jerann n00b
Joined: 26 Jan 2005 Posts: 67
Posted: Sun Oct 31, 2010 8:58 pm Post subject: Strange requests in Apache error log
So today I was working on some php coding on my local development server. Lately I've been using tail -f on my Apache log to see php errors as they come up, and I noticed the following line popup:
Code:
[Sun Oct 31 16:53:10 2010] [error] [client 65.27.237.194] Invalid method in request \x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B
I don't recognize 65.27.237.194 (it's not me), and I don't really understand the error. I never paid very close attention to my Apache log before, but I saw several other similar lines in the log when I checked just now. Is that anything I should be worried about?
BradN Advocate
Joined: 19 Apr 2002 Posts: 2391 Location: Wisconsin (USA)
Posted: Sun Oct 31, 2010 9:01 pm Post subject:
Looks like an exploit attempt of some kind. Probably if you're seeing an error, it's not successful, but I really don't know enough to say for sure.
jerann n00b
Joined: 26 Jan 2005 Posts: 67
Posted: Sun Oct 31, 2010 9:16 pm Post subject:
Well, I checked back, and it looks like I've got requests that look like that going back for a couple of years from different IP addresses. If it's some kind of attack or exploit, it's been going on for a long time (since pretty much the start of the log in Feb 2009).
Does anything in particular make it look like an attack, or just the fact that something unusual is in the error log?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54216 Location: 56N 3W
Posted: Sun Oct 31, 2010 10:27 pm Post subject:
jerann,
\x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B is a string of hex characters.
There is no reason to have that in any legitimate request. It's probably 'shell code'. That is a piece of program that the attacker would like executed.
All the more reason to run an odd arch as a server, since even if the request were to succeed, the shell code won't run and the attack will still fail.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
jerann n00b
Joined: 26 Jan 2005 Posts: 67
Posted: Mon Nov 01, 2010 12:05 am Post subject:
I have some more information. I checked /var/log/apache2/access_log and saw quite a few odd entries in there as well. I filtered out everything that wasn't a GET or POST request and ended up with a 993-line file. The top might shed some light on it:
Code:
61.178.166.94 - - [08/Feb/2009:02:54:50 -0600] "\x13BitTorrent protocol" 400 285
58.217.190.50 - - [08/Feb/2009:02:55:19 -0600] "\x0e'\xd5\xd3Zc\x05\x93#M&\x02\xefa\x89q" 501 291
Those were the very first 2 lines that weren't typical GET/POST requests that are legit. That "BitTorrent" part could have something to do with it... I don't regularly use BitTorrent myself, and why would anything be happening over port 80 for that anyway?
I also saw some like this:
Code:
209.30.39.114 - - [02/Jun/2010:01:16:31 -0500] "SEARCH /\x90\xc9\xc9 ... (incredibly long list of \xc9s snipped)... \x90\x90\x90\x90 ... (incredibly long list of \x90s snipped)... \x90" 414 309
In total the string itself was 28124 characters (after the \ and before the end quote). There were several that looked like that. I guess I'm just wondering... does this look like an attack targeted specifically at my server, or is this some kind of random script probing the Internet for vulnerable servers? I have a dynamic IP address (just a home connection), but I set up a dns through dyndns to point to my server for convenience. Does anyone else with an Internet-facing server get stuff like this? For the most part, I'm the only one who connects to this server that I know of. I also haven't noticed any problems, so unless I'm unwittingly part of a botnet or something, this appears to be harmless.
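Added example, not from the thread or any of its posters: a small Python triage script for exactly the kind of log lines quoted above. Apache writes non-printable request bytes into access_log and error_log as \xHH escapes (and escapes `"` and `\` with a backslash), so the script first decodes that escaping back to raw bytes and then sorts each request into a category: a normal HTTP request line, the BitTorrent peer handshake (its first byte is 0x13, the length of the string "BitTorrent protocol", which is why the quoted line starts with \x13), a long run of 0x90 bytes (the x86 NOP instruction, the classic sled in front of an overflow payload), some other repeated-byte filler, or plain binary garbage. It also flags any non-HTTP request that the server did not reject: a 400, 414 or 501 means Apache's request parser threw the request away before any handler ran, so the worrying case would be a 2xx/3xx on one of these. The sample log lines are constructed, modelled on the ones in the thread but with addresses from the 192.0.2.0/24 documentation range; the 32-byte run threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the entries quoted in the thread.
# Addresses are from the 192.0.2.0/24 documentation range, not real hosts.
_SLED_LINE = (r'192.0.2.13 - - [02/Jun/2010:01:16:31 -0500] "SEARCH /\x90\xc9\xc9\xc9'
              + r"\x90" * 40 + '" 414 309')
SAMPLE_ACCESS_LOG = "\n".join([
    r'192.0.2.10 - - [08/Feb/2009:02:54:50 -0600] "GET /index.php HTTP/1.1" 200 1532',
    r'192.0.2.11 - - [08/Feb/2009:02:54:50 -0600] "\x13BitTorrent protocol" 400 285',
    r'''192.0.2.12 - - [08/Feb/2009:02:55:19 -0600] "\x0e'\xd5\xd3Zc\x05\x93#M&\x02\xefa\x89q" 501 291''',
    _SLED_LINE,
    r'192.0.2.12 - - [02/Jun/2010:01:17:02 -0500] "POST /login.php HTTP/1.1" 302 0',
])
SAMPLE_ERROR_LOG = "\n".join([
    r'[Sun Oct 31 16:53:10 2010] [error] [client 192.0.2.14] Invalid method in request \x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B',
    r'[Sun Oct 31 16:55:00 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
])

# Apache's log escaping: \xHH for non-printable bytes, backslash before " and \.
_ESC = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)')
_ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)$')
_ERROR = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] Invalid method in request (?P<req>.*)$')

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"OPTIONS", b"PUT", b"DELETE", b"TRACE", b"CONNECT",
                b"PATCH", b"PROPFIND", b"PROPPATCH", b"MKCOL", b"COPY", b"MOVE", b"LOCK",
                b"UNLOCK", b"SEARCH"}
SLED_MIN = 32  # arbitrary: a run this long of one byte value is filler, not a path anyone typed


def unescape_apache(field: str) -> bytes:
    """Undo Apache's log escaping and return the raw request bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            ch = m.group(2)
            out += {"n": b"\n", "r": b"\r", "t": b"\t"}.get(ch, ch.encode("latin-1"))
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def longest_run(data: bytes):
    """Return (byte value, length) of the longest run of one repeated byte."""
    best = (None, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best


def classify(req: bytes) -> str:
    """Sort one decoded request line into a coarse category."""
    method = req.split(b" ", 1)[0]
    if method in HTTP_METHODS and all(0x20 <= b < 0x7F for b in req):
        return "http"
    if req.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent-handshake"  # 0x13 = len("BitTorrent protocol"), the handshake's pstrlen byte
    byte, run = longest_run(req)
    if run >= SLED_MIN:
        return "nop-sled" if byte == 0x90 else "repeated-byte-filler"  # 0x90 is the x86 NOP
    return "non-http-binary"


def parse_access_line(line: str):
    m = _ACCESS.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "req": unescape_apache(m["req"])}


def parse_error_line(line: str):
    m = _ERROR.match(line)
    if not m:
        return None  # only "Invalid method in request" entries carry a request to inspect
    return {"ip": m["ip"], "status": None, "req": unescape_apache(m["req"])}


def triage(access_text: str, error_text: str):
    """Return (count per category, suspicious requests per IP, non-HTTP requests Apache did NOT reject)."""
    by_category, by_ip, accepted = Counter(), Counter(), []
    records = [r for r in map(parse_access_line, access_text.splitlines()) if r]
    records += [r for r in map(parse_error_line, error_text.splitlines()) if r]
    for rec in records:
        cat = classify(rec["req"])
        by_category[cat] += 1
        if cat != "http":
            by_ip[rec["ip"]] += 1
            # 400/414/501 mean the request parser discarded it; a 2xx/3xx here would need a closer look
            if rec["status"] is not None and rec["status"] < 400:
                accepted.append(rec)
    return by_category, by_ip, accepted


if __name__ == "__main__":
    cats, ips, accepted = triage(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG)
    print("by category:", dict(cats))
    print("suspicious requests per IP:", dict(ips))
    print("non-HTTP requests not rejected by Apache:", len(accepted))
```

To run it over a real server, replace the two constructed strings with the contents of access_log and error_log; the useful output is the per-IP counter (scanner noise is spread over many source addresses, a targeted probe is not) and the last list, which should be empty.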
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54216 Location: 56N 3W
Posted: Mon Nov 01, 2010 5:56 pm Post subject:
jerann,
61.178.166.94 and 58.217.190.50 are both in China
209.30.39.114 is in the USA
I suspect the attacks are not targeted - they will be scripts scanning the IPv4 address space, then testing anything open on port 80.
The machines the attacks come from may well be compromised. The cynic in me suggests that complaining to abuse@ in China won't help but I have had a good response from US ISPs when I've reported possibly compromised systems.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
jerann n00b
Joined: 26 Jan 2005 Posts: 67
Posted: Thu Nov 04, 2010 5:28 am Post subject:
Well, for the moment I've swapped my apache port and let my router block all other ports. I haven't had any other unusual requests on it in the last few days since I did that, so I'll keep an eye on it, but otherwise I'm not too worried. Thanks