Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: strange logfile entries |
|
| Author |
|
KingNED
Joined: 04 Nov 2010
Posts: 2
|
 Posted: Thu 04 Nov '10 15:07 Post subject: strange logfile entries |
 |
|
Hello,
Been looking for this for quite some time now, found some similar results but no real luck with it.
I've been having some rather 'odd' Apache log entries:
Running Apache by WAMP on Windows Server 2008
| Code: |
85.144.138.88 - - [27/Oct/2010:22:12:00 +0200] "\xb2q{\xe5x\xbf\x17\xdc\x88\x07m<\xcf\x9d\x1cn\x87\x1dv\xd1\xf1a%Afh\xe3\x19" 200 54
83.83.80.49 - - [29/Oct/2010:19:39:54 +0200] "\xf2\xed4U6A\xa6\xdb\xa4\x0f\xcdXl\x8cP\xc0f\xea" 200 54
129.16.202.93 - - [03/Nov/2010:10:50:22 +0100] "\xcf\xd3@\xa3\x86\xa4\xa5\xc6HPka\xeb\x99\xf0_\x03\x99\xccty\xba;\x97\x9d-\x9ah\x9a\xfe\x8f\xbe\xcc\x9d\xe5\x86\x94\\?" 200 54
218.65.86.80 - - [29/Oct/2010:16:33:29 +0200] "GET http://www.baidu.com/ HTTP/1.1" 200 54
|
The first few seem really odd to me, the last one i think, is someone trying to use my server as a proxy, though i get mixed results on that, since i have some other attempts like that returning a 404...
What worries me is they all return HTTP 200 (valid request).
Could you help me with this?
Thanks in advance. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Fri 05 Nov '10 20:04 Post subject: |
|
|
Someone tried to insert malcode. That's hex code. Often named shell code. In worst case it will be executed from apache. Keep your apache up to and you are mostly safe. I can think of that someone scanned your server and noticed that it is a windows server. Cause I've seen a simular injection code or IIS server. But I don't know that for sure.
Only the last request you posted someone tried to use your server as proxy. If you haven't enbale proxy module there is nothing to worry about that at all. |
|
| Back to top |
|
KingNED
Joined: 04 Nov 2010
Posts: 2
|
| Posted: Fri 05 Nov '10 20:46 Post subject: |
|
|
All the proxy modules are disabled, so that shouldn't be a problem?
what still bothers me is the hex code that is trying to be injected, sometimes getting a HTTP 400, sometimes a HTTP 200.
94.212.18.38 - - [05/Nov/2010:12:28:06 +0100] "P\x18\xe6\xc1\xc4~=W:v 2\vR\x83\xa1" 400 226
77.248.168.160 - - [05/Nov/2010:17:22:44 +0100] "\xce8\xc9\xe2=o~\x1as\xa9\x027\xc9\x91t\x07o\x14\xd4\x84\xaf\xcdjf\x843\xe1\xc3\x1a\xd8f:" 200 54
how can i defend myself from these things, blocking ip's isn't a real solution since then innocent users could be banned from visiting. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Fri 05 Nov '10 21:55 Post subject: |
|
|
| Maybe you check out mod_security. Can also be found on this download page. |
|
| Back to top |
|
|
|
|
|
|
