Strange queries in Apache logs?
Good day!
The question is the following: Apache version 2.2.22 is running on my machine with an almost default configuration. It is visible from the net, and I have not made any special rules in .htaccess.
Today I looked into the access logs and noticed several interesting lines there, namely:
(IP1 was here) - - [21/Apr/2012:03:47:21 +0000] "\x9dq\t\xc54\xe0 Sb\xf0\x17\x16\xd1Vs\xd1\xd0\xf2<F\xeb+\x9b\xea.=\"8\xea\x12\xc8\xe9\x8c\xb8)\x9f" 400 226
(IP2 was here) - - [21/Apr/2012:04:15:47 +0000] "\x17\xb8>\xee\x19\x0c\xdd\xe2\x05\xc3\xcc\v\x81\x9f\xc9\b\xd08\x06 \x1a\xa5\x8d>\xf4N\xcb\x03\x86\xdf\xb9\x87\x02\r\xdb\xee\x02\xda\xb1\x1f\x80\x11N6\xd7E\xed\xee\xd5" 400 226
(IP3 was here) - - [21/Apr/2012:06:51:07 +0000] ";\xaf\x7f]\x19\xf0\xdd\xcf\xf8\[email protected]$\xb1"
(here was IP4) - - [21/Apr/2012:07:13:04 +0000] "-" 408
In the error logs, I found the following entries matching them by time:
[Sat Apr 21 03:47:24 2012] [error] [client (here was IP1)] request failed: error reading the headers
[Sat Apr 21 04:15:55 2012] [error] [client (here was IP2)] request failed: error reading the headers
Now the question is: what kind of requests were these? As I understand it, these are exploits, code that they tried to push into the headers?
I also noticed that while the first two IPs match up in time between the two logs, the third one, shown above as IP3, did not cause an error and was received successfully.
And in parallel: what are the risks of such “games”? Should I take any action (perhaps configure Apache accordingly), or ignore it and just keep Apache “up-to-date”?
Yes, it’s just bots roaming the network, going through ranges of IP addresses and probing for possible vulnerabilities… If your software has all the necessary patches, then forget about it and that’s it…
Crowds of these run around on my server too… And in 5 years, nothing…
What backward slashes are you talking about? \xHH is the hex representation of a byte. Binary data is being sent to the web server, so there is no method in the logs and the hex representation is shown instead.
I just tried sending some rubbish to myself via telnet; this is what appeared in the logs:
Although it looks like a buffer overflow attack, I doubt it's an exploit. Perhaps these requests are not intended for the web server at all, but for some reason they arrive at your port 80.
What is confusing, though, is that the response statuses differ. By the way, is it a coincidence that the size of the main page is 4892 bytes?
I also have a script that bans by IP for requests like these, along with "GET /php/admin" and the like. Just in case…
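As an added example (not code from any of the posters), here is a small Python parser that decodes the \xHH escaping Apache applies to the "request" field and flags entries whose request line is not HTTP at all, so lines like the ones in the question can be counted and reviewed rather than eyeballed. The sample log lines are constructed to mirror the question, with documentation IP addresses in place of the real ones.

```python
import re

# Apache common/combined access-log line: ip ident user [time] "request" status [bytes]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
                    r'(?P<status>\d{3})(?: (?P<size>\d+|-))?')
# Well-formed HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Escapes Apache's log writer emits for unprintable input: \xHH, \\, \", \n, \r, \t, \v, \b
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[\\"nrtvb])')
C_ESCAPES = {'n': 10, 'r': 13, 't': 9, 'v': 11, 'b': 8, '\\': 92, '"': 34}

def unescape_request(field: str) -> bytes:
    """Turn the escaped "request" field back into the raw bytes the client sent."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc[0] == 'x' else C_ESCAPES[esc])
        pos = m.end()
    return bytes(out + field[pos:].encode('latin-1'))

def classify(line: str) -> dict:
    """Parse one access-log line and judge whether its request line is real HTTP."""
    m = LOG_RE.match(line)
    if not m:
        return {'parsed': False, 'line': line}
    raw = unescape_request(m['request'])
    nonprintable = sum(1 for b in raw if b < 0x20 or b > 0x7e)
    valid = REQUEST_RE.match(m['request']) is not None
    status = int(m['status'])
    if valid:
        verdict = 'http'
    elif m['request'] == '-' and status == 408:
        verdict = 'timeout'          # connection opened, nothing sent before the timeout
    elif status == 200:
        verdict = 'binary-served'    # non-HTTP bytes, yet a body went out: worth a look
    else:
        verdict = 'binary-rejected'  # non-HTTP bytes, server refused (typically 400)
    return {'parsed': True, 'ip': m['ip'], 'status': status, 'valid_http': valid,
            'nonprintable': nonprintable, 'length': len(raw), 'verdict': verdict}

# Constructed sample modelled on the question's lines; IPs are documentation addresses.
SAMPLE_LOG = [
    r'198.51.100.10 - - [21/Apr/2012:03:47:21 +0000] "\x9dq\t\xc54\xe0 Sb\xf0\x17\x16\xd1Vs\"8\xea" 400 226',
    r'198.51.100.11 - - [21/Apr/2012:06:51:07 +0000] ";\xaf\x7f]\x19\xf0\xdd\xcf\xf8$\xb1" 200 4892',
    r'198.51.100.12 - - [21/Apr/2012:07:13:04 +0000] "-" 408',
    r'203.0.113.5 - - [21/Apr/2012:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 4892',
]
```

Feeding a real access log through `classify` and counting the `binary-*` verdicts per source IP gives the same "batches" the ban-by-IP script reacts to, while a `binary-served` entry is the one to inspect by hand, since the server answered it with a body.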
I guessed that the bots were walking through the IP range, because I have a dynamic IP, and I can hardly call it a targeted attack.
Another question, specifically on this entry:
(IP3 was here) - - [21/Apr/2012:06:51:07 +0000] ";\xaf\x7f]\x19\xf0\xdd\xcf\xf8\[email protected]$\xb1" 200 4892
I understand that the server accepted this request (since the response code is 200), but how do I find out how it reacted to it, and whether there were any consequences?
>I also have a script that bans by IP for requests like these, along with "GET /php/admin" and the like. Just in case...
Yes, these comrades are being logged in whole batches )))
>well, go to this url and take a look
As I understand it, this line is not a URL at all; here even the slashes are in reverse order, as you can see. Plus, in the logs, even with such a substitution, it is clearly recorded: the GET request is malformed, the file was not found. Whereas with the original log entries there is no data-transfer method at all (POST / GET), just the time and this line, i.e. as if someone just knocked at the door without a specific request for the server's contents.
I looked on the net; in particular, there are a lot of similar topics on Stack Overflow, where people also wondered what kind of requests these were in their logs, and they came to the conclusion that it really was an attack, shellcode to be precise.
Through telnet? Hmm, I hadn't thought of that. I pasted the line into the browser, which changed all the backslashes (\) to ordinary slashes (/), and a GET request was recorded in the logs; that is what I meant when I was talking about the order (sorry, I didn't get enough sleep, so I didn't express myself precisely).
As for the main page, there really is this figure; I just looked in the properties: 4.77 KB (4,892 bytes). What is it and how does it relate to these malformed requests?