Posted to users@httpd.apache.org by Red-Tail Books <in...@redtailbooks.com> on 2016/07/08 19:32:19 UTC

[users@httpd] Strange access.log entry...

Saw this in my access.log this morning...

169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] 
"^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
Can someone more knowledgeable explain what the "request" was and why it 
was successful? And what 11k of data did apache serve?

Thanks
dave

Re: [users@httpd] Strange access.log entry...

Posted by Spork Schivago <sp...@gmail.com>.
I'll be sure to keep you in the loop, Red-Tail Books.   If I were to take a
guess, I'd guess that hex value is the key to fully understanding this.
Wish I knew more about exploits and stuff.   I remember similar things like
that when I was kid and used to play around with stuff like Metasploit.   A
lot of the exploits had similar payloads I think they were called.  That
piqued my interest a bit.

I too am fairly new to operating a server and I know when I see weird stuff
like that, I get worried.   Thankfully, I've been fortunate enough to have
complete strangers explain stuff to me and put my mind at rest.   It's just
nice to try and return the favour sometime, you know?

Best of luck!

Ken

On Fri, Jul 8, 2016 at 6:51 PM, Red-Tail Books <in...@redtailbooks.com>
wrote:

> Wow Ken, Thanks for the thorough research. I just did a whois and figured
> it wasn't an attack.
>
> But being a complete rookie (no experience with linux or servers prior to
> creating a droplet on DO 2 weeks ago)
> I was curious to not see any request prefix (GET|POST|CONNECT...etc...)
> and then I saw that the request was successful (status 200) instead of a
> 404. And what 11k of data did my server send in response...
>
> In 13 days of logs this IP has only hit my server once and this is the
> only time I've seen such a request... So no issue with their legitimate
> research...
>
> Thanks for tracking this down and please keep me in the loop if you hear
> back from them again.
> dave
>
>
> On 7/8/2016 2:41 PM, Spork Schivago wrote:
>
> Okay Red-Tail Books, I got more information for you!   This is the latest
> response I got:
>
> "The malware is installed via a range of vulnerabilities including
> social engineering.  This scan is really testing for the malware's
> rendezvous protocol for command and control.  As a rule, we have been
> informing law enforcement about infected machines and they have been
> doing victim notification and thus if your correspondent is infected
> they will be contacted. However, I believe that this particular
> malware works exclusively with IIS and thus an Apache user is unlikely
> to have much to worry about.   Unfortunately, I don't know the precise
> meaning of the string or what it elicits and Paul (cc'd) who is the
> grad student lead on this project is currently away on his honeymoon,
> but I'm sure we can respond more succinctly once he returns"
>
> So, it seems that you're in the clear and have nothing to worry about,
> mainly because you're running Apache and not IIS.   I wish I could answer
> what the actual hex string means and what Apache responded with.   Perhaps
> when Paul gets back from his honeymoon, we'll receive an answer.
>
> Best of luck.
>
> Ken.
>
> On Fri, Jul 8, 2016 at 5:32 PM, Spork Schivago <sp...@gmail.com>
> wrote:
>
>> I contacted one of the people involved with CESR and I have received a
>> response.   This is what they say:
>>
>> "Yes, this is a scan from our group.  It is not in fact looking for
>> a vulnerability, but for a very specific infection.  The scan is
>> harmless, but there is a very rare and stealthy piece of malware for
>> which this scan will elicit a response (indicating that the server is
>> compromised and is awaiting instructions).  The scan is part of a
>> survey looking at how this particular threat actor has been targeting
>> different organizations.  If the scan is causing a problem for
>> someone, please have them contact me and I can ask that their site be
>> removed from the scan."
>>
>> I am waiting to hear back from him to see if there's a way to tell if
>> you're actually vulnerable to this malware or not.  The good news is
>> your site isn't under attack or anything.  Once I hear back from him,
>> I'll let you know what he says.
>>
>> Thanks!
>>
>> On Fri, Jul 8, 2016 at 3:56 PM, Spork Schivago <sp...@gmail.com>
>> wrote:
>>
>>> I think I can shed a little light on this.   I believe it has something
>>> to do with exploits / vulnerabilities.   I'm not sure what the hex values
>>> are, but I'm guessing that's part of the exploit.   I've tried searching
>>> for it but couldn't find anything.   Maybe the query is confusing the
>>> search engines?
>>>
>>> Anyway, the ip address....if you research that IP address, you see that
>>> it resolves to: researchscan1.eecs.berkeley.edu
>>>
>>> If you go there, you see the message:
>>>
>>> Hello,
>>>
>>> This is a research scanning machine from the University of California at
>>> Berkeley. This machine regularly conducts scans of the entire Internet so
>>> you may have been scanned as part of an ongoing research project.
>>>
>>> If you have been or are currently being scanned and would like to opt
>>> out, please email cesr-scanning@lists.eecs.berkeley.edu with the IP
>>> ranges you would like to exclude in CIDR format and we will respond
>>> immediately.
>>>
>>>
>>> If you search google for the IP address, you see a lot of people saying
>>> this IP address tried hacking into their site or scanned it or something
>>> along those lines.   If I were to take a guess, just a guess, I'd guess
>>> that maybe they're conducting a large scan of the internet, trying to find
>>> servers that are exploitable for research purposes.   You might be able to
>>> find more information or someone more knowledgeable might be able to
>>> provide better advice on what to do.
>>>
>>> I've also googled cesr and found this:
>>>
>>>
>>> Center for Evidence-based Security Research (CESR)
>>> The Center for Evidence-based Security Research is an ongoing
>>> collaboration with researchers at the University of California, San Diego,
>>> seeking to understand modern Internet threats and develop effective
>>> countermeasures using analysis rooted in empirical observation.
>>>
>>>
>>> I found that here:
>>>
>>>  https://www.eecs.berkeley.edu/Research/Areas/Centers/
>>>
>>>
>>> To me, it seems like it's valid research and they're not actually
>>> trying to do bad stuff, they're just looking for exploitable servers and
>>> making a list of the issues they found.   I'd be more interested in knowing
>>> if they actually got in.   If they found something, it's just a matter of
>>> time before someone who really wants to do bad stuff finds the same exploit
>>> and takes advantage of it.
>>>
>>> I hope this helps.
>>>
>>> Sincerely,
>>> Ken
>>>
>>>
>>> On Fri, Jul 8, 2016 at 3:32 PM, Red-Tail Books <in...@redtailbooks.com>
>>> wrote:
>>>
>>>> Saw this in my access.log this morning...
>>>>
>>>> 169.229.3.91 - - [08/Jul/2016:05:44:24 -0700]
>>>> "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
>>>> Can someone more knowledgeable explain what the "request" was and why
>>>> it was successful? And what 11k of data did apache serve?
>>>>
>>>> Thanks
>>>> dave
>>>>
>>>
>>>
>>
>
>
> --
> Red-Tail Books
> 204 N Florence St
> Casa Grande, Az
> 520-836-0370
>
>

Re: [users@httpd] Re: Strange access.log entry...

Posted by Dr James Smith <js...@sanger.ac.uk>.
Is the response the same as the response for / - that's all I can assume...?


On 09/07/2016 14:00, Jonesy wrote:
> On Fri, 8 Jul 2016 15:51:27 -0700, Red-Tail Books wrote:
>>
>> Wow Ken, Thanks for the thorough research. I just did a whois and
>> figured it wasn't an attack.
>>
>> But being a complete rookie (no experience with linux or servers prior
>> to creating a droplet on DO 2 weeks ago)
>> I was curious to not see any request prefix (GET|POST|CONNECT...etc...)
>> and then I saw that the request was successful (status 200) instead of a
>> 404. And what 11k of data did my server send in response...
>>
>> In 13 days of logs this IP has only hit my server once and this is the
>> only time I've seen such a request... So no issue with their legitimate
>> research...
> All well and good, I suppose.
> I still wonder why the fetch resulted in a "200 OK".....
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
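One way to triage an entry like this, added here as an example and not code from anyone in the thread: it parses Apache combined-format lines, undoes the \xHH escaping Apache applies to the request field so the bytes the client actually sent are visible, flags request fields that are not an HTTP request line at all, and, following the question above about whether the response matched the one for /, lists the well-formed requests in the same log that returned the same status and body size. It does not explain why the server answered 200; it only gives the reader the facts needed to investigate. The combined LogFormat is assumed; every sample line except dave's is constructed for the example and is not data from his server.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" LogFormat (assumed for this example):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %r is the first request line as received; %b is the response body size in
# bytes (headers are not counted).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?\s*$'
)

# Apache writes non-printable bytes in %r as \xHH and backslash-escapes " and \;
# printable ASCII such as the leading "^" in dave's entry is written as-is.
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[nrtbfv"\\])')
SIMPLE_ESCAPES = {'n': b'\n', 'r': b'\r', 't': b'\t', 'b': b'\b',
                  'f': b'\f', 'v': b'\v', '"': b'"', '\\': b'\\'}

# A syntactically plausible HTTP request line: METHOD SP target [SP HTTP/x.y]
REQUEST_LINE_RE = re.compile(rb'^[A-Z]+ \S+( HTTP/\d\.\d)?$')


def unescape_request(field: str) -> bytes:
    """Undo Apache's log escaping and return the bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc.startswith('x'):
            out.append(int(esc[1:], 16))
        else:
            out += SIMPLE_ESCAPES[esc]
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def is_http_request_line(raw: bytes) -> bool:
    return REQUEST_LINE_RE.match(raw) is not None


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry['raw_request'] = unescape_request(entry['request'])
    entry['status'] = int(entry['status'])
    entry['bytes'] = 0 if entry['bytes'] == '-' else int(entry['bytes'])
    entry['well_formed'] = is_http_request_line(entry['raw_request'])
    return entry


def find_malformed(lines: List[str]) -> List[Dict]:
    """Flag entries whose request field is not an HTTP request line and, for
    each, list the well-formed requests that got the same status and body size."""
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    report = []
    for e in entries:
        if e['well_formed']:
            continue
        same_size = sorted({x['raw_request'].decode('latin-1') for x in entries
                            if x['well_formed']
                            and x['status'] == e['status']
                            and x['bytes'] == e['bytes']})
        report.append({'host': e['host'], 'time': e['time'],
                       'raw': e['raw_request'], 'status': e['status'],
                       'bytes': e['bytes'], 'same_size_requests': same_size})
    return report


# Line 1 is the entry from the original post. The other lines are constructed
# for this example (not from the poster's server); the "GET /" line is given
# the same size only so the correlation step has something to show.
SAMPLE_LOG = [
    r'169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"',
    r'198.51.100.7 - - [08/Jul/2016:06:01:02 -0700] "GET / HTTP/1.1" 200 11434 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [08/Jul/2016:06:01:03 -0700] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'203.0.113.9 - - [08/Jul/2016:07:15:44 -0700] "GET /robots.txt HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == '__main__':
    for r in find_malformed(SAMPLE_LOG):
        print(f"{r['host']} {r['time']}: non-HTTP request line, "
              f"{len(r['raw'])} bytes: {r['raw'].hex()}")
        print(f"  status {r['status']}, {r['bytes']} body bytes; well-formed "
              f"requests with the same status/size: {r['same_size_requests']}")
```

Run against a real access.log, the same-size list is only a hint: a match with "GET /" suggests the default document was served, but confirming that still means reproducing the request against a test instance or checking the server's error log, neither of which this script does.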



[users@httpd] Re: Strange access.log entry...

Posted by Jonesy <SP...@jonz.net>.
On Fri, 8 Jul 2016 15:51:27 -0700, Red-Tail Books wrote:
>
> Wow Ken, Thanks for the thorough research. I just did a whois and 
> figured it wasn't an attack.
>
> But being a complete rookie (no experience with linux or servers prior 
> to creating a droplet on DO 2 weeks ago)
> I was curious to not see any request prefix (GET|POST|CONNECT...etc...) 
> and then I saw that the request was successful (status 200) instead of a 
> 404. And what 11k of data did my server send in response...
>
> In 13 days of logs this IP has only hit my server once and this is the 
> only time I've seen such a request... So no issue with their legitimate 
> research...

All well and good, I suppose.  
I still wonder why the fetch resulted in a "200 OK".....




Re: [users@httpd] Strange access.log entry...

Posted by Red-Tail Books <in...@redtailbooks.com>.
Wow Ken, Thanks for the thorough research. I just did a whois and 
figured it wasn't an attack.

But being a complete rookie (no experience with linux or servers prior 
to creating a droplet on DO 2 weeks ago)
I was curious to not see any request prefix (GET|POST|CONNECT...etc...) 
and then I saw that the request was successful (status 200) instead of a 
404. And what 11k of data did my server send in response...

In 13 days of logs this IP has only hit my server once and this is the 
only time I've seen such a request... So no issue with their legitimate 
research...

Thanks for tracking this down and please keep me in the loop if you hear 
back from them again.
dave

On 7/8/2016 2:41 PM, Spork Schivago wrote:
> Okay Red-Tail Books, I got more information for you!   This is the 
> latest response I got:
>
> "The malware is installed via a range of vulnerabilities including
> social engineering.  This scan is really testing for the malware's
> rendezvous protocol for command and control.  As a rule, we have been
> informing law enforcement about infected machines and they have been
> doing victim notification and thus if your correspondent is infected
> they will be contacted. However, I believe that this particular
> malware works exclusively with IIS and thus an Apache user is unlikely
> to have much to worry about.  Unfortunately, I don't know the precise
> meaning of the string or what it elicits and Paul (cc'd) who is the
> grad student lead on this project is currently away on his honeymoon,
> but I'm sure we can respond more succinctly once he returns"
>
> So, it seems that you're in the clear and have nothing to worry about, 
> mainly because you're running Apache and not IIS.   I wish I could 
> answer what the actual hex string means and what Apache responded 
> with.   Perhaps when Paul gets back from his honeymoon, we'll receive 
> an answer.
>
> Best of luck.
>
> Ken.
>
> On Fri, Jul 8, 2016 at 5:32 PM, Spork Schivago 
> <sporkschivago@gmail.com <ma...@gmail.com>> wrote:
>
>     I contacted one of the people involved with CESR and I have
>     received a response.   This is what they say:
>
>     "Yes, this is a scan from our group. It is not in fact looking for
>     a vulnerability, but for a very specific infection.  The scan is
>     harmless, but there is a very rare and stealthy piece of malware for
>     which this scan will elicit a response (indicating that the server is
>     compromised and is awaiting instructions).  The scan is part of a
>     survey looking at how this particular threat actor has been targeting
>     different organizations. If the scan is causing a problem for
>     someone, please have them contact me and I can ask that their site be
>     removed from the scan."
>
>     I am waiting to hear back from him to see if there's a way to tell
>     if you're actually vulnerable to this malware or not. The good
>     news is your site isn't under attack or anything. Once I hear back
>     from him, I'll let you know what he says.
>
>     Thanks!
>
>     On Fri, Jul 8, 2016 at 3:56 PM, Spork Schivago
>     <sporkschivago@gmail.com <ma...@gmail.com>> wrote:
>
>         I think I can shed a little light on this.   I believe it has
>         something to do with exploits / vulnerabilities.   I'm not
>         sure what the hex values are, but I'm guessing that's part of
>         the exploit.   I've tried searching for it but couldn't find
>         anything.   Maybe the query is confusing the search engines?
>
>         Anyway, the ip address....if you research that IP address, you
>         see that it resolves to: researchscan1.eecs.berkeley.edu
>         <http://researchscan1.eecs.berkeley.edu>
>
>         If you go there, you see the message:
>
>         Hello,
>
>         This is a research scanning machine from the University of
>         California at Berkeley. This machine regularly conducts scans
>         of the entire Internet so you may have been scanned as part of
>         an ongoing research project.
>
>         If you have been or are currently being scanned and would like
>         to opt out, please email cesr-scanning@lists.eecs.berkeley.edu
>         <ma...@lists.eecs.berkeley.edu> with the IP
>         ranges you would like to exclude in CIDR format and we will
>         respond immediately.
>
>
>
>         If you search google for the IP address, you see a lot of
>         people saying this IP address tried hacking into their site or
>         scanned it or something along those lines.   If I were to take
>         a guess, just a guess, I'd guess that maybe they're conducting
>         a large scan of the internet, trying to find servers that are
>         exploitable for research purposes.   You might be able to find
>         more information or someone more knowledgeable might be able
>         to provide better advice on what to do.
>
>         I've also googled cesr and found this:
>
>
>         Center for Evidence-based Security Research (CESR)
>         The Center for Evidence-based Security Research is an ongoing
>         collaboration with researchers at the University of
>         California, San Diego, seeking to understand modern Internet
>         threats and develop effective countermeasures using analysis
>         rooted in empirical observation.
>
>
>         I found that here:
>
>         https://www.eecs.berkeley.edu/Research/Areas/Centers/
>
>
>         To me, it seems like it's valid research and they're not
>         actually trying to do bad stuff, they're just looking for
>         exploitable servers and making a list of the issues they
>         found.   I'd be more interested in knowing if they actually
>         got in.   If they found something, it's just a matter of time
>         before someone who really wants to do bad stuff finds the same
>         exploit and takes advantage of it.
>
>         I hope this helps.
>
>         Sincerely,
>         Ken
>
>
>         On Fri, Jul 8, 2016 at 3:32 PM, Red-Tail Books
>         <info@redtailbooks.com <ma...@redtailbooks.com>> wrote:
>
>             Saw this in my access.log this morning...
>
>             169.229.3.91 - - [08/Jul/2016:05:44:24 -0700]
>             "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
>             Can someone more knowledgeable explain what the "request"
>             was and why it was successful? And what 11k of data did
>             apache serve?
>
>             Thanks
>             dave
>
>
>
>


-- 
Red-Tail Books
204 N Florence St
Casa Grande, Az
520-836-0370


Re: [users@httpd] Strange access.log entry...

Posted by Spork Schivago <sp...@gmail.com>.
Okay Red-Tail Books, I got more information for you!   This is the latest
response I got:

"The malware is installed via a range of vulnerabilities including
social engineering.  This scan is really testing for the malware's
rendezvous protocol for command and control.  As a rule, we have been
informing law enforcement about infected machines and they have been
doing victim notification and thus if your correspondent is infected
they will be contacted. However, I believe that this particular
malware works exclusively with IIS and thus an Apache user is unlikely
to have much to worry about.   Unfortunately, I don't know the precise
meaning of the string or what it elicits and Paul (cc'd) who is the
grad student lead on this project is currently away on his honeymoon,
but I'm sure we can respond more succinctly once he returns"

So, it seems that you're in the clear and have nothing to worry about,
mainly because you're running Apache and not IIS.   I wish I could answer
what the actual hex string means and what Apache responded with.   Perhaps
when Paul gets back from his honeymoon, we'll receive an answer.

Best of luck.

Ken.

On Fri, Jul 8, 2016 at 5:32 PM, Spork Schivago <sp...@gmail.com>
wrote:

> I contacted one of the people involved with CESR and I have received a
> response.   This is what they say:
>
> "Yes, this is a scan from our group.  It is not in fact looking for
> a vulnerability, but for a very specific infection.  The scan is
> harmless, but there is a very rare and stealthy piece of malware for
> which this scan will elicit a response (indicating that the server is
> compromised and is awaiting instructions).  The scan is part of a
> survey looking at how this particular threat actor has been targeting
> different organizations.  If the scan is causing a problem for
> someone, please have them contact me and I can ask that their site be
> removed from the scan."
>
> I am waiting to hear back from him to see if there's a way to tell if
> you're actually vulnerable to this malware or not.  The good news is your
> site isn't under attack or anything.  Once I hear back from him, I'll let
> you know what he says.
>
> Thanks!
>
> On Fri, Jul 8, 2016 at 3:56 PM, Spork Schivago <sp...@gmail.com>
> wrote:
>
>> I think I can shed a little light on this.   I believe it has something
>> to do with exploits / vulnerabilities.   I'm not sure what the hex values
>> are, but I'm guessing that's part of the exploit.   I've tried searching
>> for it but couldn't find anything.   Maybe the query is confusing the
>> search engines?
>>
>> Anyway, the ip address....if you research that IP address, you see that
>> it resolves to: researchscan1.eecs.berkeley.edu
>>
>> If you go there, you see the message:
>>
>> Hello,
>>
>> This is a research scanning machine from the University of California at
>> Berkeley. This machine regularly conducts scans of the entire Internet so
>> you may have been scanned as part of an ongoing research project.
>>
>> If you have been or are currently being scanned and would like to opt
>> out, please email cesr-scanning@lists.eecs.berkeley.edu with the IP
>> ranges you would like to exclude in CIDR format and we will respond
>> immediately.
>>
>>
>> If you search google for the IP address, you see a lot of people saying
>> this IP address tried hacking into their site or scanned it or something
>> along those lines.   If I were to take a guess, just a guess, I'd guess
>> that maybe they're conducting a large scan of the internet, trying to find
>> servers that are exploitable for research purposes.   You might be able to
>> find more information or someone more knowledgeable might be able to
>> provide better advice on what to do.
>>
>> I've also googled cesr and found this:
>>
>>
>> Center for Evidence-based Security Research (CESR)
>> The Center for Evidence-based Security Research is an ongoing
>> collaboration with researchers at the University of California, San Diego,
>> seeking to understand modern Internet threats and develop effective
>> countermeasures using analysis rooted in empirical observation.
>>
>>
>> I found that here:
>>
>>  https://www.eecs.berkeley.edu/Research/Areas/Centers/
>>
>>
>> To me, it seems like it's valid research and they're not actually
>> trying to do bad stuff, they're just looking for exploitable servers and
>> making a list of the issues they found.   I'd be more interested in knowing
>> if they actually got in.   If they found something, it's just a matter of
>> time before someone who really wants to do bad stuff finds the same exploit
>> and takes advantage of it.
>>
>> I hope this helps.
>>
>> Sincerely,
>> Ken
>>
>>
>> On Fri, Jul 8, 2016 at 3:32 PM, Red-Tail Books <in...@redtailbooks.com>
>> wrote:
>>
>>> Saw this in my access.log this morning...
>>>
>>> 169.229.3.91 - - [08/Jul/2016:05:44:24 -0700]
>>> "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
>>> Can someone more knowledgeable explain what the "request" was and why it
>>> was successful? And what 11k of data did apache serve?
>>>
>>> Thanks
>>> dave
>>>
>>
>>
>

Re: [users@httpd] Strange access.log entry...

Posted by Spork Schivago <sp...@gmail.com>.
I contacted one of the people involved with CESR and I have received a
response.   This is what they say:

"Yes, this is a scan from our group.  It is not in fact looking for
a vulnerability, but for a very specific infection.  The scan is
harmless, but there is a very rare and stealthy piece of malware for
which this scan will elicit a response (indicating that the server is
compromised and is awaiting instructions).  The scan is part of a
survey looking at how this particular threat actor has been targeting
different organizations.  If the scan is causing a problem for
someone, please have them contact me and I can ask that their site be
removed from the scan."

I am waiting to hear back from him to see if there's a way to tell if you're
actually vulnerable to this malware or not.  The good news is your site
isn't under attack or anything.  Once I hear back from him, I'll let you
know what he says.

Thanks!

On Fri, Jul 8, 2016 at 3:56 PM, Spork Schivago <sp...@gmail.com>
wrote:

> I think I can shed a little light on this.   I believe it has something to
> do with exploits / vulnerabilities.   I'm not sure what the hex values are,
> but I'm guessing that's part of the exploit.   I've tried searching for it
> but couldn't find anything.   Maybe the query is confusing the search
> engines?
>
> Anyway, the ip address....if you research that IP address, you see that it
> resolves to: researchscan1.eecs.berkeley.edu
>
> If you go there, you see the message:
>
> Hello,
>
> This is a research scanning machine from the University of California at
> Berkeley. This machine regularly conducts scans of the entire Internet so
> you may have been scanned as part of an ongoing research project.
>
> If you have been or are currently being scanned and would like to opt out,
> please email cesr-scanning@lists.eecs.berkeley.edu with the IP ranges you
> would like to exclude in CIDR format and we will respond immediately.
>
>
> If you search google for the IP address, you see a lot of people saying
> this IP address tried hacking into their site or scanned it or something
> along those lines.   If I were to take a guess, just a guess, I'd guess
> that maybe they're conducting a large scan of the internet, trying to find
> servers that are exploitable for research purposes.   You might be able to
> find more information or someone more knowledgeable might be able to
> provide better advice on what to do.
>
> I've also googled cesr and found this:
>
>
> Center for Evidence-based Security Research (CESR)
> The Center for Evidence-based Security Research is an ongoing
> collaboration with researchers at the University of California, San Diego,
> seeking to understand modern Internet threats and develop effective
> countermeasures using analysis rooted in empirical observation.
>
>
> I found that here:
>
>  https://www.eecs.berkeley.edu/Research/Areas/Centers/
>
>
> To me, it seems like it's valid research and they're not actually trying
> to do bad stuff, they're just looking for exploitable servers and making a
> list of the issues they found.   I'd be more interested in knowing if they
> actually got in.   If they found something, it's just a matter of time
> before someone who really wants to do bad stuff finds the same exploit and
> takes advantage of it.
>
> I hope this helps.
>
> Sincerely,
> Ken
>
>
> On Fri, Jul 8, 2016 at 3:32 PM, Red-Tail Books <in...@redtailbooks.com>
> wrote:
>
>> Saw this in my access.log this morning...
>>
>> 169.229.3.91 - - [08/Jul/2016:05:44:24 -0700]
>> "^\x05A\xea\xa1\xfa\xbe\x15" 200 11434 "-" "-"
>> Can someone more knowledgeable explain what the "request" was and why it
>> was successful? And what 11k of data did apache serve?
>>
>> Thanks
>> dave
>>
>
>

Re: [users@httpd] Strange access.log entry...

Posted by Spork Schivago <sp...@gmail.com>.
I think I can shed a little light on this.   I believe it has something to
do with exploits / vulnerabilities.   I'm not sure what the hex values are,
but I'm guessing that's part of the exploit.   I've tried searching for it
but couldn't find anything.   Maybe the query is confusing the search
engines?

Anyway, the ip address....if you research that IP address, you see that it
resolves to: researchscan1.eecs.berkeley.edu

If you go there, you see the message:

Hello,

This is a research scanning machine from the University of California at
Berkeley. This machine regularly conducts scans of the entire Internet so
you may have been scanned as part of an ongoing research project.

If you have been or are currently being scanned and would like to opt out,
please email cesr-scanning@lists.eecs.berkeley.edu with the IP ranges you
would like to exclude in CIDR format and we will respond immediately.


If you search google for the IP address, you see a lot of people saying
this IP address tried hacking into their site or scanned it or something
along those lines.   If I were to take a guess, just a guess, I'd guess
that maybe they're conducting a large scan of the internet, trying to find
servers that are exploitable for research purposes.   You might be able to
find more information or someone more knowledgeable might be able to
provide better advice on what to do.

I've also googled cesr and found this:


Center for Evidence-based Security Research (CESR)
The Center for Evidence-based Security Research is an ongoing collaboration
with researchers at the University of California, San Diego, seeking to
understand modern Internet threats and develop effective countermeasures
using analysis rooted in empirical observation.


I found that here:

 https://www.eecs.berkeley.edu/Research/Areas/Centers/


To me, it seems like it's valid research and they're not actually trying
to do bad stuff, they're just looking for exploitable servers and making a
list of the issues they found.   I'd be more interested in knowing if they
actually got in.   If they found something, it's just a matter of time
before someone who really wants to do bad stuff finds the same exploit and
takes advantage of it.

I hope this helps.

Sincerely,
Ken

On Fri, Jul 8, 2016 at 3:32 PM, Red-Tail Books <in...@redtailbooks.com>
wrote:

> Saw this in my access.log this morning...
>
> 169.229.3.91 - - [08/Jul/2016:05:44:24 -0700] "^\x05A\xea\xa1\xfa\xbe\x15"
> 200 11434 "-" "-"
> Can someone more knowledgeable explain what the "request" was and why it
> was successful? And what 11k of data did apache serve?
>
> Thanks
> dave
>