Re: strange encoded requests coming in to my server - like'

On Tuesday 31 May 2011 15:16:00 Larry W Burton wrote:
> Jason,
> Congratulations. You are the likely target of a kiddie script attempting a
> buffer overflow or "dot dot" variant. Check your error logs and your access
> logs to ensure that the attempts were not successful. You can expect 10-20
> of these attacks per day.
> Larry
> 
Much thanks for your swift & helpful response, Larry!

But I had the impression from reading the documentation that the "access_log" was to
record actual ACCESSes, i.e. for requests that at least pass the "is a valid HTTP request" test,
and that non-requests, if logged at all, should appear only in the error_log.
Indeed, for every such bad request received, I see error log entries like:

[Tue May 31 07:11:22 2011] [error] [client 117.241.90.130] Invalid method in request \xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3

so this is definitely "not a request" - I wouldn't have expected anything about this event in the
access log, because no "access" to anything resulted from this event.

Thanks anyway - I guess I can just ignore these.

All the best,

Jason
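A small triage script, added here as an example (it is not from this thread and not part of the httpd project), that does the check Larry suggests: it parses lines in the combined log format quoted below, undoes Apache's `\xNN` escaping of the request line, classifies each entry, and lists any non-HTTP request line that nonetheless received a success status, which is the one case that would merit a closer look. The three sample lines are taken from the quoted access log and rejoined onto single lines; the reading of `\x80F\x01\x03\x01` as an SSLv2-compatible ClientHello (a 2-byte record header with the high bit set, message type 0x01, version 0x03 0x01) is my interpretation of the bytes, and all function and variable names are my own.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "agent".
# Quoted fields may contain \" and \\ escapes, hence the (?:[^"\\]|\\.)* groups.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?\s*$'
)

# Escapes mod_log_config emits: \xNN for non-printable bytes, \" and \\, and C-style \n \r \t ...
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)')
SIMPLE_ESCAPES = {'n': b'\n', 'r': b'\r', 't': b'\t', 'b': b'\b', 'f': b'\f', 'v': b'\v'}

# Constructed sample: three entries copied from the access log quoted in the thread,
# rejoined onto single lines (the mail client had wrapped them).
SAMPLE_LINES = [
    r'117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3" 501 354 "-" "-"',
    r'180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"',
    r'127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"',
]


def decode_logitem(field):
    """Undo Apache's log escaping and return the raw bytes of the request line."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            ch = m.group(2)
            out += SIMPLE_ESCAPES.get(ch, ch.encode('latin-1'))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


HTTP_REQUEST_RE = re.compile(rb'^[A-Z]{3,10} \S+ HTTP/\d\.\d$')


def classify_request(raw):
    """Label a decoded request line: http, sslv2-client-hello, binary, or malformed."""
    if HTTP_REQUEST_RE.match(raw):
        return 'http'
    # SSLv2-compatible ClientHello record: 2-byte header whose first byte has the high bit set
    # (0x80 | length), then message type 0x01 (CLIENT-HELLO) and the version, here 0x03 0x01.
    # "\x80F\x01\x03\x01" decodes to exactly 0x80 0x46 0x01 0x03 0x01 (my reading of the bytes).
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] == 0x03:
        return 'sslv2-client-hello'
    if any(b < 0x20 or b > 0x7e for b in raw):
        return 'binary'
    return 'malformed'


def probe_report(lines):
    """Summarise request kinds per client and flag non-HTTP lines that got a success status."""
    per_client = defaultdict(Counter)
    rejected = 0
    suspicious_accepted = []
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        raw = decode_logitem(m.group('request'))
        kind = classify_request(raw)
        status = int(m.group('status'))
        per_client[m.group('client')][kind] += 1
        if kind != 'http':
            if status >= 400:
                rejected += 1  # the server refused it: the expected, harmless outcome
            else:
                # A non-HTTP request line answered with 2xx/3xx is what deserves a closer look.
                suspicious_accepted.append((m.group('client'), status, raw))
    return {
        'clients': {ip: dict(c) for ip, c in per_client.items()},
        'rejected': rejected,
        'suspicious_accepted': suspicious_accepted,
        'unparsed': unparsed,
    }


if __name__ == '__main__':
    report = probe_report(SAMPLE_LINES)
    for ip, kinds in report['clients'].items():
        print(ip, kinds)
    print('rejected:', report['rejected'], 'accepted non-HTTP:', report['suspicious_accepted'])
```

On the access_log versus error_log question: each of these entries shows a status (501) and a response size (313 or 354 bytes), so httpd did send a response, and CustomLog records every request it answered, however bad; error_log carries the diagnostic about why the method was rejected. A non-HTTP line that is answered with a status below 400 is the only one of these that would warrant investigation. For the LogFormat question at the end of the quoted mail, mod_log_config provides `%A` (local IP address), `%p` (canonical server port) and `%v` (canonical ServerName of the serving virtual host).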

> Dr. Larry Burton
> Associate Professor
> Department of Electronics, Computers, and Information Technology
> School of Technology
> North Carolina Agricultural and Technical State University
> 
> -----Jason Vas Dias <jason.vas.dias@xxxxxxxxx> wrote: -----
> 
> To: users@xxxxxxxxxxxxxxxx
> From: Jason Vas Dias <jason.vas.dias@xxxxxxxxx>
> Date: 05/31/2011 10:08AM
> Subject:  strange encoded requests coming in to my server  -
> like '  "\x80F\x01\x03\x01"   '  ??
> 
> Now finally able to host a website on my home static-IP ADSL connection,
> using Linux (FC-14) apache httpd-2.2.17-1.fc14.x86_64 ,
> with "IP-passthrough" and "Full NAT" enabled on the ADSL router so it
> assigns my host its own WAN address ,
> I'm seeing these strange entries in the access log :
> 
> 117.241.90.130 - - [31/May/2011:07:11:21 +0000] "\xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX\"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3" 501 354 "-" "-"
> 180.94.69.130 - - [31/May/2011:07:32:42 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 89.73.88.177 - - [31/May/2011:08:11:26 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 217.117.64.236 - - [31/May/2011:08:34:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 195.138.167.98 - - [31/May/2011:08:39:52 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 89.96.190.244 - - [31/May/2011:08:50:51 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 195.138.167.98 - - [31/May/2011:09:20:20 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 217.117.64.236 - - [31/May/2011:10:04:43 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 62.141.88.70 - - [31/May/2011:11:40:13 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 178.187.163.117 - - [31/May/2011:12:03:36 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 118.172.80.131 - - [31/May/2011:12:11:57 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 196.44.185.151 - - [31/May/2011:12:25:23 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 62.141.88.90 - - [31/May/2011:12:31:15 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 213.0.79.214 - - [31/May/2011:13:22:46 +0000] "\x80F\x01\x03\x01" 501 313 "-" "-"
> 127.0.0.1 - - [31/May/2011:13:58:44 +0000] "GET /manual/ HTTP/1.1" 200 7709 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"
> 127.0.0.1 - - [31/May/2011:13:58:54 +0000] "GET /manual/logs.html HTTP/1.1" 200 33676 "http://127.0.0.1/manual/" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110415 Firefox/4.0b13pre"
> 
> Can anyone please explain the meaning of these /var/log/httpd/access_log
> entries ?
> 
> I guess this is just opportunist hosts trying to connect to port 80 / port
> 443 with a garbage protocol ?
> If so, why are log entries made in the access log and not in the error log
> ?
> 
> Or is this some server misconfiguration ?
> Or perhaps some ADSL router issue ?
> 
> Isn't there a log format that will print the server's socket address
> IP:PORT and / or VirtualHost name in the access log ?
> Can't seem to find it.
> 
> Any suggestions much appreciated,
> Regards,
> Jason
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
