplGwcTAX1MEExuH32QRyhZ7-8IpQkikfrH4wzNZjM0/http%3A%2F%2F169.229.3.91%2F
They do respond to emails and if you want them to not scan your server you
just ask. But as I say it's not just them running that exploit now, it comes from IPs
all over.

KR
Mitchell



From: Tawasol Go <tawasolgo@gmail.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 05 October 2016 at 12:01:58 PM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject:  [users@httpd] Unknown accepted traffic to my site

Hello Guys,

Need to Understand this kind of traffic where I noticed many of them hitting my site.

IP
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605


Please advise.

Thanks,
Karim
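A defender-side check for log lines like the ones pasted above, added here as an example and not code from anyone in the thread: it parses Apache's common log format, reverses the \xHH escaping Apache applies to non-printable bytes in the logged request line, and reports entries whose request line is not a valid HTTP request line yet still received a 2xx status. The sample log is constructed from the two lines in the post plus a normal request and an assumed rejected (400) line for contrast.

```python
import re
from typing import List, Optional

# Apache common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
# A well-formed HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^[A-Z]{3,10} \S+ HTTP/\d\.\d$')
# Escapes Apache writes for non-printable or special bytes in the logged request line
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[nrtbvf"\\])')
SIMPLE_ESCAPES = {'n': 10, 'r': 13, 't': 9, 'b': 8, 'v': 11, 'f': 12, '"': 34, '\\': 92}

# Constructed sample: the two lines from the post, a normal request, and an assumed 400 case
SAMPLE_LOG = [
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605',
    r'203.0.113.7 - - [02/Oct/2016:16:05:01 +0300] "GET /index.html HTTP/1.1" 200 48605',
    r'203.0.113.8 - - [02/Oct/2016:16:06:30 +0300] "\x16\x03\x01" 400 0',
]

def unescape_request(field: str) -> bytes:
    """Reverse Apache's log escaping to recover the bytes that arrived on the wire."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc[0] == 'x' else SIMPLE_ESCAPES[esc])
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)

def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; returns None if it is not in common log format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    raw = unescape_request(m['request'])
    return {'host': m['host'], 'time': m['time'], 'status': int(m['status']),
            'request': m['request'],
            'well_formed': REQUEST_LINE_RE.match(m['request']) is not None,
            'nonprintable': sum(1 for b in raw if b < 0x20 or b > 0x7e)}

def find_accepted_garbage(lines) -> List[dict]:
    """Entries whose request line is not an HTTP request line but still got a 2xx."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and not e['well_formed'] and 200 <= e['status'] < 300:
            hits.append(e)
    return hits

if __name__ == '__main__':
    for e in find_accepted_garbage(SAMPLE_LOG):
        print(f"{e['host']} {e['time']} status={e['status']} "
              f"non-printable bytes={e['nonprintable']} request={e['request'][:40]!r}")
```

Run against a real access log with `find_accepted_garbage(open('access.log'))`; a non-empty result means the server answered binary junk with a success status, which is what Karim's two lines show.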
