Gentoo Forums
Strange requests in Apache error log
jerann (n00b, Joined: 26 Jan 2005, Posts: 67)
Posted: Sun Oct 31, 2010 8:58 pm    Post subject: Strange requests in Apache error log

So today I was working on some PHP coding on my local development server. Lately I've been using tail -f on my Apache log to see PHP errors as they come up, and I noticed the following line pop up:

Code:

[Sun Oct 31 16:53:10 2010] [error] [client 65.27.237.194] Invalid method in request \x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B


I don't recognize 65.27.237.194 (it's not me), and I don't really understand the error. I never paid very close attention to my Apache log before, but I saw several other similar lines in the log when I checked just now. Is that anything I should be worried about?
BradN (Advocate, Joined: 19 Apr 2002, Posts: 2391, Location: Wisconsin (USA))
Posted: Sun Oct 31, 2010 9:01 pm

Looks like an exploit attempt of some kind. Probably if you're seeing an error, it's not successful, but I really don't know enough to say for sure.
jerann (n00b, Joined: 26 Jan 2005, Posts: 67)
Posted: Sun Oct 31, 2010 9:16 pm

Well, I checked back, and it looks like I've got requests that look like that going back for a couple of years from different IP addresses. If it's some kind of attack or exploit, it's been going on for a long time (since pretty much the start of the log in Feb 2009).

Does anything in particular make it look like an attack, or just the fact that something unusual is in the error log?
NeddySeagoon (Administrator, Joined: 05 Jul 2003, Posts: 46339, Location: 56N 3W)
Posted: Sun Oct 31, 2010 10:27 pm

jerann,

\x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B is a string of hex characters.
There is no reason to have that in any legitimate request. It's probably 'shell code'. That is a piece of program that the attacker would like executed.

All the more reason to run an odd arch as a server, since even if the request were to succeed, the shell code won't run and the attack will still fail.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
jerann (n00b, Joined: 26 Jan 2005, Posts: 67)
Posted: Mon Nov 01, 2010 12:05 am

I have some more information. I checked /var/log/apache2/access_log and saw quite a few odd entries in there as well. I filtered out everything that wasn't a GET or POST request and ended up with a 993-line file. The top might shed some light on it:

Code:

61.178.166.94 - - [08/Feb/2009:02:54:50 -0600] "\x13BitTorrent protocol" 400 285
58.217.190.50 - - [08/Feb/2009:02:55:19 -0600] "\x0e'\xd5\xd3Zc\x05\x93#M&\x02\xefa\x89q" 501 291


Those were the very first 2 lines that weren't typical GET/POST requests that are legit. That "BitTorrent" part could have something to do with it... I don't regularly use BitTorrent myself, and why would anything be happening over port 80 for that anyway?

I also saw some like this:

Code:

209.30.39.114 - - [02/Jun/2010:01:16:31 -0500] "SEARCH /\x90\xc9\xc9 ... (incredibly long list of \xc9s snipped)... \x90\x90\x90\x90 ... (incredibly long list of \x90s snipped)... \x90" 414 309


In total the string itself was 28124 characters (after the \ and before the end quote). There were several that looked like that. I guess I'm just wondering... does this look like an attack targeted specifically at my server, or is this some kind of random script probing the Internet for vulnerable servers? I have a dynamic IP address (just a home connection), but I set up DNS through DynDNS to point to my server for convenience. Does anyone else with an Internet-facing server get stuff like this? For the most part, I'm the only one who connects to this server that I know of. I also haven't noticed any problems, so unless I'm unwittingly part of a botnet or something, this appears to be harmless.
NeddySeagoon (Administrator, Joined: 05 Jul 2003, Posts: 46339, Location: 56N 3W)
Posted: Mon Nov 01, 2010 5:56 pm
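A defender-side way to do the filtering jerann describes above, added here as an example that is not part of the thread: parse common-log-format lines, flag request lines that carry Apache's \xNN escapes for non-printable bytes, an unknown method, a long run of \x90 (the SEARCH entries) or an excessive length, and tally them per source address so the noisy ones can be reported to abuse@. The sample lines are constructed to resemble the quoted entries (documentation-range addresses), and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample access_log lines modelled on the entries quoted in the thread;
# \x escapes are literal backslash-x-hex, exactly as Apache writes them to the log.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [08/Feb/2009:02:54:50 -0600] "GET /index.php HTTP/1.1" 200 1532',
    r'198.51.100.7 - - [08/Feb/2009:02:54:50 -0600] "\x13BitTorrent protocol" 400 285',
    r'''198.51.100.8 - - [08/Feb/2009:02:55:19 -0600] "\x0e'\xd5\xd3Zc\x05\x93#M&\x02\xefa\x89q" 501 291''',
    '203.0.113.4 - - [02/Jun/2010:01:16:31 -0500] "SEARCH /' + r'\xc9' * 20 + r'\x90' * 40 + '" 414 309',
])

# Common log format prefix: client, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')   # Apache's escaping of a non-printable byte
NOP_SLED_RE = re.compile(r'(?:\\x90){16,}')    # long run of x86 NOPs, as in the SEARCH requests
KNOWN_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}
MAX_REQUEST_LEN = 4096                         # assumed cap; the 28124-char request far exceeds it

def parse_line(line):
    """Split one access_log line into fields; None if the line is not in common log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, request, status, size = m.groups()
    return {"client": client, "time": ts, "request": request, "status": int(status), "size": size}

def classify(request):
    """Return the reasons a request line looks hostile; an empty list means it looks normal."""
    reasons = []
    method = request.split(" ", 1)[0]
    if method not in KNOWN_METHODS:
        reasons.append("unusual-method:" + method[:16])
    if ESCAPE_RE.search(request):
        reasons.append("binary-bytes")
    if NOP_SLED_RE.search(request):
        reasons.append("nop-sled")
    if len(request) > MAX_REQUEST_LEN:
        reasons.append("oversized:%d" % len(request))
    return reasons

def scan(log_text):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reasons = classify(rec["request"])
        if reasons:
            findings.append({"client": rec["client"], "status": rec["status"], "reasons": reasons})
    return findings

def by_client(findings):
    """Count suspicious requests per source address: the list to check before writing to abuse@."""
    return Counter(f["client"] for f in findings)
```

To run it over a real log, pass the file contents to scan(), e.g. scan(open("/var/log/apache2/access_log").read()), and print by_client() of the result.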

jerann,

61.178.166.94 and 58.217.190.50 are both in China
209.30.39.114 is in the USA

I suspect the attacks are not targeted - they will be scripts scanning the IPv4 address space, then testing anything open on port 80.

The machines the attacks come from may well be compromised. The cynic in me suggests that complaining to abuse@ in China won't help, but I have had a good response from US ISPs when I've reported possibly compromised systems.
jerann (n00b, Joined: 26 Jan 2005, Posts: 67)
Posted: Thu Nov 04, 2010 5:28 am

Well, for the moment I've swapped my apache port and let my router block all other ports. I haven't had any other unusual requests on it in the last few days since I did that, so I'll keep an eye on it, but otherwise I'm not too worried. Thanks :)
All times are GMT