Jason,

Congratulations. You are the likely target of a kiddie script attempting a buffer overflow or "dot dot" variant. Check your error logs and your access logs to ensure that the attempts were not successful. You can expect 10-20 of these attacks per day.

Larry

Dr. Larry Burton
Associate Professor
Department of Electronics, Computers, and Information Technology
School of Technology
North Carolina Agricultural and Technical State University

-----Jason Vas Dias <jason.vas.dias@xxxxxxxxx> wrote: -----

To: users@xxxxxxxxxxxxxxxx
From: Jason Vas Dias <jason.vas.dias@xxxxxxxxx>
Date: 05/31/2011 10:08AM
Subject: strange encoded requests coming in to my server - like ' "\x80F\x01\x03\x01" ' ??

Now finally able to host a website on my home static-IP ADSL connection, using Linux (FC-14) apache httpd-2.2.17-1.fc14.x86_64, with "IP-passthrough" and "Full NAT" enabled on the ADSL router so it assigns my host its own WAN address, I'm seeing these strange entries in the access log:

117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3" 501 354 "-" "-"
180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
89.73.88.177 - - [31/May/2011:08:11:26 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
217.117.64.236 - - [31/May/2011:08:34:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
195.138.167.98 - - [31/May/2011:08:39:52 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
89.96.190.244 - - [31/May/2011:08:50:51 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
195.138.167.98 - - [31/May/2011:09:20:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
217.117.64.236 - - [31/May/2011:10:04:43 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
62.141.88.70 - - [31/May/2011:11:40:13 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
178.187.163.117 - - [31/May/2011:12:03:36 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
118.172.80.131 - - [31/May/2011:12:11:57 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
196.44.185.151 - - [31/May/2011:12:25:23 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
62.141.88.90 - - [31/May/2011:12:31:15 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
213.0.79.214 - - [31/May/2011:13:22:46 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"
127.0.0.1 - - [31/May/2011:13:58:54 +0000] "GET /manual/logs.html HTTP/1.1" 200 33676 "http://127.0.0.1/manual/" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"

Can anyone please explain the meaning of these /var/log/httpd/access_log entries?

I guess this is just opportunist hosts trying to connect to port 80 / port 443 with a garbage protocol?

If so, why are log entries made in the access log and not in the error log?

Or is this some server misconfiguration? Or perhaps some ADSL router issue?

Isn't there a log format that will print the server's socket address IP:PORT and / or VirtualHost name in the access log? Can't seem to find it.

Any suggestions much appreciated,
Regards,
Jason

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

NOTICE: This e-mail correspondence is subject to Public Records Law and may be disclosed to third parties.
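
One way to triage access-log entries like the ones quoted in this thread, as an added example that is not part of either message: it reverses httpd's `\xhh` log escaping and checks whether the logged bytes match the header layout of an SSLv2-format ClientHello (length with the high bit set, message type 1, offered version) or a TLS handshake record. The function names are hypothetical; the sample lines are copied from the post.

```python
import re

# Common/combined log format; the request field may hold \" and \xhh escapes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')
ESC_RE = re.compile(rb'\\x([0-9a-fA-F]{2})|\\(.)')
C_ESCAPES = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f', b'v': b'\v'}
HTTP_RE = re.compile(rb'^[A-Z]+ \S+ HTTP/\d\.\d$')
VERSIONS = {(0, 2): 'SSL 2.0', (3, 0): 'SSL 3.0', (3, 1): 'TLS 1.0',
            (3, 2): 'TLS 1.1', (3, 3): 'TLS 1.2'}

def unescape(field: str) -> bytes:
    """Turn a logged request field back into the raw bytes the client sent."""
    def sub(m):
        if m.group(1):                      # \xhh escape
            return bytes([int(m.group(1), 16)])
        return C_ESCAPES.get(m.group(2), m.group(2))   # \n, \t, \", \\ ...
    return ESC_RE.sub(sub, field.encode('latin-1'))

def classify(raw: bytes) -> str:
    if HTTP_RE.match(raw):
        return 'http'
    # SSLv2-format record: 2-byte length with high bit set, then type 1 (ClientHello)
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        ver = VERSIONS.get((raw[3], raw[4]))
        if ver:
            length = ((raw[0] & 0x7F) << 8) | raw[1]
            return f'SSLv2-format ClientHello, {length}-byte record, offers {ver}'
    # TLS record layer: content type 22 (handshake), major version 3
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return 'TLS handshake record'
    return 'unrecognized binary'

def triage(lines):
    """Return (client_ip, status, verdict) for every parsable log line."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(4)), classify(unescape(m.group(3)))))
    return out

# Sample input: three entries copied from the access log quoted in the post.
SAMPLE = [
    r'117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3" 501 354 "-" "-"',
    r'180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"',
    r'127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, status, verdict in triage(SAMPLE):
        print(f'{ip:16} {status} {verdict}')
```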