There's away to do a reverse IP lookup on the IP address and see if there's a DNS entry for it. That's how I was able to successfully figure out who the senders were (Berkeley) originally. I used dig I believe. I don't have access to my Linux box right now, otherwise I'd check to see if the IP addresses are actually from Berkeley. There's always a chance that they're using more than one server / IP now to conduct the scanning. I believe they were originally trying to scan the whole internet.
They had said it's a very specific type of malware that only affects IIS to their knowledge. If you're not running a Windows server running IIS, you should be good to go.On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan <rainer.canavan@xxxxxxxxxxxx> wrote:On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmuller@xxxxxxxxxxx> wrote:
> From the looks of it I would say it is targeting servers running SSL. Are
> you serving up HTTP or HTTPS ?
I don't think that that is valid SSL, unless your httpd discards the
first few bytes.
There was a SANS handler diary entry just yesterday about this:
https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTT P+Servers/21551/
if I try `openssl s_client -connect localhost:14020`, I get the below
entry in my access.log,
which matches the description in the diary:
127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] -
"\x16\x03\x01\x01,\x01" 400 226 "-" "-"
this, however, is something completely different. I'd also guess it's some kind
of vulnerability scan:
> IP
> 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
> "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605 Rainer
> 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
> "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\ xda\xef6O\xa1~\x91[\xf2\x05E\ xac\xad\x8d\x9d\xbe\xf5\xfc\ xc5\"\xed\xa3u"
> 200 48605
------------------------------------------------------------ ---------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|