On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@xxxxxxxxxxx> wrote:
> From the looks of it I would say it is targeting servers running SSL. Are
> you serving up HTTP or HTTPS ?

I don't think that that is valid SSL, unless your httpd discards the first few bytes.
There was a SANS handler diary entry just yesterday about this:

https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/

If I try `openssl s_client -connect localhost:14020`, I get the below entry in my access.log, which matches the description in the diary:

127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"

This, however, is something completely different. I'd also guess it's some kind of vulnerability scan:

> IP
> 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
> "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
> 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
> "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
> 200 48605

Rainer
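Added example, not part of the original message: a small triage script that unescapes the request field of an access-log line and checks whether it begins with a TLS handshake record header (`0x16 0x03 ...`), which is what separates the `openssl s_client` entry from the other binary requests quoted above. The function names are this example's own, the third sample line is constructed, and the escape table assumes Apache httpd's access-log escaping (`\xhh`, `\b \t \n \v \r`, `\\`, `\"`).

```python
import re

# First two lines are entries quoted in the message; the third is constructed.
SAMPLE_LOG = [
    r'127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"',
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'192.0.2.10 - - [02/Oct/2016:11:30:00 +0300] "GET /index.html HTTP/1.1" 200 512',
]

_REQ = re.compile(r'"((?:[^"\\]|\\.)*)"')          # first quoted field = request line
_ESC = re.compile(r'\\(?:x([0-9a-fA-F]{2})|(.))')  # \xhh or a one-character escape
_SIMPLE = {'b': 8, 't': 9, 'n': 10, 'v': 11, 'r': 13, '\\': 92, '"': 34}

def unescape(field):
    """Turn the escaped request field from the log back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode('latin-1', 'replace')
        if m.group(1):
            out.append(int(m.group(1), 16))
        elif m.group(2) in _SIMPLE:
            out.append(_SIMPLE[m.group(2)])
        else:
            out += m.group(2).encode('latin-1', 'replace')
        pos = m.end()
    return bytes(out + field[pos:].encode('latin-1', 'replace'))

def tls_header(raw):
    """Return (minor_version, record_length) if raw starts with a TLS handshake record."""
    if len(raw) >= 5 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04:
        return raw[2], int.from_bytes(raw[3:5], 'big')
    return None

def classify(line):
    """Label a log line: 'tls-handshake', 'http', 'other' or 'unparsed'."""
    m = _REQ.search(line)
    if not m:
        return 'unparsed'
    raw = unescape(m.group(1))
    if tls_header(raw):
        return 'tls-handshake'
    if re.fullmatch(rb'[A-Z]+ \S+ HTTP/\d\.\d', raw):
        return 'http'
    return 'other'

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(classify(line), '|', line)
```

For the `openssl s_client` entry the decoded bytes are `16 03 01 01 2c 01`: a handshake record, version 3.1, length 300, followed by handshake type 1 (ClientHello). The entries from the original report do not start with `0x16 0x03` and fall into `other`.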