Nginx
Valery Dmitriev, 2013-01-21 21:38:00

What vulnerability are the bots trying to exploit?

There are a lot of entries in the access.log generated by Nginx that look like this:

80.83.239.83 - - [06/Jan/2013:07:11:06 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00ЪЧ\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75" 400 166 "-" "-"
176.100.70.53 - - [07/Jan/2013:20:39:24 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x02\x00\x00d\x00d\x00\x00ЪЛ\x00\x11Ducky\x00\x01\x00\x04\x00\x00\x002\x00\x00ЪН\x00\x0EAdobe\x00dю\x00\x00\x00\x01Ъш\x00└\x00\x08\x06\x06\x06\x06\x06\x08\x06\x06\x08\x0C\x08\x07\x08\x0C\x0E" 400 166 "-" "-"
46.181.9.236 - - [07/Jan/2013:15:20:03 +0400] "ЪьЪА\x00ФExif\x00\x00II*\x00\x08\x00\x00\x00\x05\x00\x12\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x001\x01\x02\x00\x1C\x00\x00\x00J\x00\x00\x002\x01\x02\x00\x14\x00\x00\x00f\x00\x00\x00\x13\x02\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00i┤\x04\x00\x01\x00\x00\x00z\x00\x00\x00\x00\x00\x00\x00ACD Systems Digital Imaging\x002009:06:21 20:56:21\x00\x05\x00\x00░\x07\x00\x04\x00\x00\x000220░▓\x02\x00\x03\x00\x00\x0046\x00\x00\x02═\x04\x00\x01\x00\x00\x00╗\x02\x00\x00\x03═\x04\x00\x01\x00\x00\x00я\x01\x00\x00\x05═\x04\x00\x01\x00\x00\x00╪\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x02\x00\x04\x00\x00\x00R98\x00\x02\x00\x07\x00\x04\x00\x00\x000100\x00\x00\x00\x00    Ъю\x00\x11\x08\x01я\x02╗\x03\x01!\x00\x02\x11\x01\x03\x11\x01Ъш\x00└\x00\x03\x02\x02\x02\x02\x01\x03\x02\x02\x02\x03\x03\x03\x03\x04\x07\x04\x04\x04\x04\x04\x09\x06\x06\x05\x07" 400 166 "-" "-"
176.213.180.115 - - [07/Jan/2013:16:27:16 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00Ъш\x00C\x00\x02\x01\x01\x02\x01\x01\x02\x02\x02\x02\x02\x02\x02\x02\x03\x05\x03\x03\x03\x03\x03\x06\x04\x04\x03\x05\x07\x06\x07\x07\x07\x06\x07\x07\x08\x09\x0B\x09\x08\x08" 400 166 "-" "-"
31.135.128.178 - - [08/Jan/2013:14:54:29 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00ЪЧ\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 65" 400 166 "-" "-"
176.194.162.192 - - [21/Dec/2012:23:47:57 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00ЪА:2Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x0C\x01\x0E\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x01\x0F\x00\x02\x00\x00\x00\x05\x00\x00\x08╙\x01\x10\x00\x02\x00\x00\x00" 400 0 "-" "-"
176.15.36.128 - - [25/Dec/2012:22:08:15 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00Ъш\x00C\x00\x03\x02\x02\x03\x02\x02\x03\x03\x03\x03\x04\x03\x03\x04\x05\x08\x05\x05\x04\x04\x05" 400 0 "-" "-"
37.193.38.5 - - [25/Dec/2012:14:21:11 +0400] "ЪьЪЮ\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00Ъш\x00C\x00\x05\x03\x04\x04\x04\x03\x05\x04\x04\x04\x05\x05\x05\x06\x07\x0C\x08\x07\x07\x07\x07\x0F\x0B\x0B\x09\x0C\x11\x0F\x12\x12\x11\x0F\x11\x11\x13\x16\x1C\x17\x13\x14\x1A\x15\x11\x11\x18!\x18\x1A\x1D\x1D\x1F\x1F\x1F\x13\x17\x22$\x22\x1E$\x1C\x1E\x1F\x1EЪш\x00C\x01\x05\x05\x05\x07\x06\x07\x0E\x08\x08\x0E\x1E\x14\x11\x14\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1E\x1EЪю\x00\x11\x08\x01t\x02-\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01Ъд\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" 400 0 "-" "-"

Etc.
I understand that bots are trying to find some kind of vulnerability in Nginx (or other web server).
What?

You can look in your logs like this:
grep '" 400' access.log | grep -v '"-" 400 0 "-" "-"' > 400.log


SOLVED
These are not bots, but browser glitches.
Thanks to all who answered.
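To go one step further than the grep above and sort the 400 entries by what the "request line" actually contains, here is an added triage script (mine, not from the question or any answer). It assumes nginx's default combined log format and that non-printable bytes are logged as \xHH escapes; the sample lines are constructed after the ones in the question, with documentation IPs instead of real clients.

```python
import re
from collections import Counter

# Constructed sample lines in nginx's default combined format, modelled on the
# entries in the question. nginx writes non-printable bytes in $request as \xHH;
# the IPs are RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = r'''
192.0.2.10 - - [06/Jan/2013:07:11:06 +0400] "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xFE\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75" 400 166 "-" "-"
192.0.2.11 - - [07/Jan/2013:15:20:03 +0400] "\xFF\xD8\xFF\xE1\x00\xD4Exif\x00\x00II*\x00\x08\x00\x00\x00" 400 166 "-" "-"
192.0.2.12 - - [07/Jan/2013:16:27:16 +0400] "-" 400 0 "-" "-"
192.0.2.13 - - [07/Jan/2013:16:28:00 +0400] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.14 - - [07/Jan/2013:16:29:00 +0400] "\x16\x03\x01\x00\xA5\x01\x00\x00\xA1\x03\x03" 400 166 "-" "-"
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                     r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
HEX_ESCAPE = re.compile(rb'\\x([0-9A-Fa-f]{2})')

def unescape_request(field: str) -> bytes:
    """Turn nginx's \\xHH escapes back into the raw bytes the client sent.
    Characters outside latin-1 (e.g. mojibake from a copied log) become '?'."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                          field.encode('latin-1', 'replace'))

def classify(line: str):
    """Label a 400 entry by what sits where the request line should be; None for other lines."""
    m = LINE_RE.match(line)
    if not m or m.group('status') != '400':
        return None
    raw = unescape_request(m.group('request'))
    if raw == b'-':
        # connection opened and closed without any request (the lines the grep -v above drops)
        return 'empty'
    if raw.startswith(b'\xff\xd8\xff') or b'JFIF' in raw or b'Exif' in raw:
        # JPEG SOI marker / APPn segment in place of a request line: a client streamed
        # an image body so that nginx parsed part of it as a new request (the cause found
        # in the accepted answer), not an exploit attempt
        return 'jpeg-fragment'
    if raw[:2] == b'\x16\x03':
        # TLS handshake record sent to the plaintext port: non-HTTP traffic, the kind
        # lubezniy's answer suggests (my own extra category)
        return 'tls-on-http-port'
    return 'other-400'

def summarize(log_text: str) -> Counter:
    """Count 400 entries per category across a whole access.log."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)

if __name__ == '__main__':
    for label, n in summarize(SAMPLE_LOG).most_common():
        print(f'{n:6d}  {label}')
```

Run it as `python triage400.py < /dev/null` after pointing `SAMPLE_LOG` at your own file contents, or call `summarize(open('access.log').read())`; what remains in `other-400` is the part worth a closer look.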

4 answer(s)
Valery Dmitriev, 2013-01-29
@rotor

The answer came unexpectedly. Maybe it will come in handy for someone, so I'll write it here.
I have an Ajax photo upload form on my site, a slightly modified github.com/valums/file-uploader/ . I installed it when it was still at version 0.x.
A site visitor writes to me that his photos are not being uploaded through this form. I find out it's the Opera browser. I checked: everything uploads for me. I asked him to send me the photos. He sent them, and they really don't upload.
I got into the logs, I look, and there it is:

*.*.*.* - - [28/Jan/2013:23:06:55 +0400] "яШяа\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00яю\x00;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75" 400 0 "-" "-"

*.*.*.* is my IP address.
Sending the file via XMLHttpRequest was implemented as follows:
// original version: the File object is sent as the raw request body
xhr.open("POST", queryString, true);
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.setRequestHeader("X-File-Name", encodeURIComponent(name));
xhr.setRequestHeader("Content-Type", "application/octet-stream");
xhr.send(file);

Here file is an object of type File.
I haven't figured it out yet, but it looks like Opera breaks the request body on certain files, and the server perceives one request from it as two invalid requests on one open connection.
I changed the file-sending block. I did it like this:
xhr.open("POST", queryString, true);
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
if (typeof FormData != 'undefined') {
    // browser supports FormData: send a multipart/form-data body instead of the raw file
    var formData = new FormData();
    formData.append('imgfile', file);
    file = formData;
} else {
    // fallback for old browsers: raw body with the metadata in custom headers, as before
    xhr.setRequestHeader("Content-Type", "application/octet-stream");
    xhr.setRequestHeader("X-File-Name", encodeURIComponent(name));
    if (typeof file.type != 'undefined' && file.type.length) {
        xhr.setRequestHeader("X-Mime-Type", file.type);
    }
    xhr.setRequestHeader("Cache-Control", "no-cache");
}
xhr.send(file);

Everything worked.
PS: valums/file-uploader has already grown to version 3.2 (and has even been renamed), but as the developer himself writes, he has dropped support for Opera. So this problem is perhaps still relevant in the current version.

justeen, 2013-01-22
@justeen

Of course this is just a guess. They are trying to upload a file to you that is disguised as an image, but contains scripts. If it manages to be uploaded to you and executed, PROFIT awaits the attackers.

lubezniy, 2013-01-21
@lubezniy

Perhaps this is not a search for a vulnerability, but simply a port scan checking for the presence of some other service (not HTTP).

theaspin, 2013-01-21
@theaspin

Something similar:
http://www.chilkatforum.com/questions/181/http-error-400
