From: Joe Muller
To: users@httpd.apache.org, tawasolgo@gmail.com
Date: Wed, 5 Oct 2016 16:26:54 +0000
Subject: RE: [users@httpd] Unknown accepted traffic to my site

From the looks of it I would say it is targeting servers running SSL. Are you serving up HTTP or HTTPS?

________________________________
From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site

It's some kind of buffer overflow attempt. I've been seeing this in logs for months. It started a few months back with the Berkeley University Scanner, who are researching by sending out a string like that and then seeing what response they get. It's to check for some kind of exploit. Their IP for their scanner is 169.229.3.91, but now in the last 8 weeks I am seeing the same string coming in from numerous other IP addresses.

I no longer run Apache after 9 years of using it. Nginx is unaffected completely in any way by that kind of buffer overflow string, but I cannot speak for Apache anymore personally as I switched over 4 months ago due to numerous issues with Apache I could not handle anymore.

My one problem is that Apache, as per your logs (I had the same in my Apache logs), gives a 200 "OK" response whereas Nginx responds to that with a 400 "Bad Response".

So exactly what flaw or web server that string is intended to exploit is still unknown to me, but I am still keeping a close eye on it daily. I personally have felt since I first started noticing it that it is perhaps targeting Apache, but that is merely a whim and I have nothing concrete to back that up.

For more info on the Berkeley scanner project visit http://secure-web.cisco.com/1kSe4hH5QaFg5iurDPeLNPEj2NfHD71wJ6ewbgosIG0LZCg4nnchPkhh5UrR8zZG_jbf6-f9AO2Jj0DRVnnFp6Zd8U8t8op7GBrxRIKs1l-mlyOSLHK_Bwd8Wt4Yc2WI-L_yWe_lHopRLE44Fd1oD0hhviJGCfuK8-WiTD293Qk2pUp9n0HmeFtTYXs8bWRiRBl7jm1O7K6ME5Et0IWSLtPfvQLMFkEnOf1t34ifD9hPt-HFblHBRG42diyg9VRacu4n5N7aVn5A_S3T3KRDR3RzGf81KOv7Mx6bqTSFPl_X934G7T3HCxyCrjcyqtGDlqplGwcTAX1MEExuH32QRyhZ7-8IpQkikfrH4wzNZjM0/http%3A%2F%2F169.229.3.91%2F for more info. They do respond to emails and if you want them to not scan your server you just ask. But as I say it's not just them running that exploit now, it comes from IPs all over.

KR
Mitchell

From: Tawasol Go <tawasolgo@gmail.com>
Reply: users@httpd.apache.org
Date: 05 October 2016 at 12:01:58 PM
To: users@httpd.apache.org
Subject: [users@httpd] Unknown accepted traffic to my site

Hello Guys,

Need to understand this kind of traffic where I noticed many of them hitting my site.

IP
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605

Please advise.

Thanks,
Karim
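Added example, not from anyone in this thread: a Python check over Apache common-log-format lines that decodes the `\xNN` escapes Apache writes for unprintable request bytes, tests whether the request line parses as HTTP at all, and reports the probes the server nevertheless answered with a non-error status, which is the 200-vs-400 difference Mitchell describes. The first two sample lines are the ones Karim posted; the third (a normal GET from 203.0.113.5) is constructed for contrast.

```python
import re

# Apache common log format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# A well-formed HTTP/1.x request line: METHOD SP target SP HTTP/major.minor
REQUEST_LINE_RE = re.compile(rb'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Escapes Apache writes into the access log for bytes it will not log raw
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([nrtbv"\\])')
SIMPLE = {'n': b'\n', 'r': b'\r', 't': b'\t', 'b': b'\b', 'v': b'\v', '"': b'"', '\\': b'\\'}

# First two lines are the ones quoted in the thread; the GET line is constructed.
SAMPLE_LINES = [
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605',
    r'203.0.113.5 - - [02/Oct/2016:12:00:00 +0300] "GET /index.html HTTP/1.1" 200 1234',
]

def unescape_request(logged: str) -> bytes:
    """Recover the raw request-line bytes from the escaped %r field."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(logged):
        out += logged[pos:m.start()].encode('latin-1')
        out += bytes([int(m.group(1), 16)]) if m.group(1) else SIMPLE[m.group(2)]
        pos = m.end()
    out += logged[pos:].encode('latin-1')
    return bytes(out)

def classify(line: str) -> dict:
    """Parse one log line and say whether it is a non-HTTP binary probe."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f'not a common-log-format line: {line!r}')
    raw = unescape_request(m.group('request'))
    unprintable = sum(1 for b in raw if b < 0x20 or b > 0x7e)
    well_formed = REQUEST_LINE_RE.match(raw) is not None
    status = int(m.group('status'))
    return {
        'host': m.group('host'), 'status': status,
        'well_formed': well_formed, 'unprintable_bytes': unprintable,
        'binary_probe': not well_formed and unprintable > 0,
        'accepted': status < 400,   # 2xx/3xx: the server served content for garbage
    }

def scan(lines):
    """Return the probes that the server answered with a non-error status."""
    return [r for r in map(classify, lines) if r['binary_probe'] and r['accepted']]

if __name__ == '__main__':
    for r in scan(SAMPLE_LINES):
        print(f"{r['host']}: {r['unprintable_bytes']} unprintable bytes, status {r['status']}")
```

Run it against a real access log by feeding the file's lines to `scan`; a server that rejects such request lines, as Mitchell reports Nginx does, will yield an empty list because the status is 400.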