It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for months. It started a few months back with the Berkeley University Scanner, who are researching by sending out a string like that and then seeing what response they get. It’s to check for some kind of exploit. Their IP for their scanner is 169.229.3.91, but now in the last 8 weeks I am seeing the same string coming in from numerous other IP addresses.

I no longer run Apache after 9 years of using it. Nginx is completely unaffected in any way by that kind of buffer overflow string, but I cannot speak for Apache anymore personally, as I switched over 4 months ago due to numerous issues with Apache I could not handle anymore. My one problem is that Apache, as per your logs (I had the same in my Apache logs), gives a 200 “OK” response whereas Nginx responds to that with a 400 “Bad Response”.

So exactly what flaw or web server that string is intended to exploit is still unknown to me, but I am still keeping a close eye on it daily. I personally have felt since I first started noticing it that it is perhaps targeting Apache, but that is merely a whim and I have nothing concrete to back that up.

For more info on the Berkeley scanner project, visit http://169.229.3.91/. They do respond to emails, and if you want them to not scan your server you just ask. But as I say, it’s not just them running that exploit now; it comes from IPs all over.

KR
Mitchell

From: Tawasol Go <tawasolgo@xxxxxxxxx>
Reply: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>
Date: 05 October 2016 at 12:01:58 PM
To: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>
Subject: [users@httpd] Unknown accepted traffic to my site