Posted to users@httpd.apache.org by Larry W Burton <lw...@ncat.edu> on 2011/05/31 16:16:00 UTC

Re: [users@httpd] strange encoded requests coming in to my server - like '

Jason,
Congratulations. You are the likely target of a kiddie script attempting a
buffer overflow or "dot dot" variant. Check your error logs and your access
logs to ensure that the attempts were not successful. You can expect 10-20
of these attacks per day.
Larry

Dr. Larry Burton
Associate Professor
Department of Electronics, Computers, and Information Technology
School of Technology
North Carolina Agricultural and Technical State University

-----Jason Vas Dias <ja...@gmail.com> wrote: -----

To: users@httpd.apache.org
From: Jason Vas Dias <ja...@gmail.com>
Date: 05/31/2011 10:08AM
Subject: [users@httpd] strange encoded requests coming in to my server - like '  "\x80F\x01\x03\x01"   '  ??

Now finally able to host a website on my home static-IP ADSL connection,
using Linux (FC-14) apache httpd-2.2.17-1.fc14.x86_64 ,
with "IP-passthrough" and "Full NAT" enabled on the ADSL router so it
assigns my host its own WAN address ,
I'm seeing these strange entries in the access log :

117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3" 501 354 "-" "-"
180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
89.73.88.177 - - [31/May/2011:08:11:26 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
217.117.64.236 - - [31/May/2011:08:34:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
195.138.167.98 - - [31/May/2011:08:39:52 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
89.96.190.244 - - [31/May/2011:08:50:51 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
195.138.167.98 - - [31/May/2011:09:20:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
217.117.64.236 - - [31/May/2011:10:04:43 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
62.141.88.70 - - [31/May/2011:11:40:13 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
178.187.163.117 - - [31/May/2011:12:03:36 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
118.172.80.131 - - [31/May/2011:12:11:57 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
196.44.185.151 - - [31/May/2011:12:25:23 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
62.141.88.90 - - [31/May/2011:12:31:15 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
213.0.79.214 - - [31/May/2011:13:22:46 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"
127.0.0.1 - - [31/May/2011:13:58:54 +0000] "GET /manual/logs.html HTTP/1.1" 200 33676 "http://127.0.0.1/manual/" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"

Can anyone please explain the meaning of these /var/log/httpd/access_log
entries ?

I guess this is just opportunist hosts trying to connect to port 80 / port
443 with a garbage protocol ?
If so, why are log entries made in the access log and not in the error log
?

Or is this some server misconfiguration ?
Or perhaps some ADSL router issue ?

Isn't there a log format that will print the server's socket address
IP:PORT and / or VirtualHost name in the access log ?
Can't seem to find it.

Any suggestions much appreciated,
Regards,
Jason


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

NOTICE: This e-mail correspondence is subject to Public Records Law and may be disclosed to third parties.
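The five bytes "\x80F\x01\x03\x01" that recur in the posted log are the start of an SSLv2-compatible ClientHello: a two-byte record header with the high bit set (0x80, and 0x46 = a 70-byte record), message type 1 (CLIENT-HELLO) and the client's highest version 0x0301, i.e. TLS 1.0. In other words a TLS client spoke to the plaintext port 80; httpd read the bytes as a request line, found no method it implements and answered 501, which is exactly the "Invalid method in request" error-log entry quoted later in the thread. The sixth byte of such a hello is the high byte of the cipher-spec length, 0x00 for any small hello, and httpd keeps the request line as a C string, so nothing past the fifth byte reaches the log. The Python below is an added example, not code from the thread or from the httpd project: it parses lines in the default "combined" LogFormat, reverses the \xHH escaping mod_log_config applies to non-printable bytes in %r, and names what the raw bytes are. The sample lines are constructed after the ones quoted above (the last is a TLS record header cut at its first NUL byte, the same effect); all function and field names are the example's own.

```python
"""Triage of non-HTTP request lines in an Apache access_log.

Added example, not code from the thread or from the httpd project. It parses
the default "combined" LogFormat, reverses the \\xHH escaping mod_log_config
applies to non-printable bytes in %r, and classifies the raw request bytes.
"""
import re
from typing import Optional

# Constructed sample lines modelled on the ones quoted in the thread. The last
# one is a TLS record header (type 22, version 3.1) truncated at the NUL that
# starts its two-byte length field.
SAMPLE_LOG = r'''
180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1" 501 354 "-" "-"
127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0"
198.51.100.7 - - [31/May/2011:14:02:09 +0000] "\x16\x03\x01" 501 313 "-" "-"
'''.strip().splitlines()

# host ident user [time] "request" status size "referer" "agent". Quoted
# fields may contain \" and \\, so they are matched as escape-aware runs.
_QUOTED = r'(?:\\.|[^"\\])*'
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')")?$'
)

_ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)', re.S)
_SIMPLE_ESCAPES = {'n': 0x0A, 'r': 0x0D, 't': 0x09, 'b': 0x08, 'v': 0x0B, 'f': 0x0C}


def unescape_logitem(field: str) -> bytes:
    """Undo ap_escape_logitem(): \\xHH, \\n, \\t, \\", \\\\ back to raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        tok = m.group(1)
        if len(tok) == 3:                      # \xHH
            out.append(int(tok[1:], 16))
        elif tok in _SIMPLE_ESCAPES:           # \n, \t, ...
            out.append(_SIMPLE_ESCAPES[tok])
        else:                                  # \" and \\ (and anything unknown)
            out += tok.encode('latin-1')
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def classify_request(raw: bytes) -> tuple:
    """Return (category, detail) for the raw bytes of a logged request line."""
    # SSLv2-compatible ClientHello: 2-byte record header with the high bit set
    # (0x80 | length_hi, length_lo), then msg type 1 = CLIENT-HELLO and the
    # client's highest version (0x0301 = TLS 1.0). Byte 6 is the high byte of
    # the cipher-spec length, 0x00 for any small hello, and httpd stores the
    # request line as a C string, so only five bytes survive into the log.
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] in (0x00, 0x03):
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return ('sslv2_client_hello', f'record length {length}, version {raw[3]}.{raw[4]}')
    # TLS record layer: content type 22 (handshake), version 3.x, 2-byte length
    # whose high byte is 0x00 for hellos under 256 bytes, hence three bytes logged.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return ('tls_handshake_record', f'record version 3.{raw[2]}')
    if re.fullmatch(rb'[A-Z]{3,10} \S+(?: HTTP/\d\.\d)?', raw):
        return ('http', raw.split(b' ', 1)[0].decode('ascii'))
    if any(b < 0x20 or b > 0x7E for b in raw):
        return ('binary_garbage', f'{len(raw)} bytes, no protocol header recognised')
    return ('malformed_text', raw.decode('latin-1'))


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it is not in that format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['raw_request'] = unescape_logitem(rec['request'])
    rec['category'], rec['detail'] = classify_request(rec['raw_request'])
    return rec


def triage(lines) -> dict:
    """Count request-line categories per client host, the shape a log report wants."""
    report = {}
    for rec in filter(None, map(parse_line, lines)):
        per_host = report.setdefault(rec['category'], {})
        per_host[rec['host']] = per_host.get(rec['host'], 0) + 1
    return report


if __name__ == '__main__':
    for rec in filter(None, map(parse_line, SAMPLE_LOG)):
        print(f"{rec['host']:16} {rec['status']} {rec['category']:22} {rec['detail']}")
    print(triage(SAMPLE_LOG))
```

The parser works on the access log rather than the error log for the reason given later in the thread: every access-log line has the shape the LogFormat dictates, so the request field can be cut out reliably before its escaping is undone. On the question of logging which socket and virtual host took the connection, mod_log_config already has the directives: %A is the local IP address, %p the canonical port (%{local}p the port the connection actually arrived on; check the mod_log_config page for your release) and %v / %V the server name, so a LogFormat beginning "%A:%p %V %h %l %u %t \"%r\" %>s %b" records them alongside the fields this example parses.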



Re: [users@httpd] strange encoded requests coming in to my server - like'

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Tue, May 31, 2011 at 10:35 AM, Jason Vas Dias <ja...@gmail.com> wrote:

> But I had the impression from reading the documentation that the
> "access_log" was to
> record actual ACCESSes , ie.  for requests that at least pass the "is a
> valid HTTP request" test ,
> and that non-requests, if logged at all, should appear only in the
> error_log .
>
A request that returns a 404 (or any other error code) is still a valid
request. HTTPD cannot return an error response if there was no request for
it.


> Indeed,  for every such bad request received, I see error log entries like
> :
>
> [Tue May 31 07:11:22 2011] [error] [client 117.241.90.130] Invalid method
> in request
> \xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3
>
> so this is definitely "not a request" - I wouldn't have expected anything
> about this event in the
> access log, because no "access" to anything resulted from this event .
>

Anyone who does log analysis (read Awstats or similar) can tell you how
important the errors in the access log are.
The error log is free-form; any part of the web server, including plugins,
can write to it and they don't use the same format. This makes the log file
very hard if not impossible to parse by machine.
The access log is only written to in the specific format defined in the
configuration, which makes it easy to parse because every line can be
expected to have the same format.

Re: [users@httpd] strange encoded requests coming in to my server - like'

Posted by Jason Vas Dias <ja...@gmail.com>.
On Tuesday 31 May 2011 15:16:00 Larry W Burton wrote:
> Jason,
> Congratulations. You are the likely target of a kiddie script attempting a
> buffer overflow or "dot dot" variant. Check your error logs and your access
> logs to ensure that the attempts were not successful. You can expect 10-20
> of these attacks per day.
> Larry
> 
Much thanks for your swift & helpful response, Larry!

But I had the impression from reading the documentation that the "access_log" was to
record actual ACCESSes , ie.  for requests that at least pass the "is a valid HTTP request" test ,
and that non-requests, if logged at all, should appear only in the error_log . 
Indeed,  for every such bad request received, I see error log entries like :

[Tue May 31 07:11:22 2011] [error] [client 117.241.90.130] Invalid method in request \xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3

so this is definitely "not a request" - I wouldn't have expected anything about this event in the 
access log, because no "access" to anything resulted from this event .

Thanks anyway - I guess I can just ignore these.

All the best,

Jason
