Re: Do these log entries show someone trying to hack in?


 



On 24/05/2013 14:55, Jack Mcslay wrote:
These appear to be escaped characters from a binary blob, which could be someone trying to inject malicious code, but I really don't think apache has anything that makes it interpret hostnames as C-styled escaped strings.

On 24-05-2013 10:26, plot.lost wrote:
I've been getting error log entries about the SNI and hostname being different, and in these cases the SNI used seems to be the correct hostname but with some extra data on the end, for example:

Hostname www.example.com\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80 provided via SNI and hostname www.example.com provided via HTTP are different

In this case the extra data was \xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80

but there have been a number of different sets of data, such as:

    A\xe8\x84\xb4A\xc9\xa0\xe0\xa8\xbe\xed\x9c\xbc\xd4\x80

    \xdd\x98\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8

    \xdd\x9a\xe2\xa4\x90\xe0\xaf\xb0\xcb\xb0

    \xdd\xa0\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8

    \xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80

    \xe0\xb1\x82\xe6\xbb\x98\xdd\x99\xc4\x90

Does anyone have any idea as to what this might be for? Are there any known/possible exploits in Apache that this might be trying to use?

Server Version: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1a running on Ubuntu

Thanks in advance for any hints/advice.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx






Thanks, I'm hoping that nothing can be done using this, but it's always worrying to see something new like this appearing in the logs!

Could it not be possible that the data is being sent un-escaped (so as the raw byte values) and it is the log process that is escaping them as it writes the log entry?

These values don't seem to make any sense as UTF-8 or UTF-16 sequences, and I don't know enough about trying to decode x86 opcodes to see if that could be something that is trying to be executed somewhere.



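As an added triage example (not code from anyone in the thread): the script below takes an entry of the form quoted above, undoes the \xNN escaping on the assumption that the logger escaped raw bytes it received, separates the bytes appended after the genuine hostname, and reports whether the SNI value is pure ASCII and whether the extra bytes decode as UTF-8. The log lines are constructed for the example, using two of the suffixes quoted in the thread plus one made-up suffix.

```python
import re
import unicodedata
from typing import Optional

# Constructed log lines modelled on the entry quoted in the thread: the first two
# SNI suffixes are byte strings quoted there, the third is made up and is not UTF-8.
SAMPLE_LINES = [
    r"Hostname www.example.com\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80 provided via SNI"
    r" and hostname www.example.com provided via HTTP are different",
    r"Hostname www.example.comA\xe8\x84\xb4A\xc9\xa0\xe0\xa8\xbe\xed\x9c\xbc\xd4\x80"
    r" provided via SNI and hostname www.example.com provided via HTTP are different",
    r"Hostname www.example.com\xff\xfe provided via SNI"
    r" and hostname www.example.com provided via HTTP are different",
]

MSG_RE = re.compile(r"Hostname (?P<sni>\S+) provided via SNI and hostname (?P<http>\S+) provided via HTTP")
ESC_RE = re.compile(rb"\\x([0-9a-fA-F]{2})")


def unescape_logitem(field: str) -> bytes:
    """Undo the \\xNN escaping applied when the entry was logged, recovering the bytes sent."""
    return ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), field.encode("ascii"))


def analyse(line: str) -> Optional[dict]:
    """Split a mismatch entry into HTTP host, raw SNI bytes and the bytes appended to the host."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    http_host = m.group("http")
    sni_raw = unescape_logitem(m.group("sni"))
    prefix = http_host.encode("ascii")
    # Bytes following the genuine hostname (whole value if it does not start with it).
    extra = sni_raw[len(prefix):] if sni_raw.startswith(prefix) else sni_raw
    try:
        chars = [(f"U+{ord(c):04X}", unicodedata.name(c, "<unassigned>")) for c in extra.decode("utf-8")]
        valid_utf8 = True
    except UnicodeDecodeError:
        chars, valid_utf8 = [], False
    return {
        "http_host": http_host,
        "sni_raw": sni_raw,
        "extra_bytes": extra,
        # RFC 6066 requires the SNI host_name to be ASCII (IDNs as A-labels), so any
        # byte >= 0x80 means this is not a usable hostname, whatever it decodes to.
        "sni_is_ascii": all(b < 0x80 for b in sni_raw),
        "valid_utf8": valid_utf8,
        "codepoints": chars,
    }
```

Run against the first line it reports a 10-byte suffix decoding to U+0C2F, U+2FE8, U+002E and U+2A00: structurally valid UTF-8, yet still not a legal SNI hostname, which is why the server treated it as a mismatch.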




