RE: Unknown accepted traffic to my site

That could well be the case. I have two trap web sites set up which monitor this stuff and both the http and https get hit daily, in fact the non https site gets hit much more frequently. Still interested to know if anyone has any more in depth information on exactly what this type of exploit is. Can’t for the life of me find the reply I got from Berkeley on it.

KR
Mitchell



From: Joe Muller <jmuller@xxxxxxxxxxx>
Reply: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>
Date: 05 October 2016 at 6:26:54 PM
To: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>, tawasolgo@xxxxxxxxx <tawasolgo@xxxxxxxxx>
Subject:  RE: [users@httpd] Unknown accepted traffic to my site

From the looks of it I would say it is targeting servers running SSL. Are you serving up HTTP or HTTPS?

 

From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Unknown accepted traffic to my site

It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for months. It started a few months back with the Berkeley University Scanner who are researching by sending out a string like that and then seeing what response they get. It’s to check for some kind of exploit. Their IP for their scanner is 169.229.3.91 but now in the last 8 weeks I am seeing the same string coming in from numerous other IP addresses. 

I no longer run Apache after 9 years of using it. Nginx is completely unaffected in any way by that kind of buffer overflow string, but I cannot speak for Apache anymore personally, as I switched over 4 months ago due to numerous issues with Apache I could not handle anymore.

My one problem is that Apache as per your logs (I had the same in my apache logs) gives a 200 “OK” response whereas Nginx responds to that with a 400 “Bad Response”.

So exactly what flaw or web server that string is intended to exploit is still unknown to me, but I am still keeping a close eye on it daily. I personally have felt since I first started noticing it that it is perhaps targeting Apache, but that is merely a whim and I have nothing concrete to back it up.

For more info on the Berkeley scanner project, visit http://secure-web.cisco.com/1kSe4hH5QaFg5iurDPeLNPEj2NfHD71wJ6ewbgosIG0LZCg4nnchPkhh5UrR8zZG_jbf6-f9AO2Jj0DRVnnFp6Zd8U8t8op7GBrxRIKs1l-mlyOSLHK_Bwd8Wt4Yc2WI-L_yWe_lHopRLE44Fd1oD0hhviJGCfuK8-WiTD293Qk2pUp9n0HmeFtTYXs8bWRiRBl7jm1O7K6ME5Et0IWSLtPfvQLMFkEnOf1t34ifD9hPt-HFblHBRG42diyg9VRacu4n5N7aVn5A_S3T3KRDR3RzGf81KOv7Mx6bqTSFPl_X934G7T3HCxyCrjcyqtGDlqplGwcTAX1MEExuH32QRyhZ7-8IpQkikfrH4wzNZjM0/http%3A%2F%2F169.229.3.91%2F. They do respond to emails, and if you want them to not scan your server you just ask. But as I say, it’s not just them running that exploit now; it comes from IPs all over.

KR
Mitchell



From: Tawasol Go <tawasolgo@xxxxxxxxx>
Reply: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>
Date: 05 October 2016 at 12:01:58 PM
To: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>
Subject:  [users@httpd] Unknown accepted traffic to my site

Hello Guys,

I need to understand this kind of traffic; I noticed many of these entries hitting my site.

IP
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605


Please advise.

Thanks,
Karim
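As an added illustration (not code from this thread or from the httpd project), here is a Python script that parses Apache access-log lines in the format Karim posted, undoes Apache's \xNN log escaping, and flags request lines that are not valid HTTP request lines yet were answered with 200. The two binary lines are the ones from the post (client address as redacted there); the GET line and the 203.0.113.5 address are constructed.

```python
import re

# Apache common log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# What a legitimate HTTP/1.x request line looks like once unescaped.
REQ_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Escapes Apache writes for bytes it will not log literally (\xNN, \b, \n, \", \\ ...).
ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')
SIMPLE_ESCAPES = {'b': 8, 'n': 10, 'r': 13, 't': 9, 'v': 11, 'f': 12}

def unescape_apache(field: str) -> bytes:
    """Turn the escaped request field back into the raw bytes the client sent."""
    def one(m):
        tok = m.group(1)
        if tok[0] == 'x':
            return chr(int(tok[1:], 16))
        return chr(SIMPLE_ESCAPES.get(tok, ord(tok)))  # \" and \\ map to themselves
    return ESC_RE.sub(one, field).encode('latin-1')

def classify(line: str):
    """Parse one log line; say whether the request line is well-formed HTTP."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    raw = unescape_apache(m['req'])
    printable = all(0x20 <= b < 0x7f for b in raw)
    well_formed = printable and REQ_LINE_RE.match(raw.decode('ascii')) is not None
    status = int(m['status'])
    return {'ip': m['ip'], 'status': status, 'raw_len': len(raw),
            'well_formed': well_formed,
            # Binary junk answered with 200 is the pattern the thread asks about.
            'suspicious': (not well_formed) and status == 200}

def suspicious_entries(lines):
    """Return parsed entries whose request line is not HTTP yet got a 200."""
    return [e for e in map(classify, lines) if e and e['suspicious']]

# Constructed sample: the two lines from Karim's post plus one ordinary request.
SAMPLE_LOG = [
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605',
    r'203.0.113.5 - - [02/Oct/2016:11:30:00 +0300] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == '__main__':
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e['ip']}: {e['raw_len']}-byte non-HTTP request line answered {e['status']}")
```

Run it over a real access log (one line per list entry) to count how often the server answers non-HTTP garbage with 200 instead of 400, which is the Apache/Nginx difference Mitchell describes.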
