logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: strange logfile entries
Author
KingNED



Joined: 04 Nov 2010
Posts: 2

PostPosted: Thu 04 Nov '10 15:07    Post subject: strange logfile entries Reply with quote

Hello,

Been looking for this for quite some time now, found some similar results but no real luck with it.
I've been having some rather 'odd' Apache log entries:
Running Apache by WAMP on Windows Server 2008

Code:

85.144.138.88 - - [27/Oct/2010:22:12:00 +0200] "\xb2q{\xe5x\xbf\x17\xdc\x88\x07m<\xcf\x9d\x1cn\x87\x1dv\xd1\xf1a%Afh\xe3\x19" 200 54
83.83.80.49 - - [29/Oct/2010:19:39:54 +0200] "\xf2\xed4U6A\xa6\xdb\xa4\x0f\xcdXl\x8cP\xc0f\xea" 200 54
129.16.202.93 - - [03/Nov/2010:10:50:22 +0100] "\xcf\xd3@\xa3\x86\xa4\xa5\xc6HPka\xeb\x99\xf0_\x03\x99\xccty\xba;\x97\x9d-\x9ah\x9a\xfe\x8f\xbe\xcc\x9d\xe5\x86\x94\\?" 200 54

218.65.86.80 - - [29/Oct/2010:16:33:29 +0200] "GET http://www.baidu.com/ HTTP/1.1" 200 54


The first few seem really odd to me, the last one i think, is someone trying to use my server as a proxy, though i get mixed results on that, since i have some other attempts like that returning a 404...
What worries me is they all return HTTP 200 (valid request).

Could you help me with this?

Thanks in advance.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 05 Nov '10 20:04    Post subject: Reply with quote

Someone tried to insert malcode. That's hex code. Often named shell code. In worst case it will be executed from apache. Keep your apache up to and you are mostly safe. I can think of that someone scanned your server and noticed that it is a windows server. Cause I've seen a simular injection code or IIS server. But I don't know that for sure.

Only the last request you posted someone tried to use your server as proxy. If you haven't enbale proxy module there is nothing to worry about that at all.
Back to top
KingNED



Joined: 04 Nov 2010
Posts: 2

PostPosted: Fri 05 Nov '10 20:46    Post subject: Reply with quote

All the proxy modules are disabled, so that shouldn't be a problem?

what still bothers me is the hex code that is trying to be injected, sometimes getting a HTTP 400, sometimes a HTTP 200.

94.212.18.38 - - [05/Nov/2010:12:28:06 +0100] "P\x18\xe6\xc1\xc4~=W:vSad2\vR\x83\xa1" 400 226
77.248.168.160 - - [05/Nov/2010:17:22:44 +0100] "\xce8\xc9\xe2=o~\x1as\xa9\x027\xc9\x91t\x07o\x14\xd4\x84\xaf\xcdjf\x843\xe1\xc3\x1a\xd8f:" 200 54

how can i defend myself from these things, blocking ip's isn't a real solution since then innocent users could be banned from visiting.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 05 Nov '10 21:55    Post subject: Reply with quote

Maybe you check out mod_security. Can also be found on this download page.
Back to top


Reply to topic   Topic: strange logfile entries View previous topic :: View next topic
Post new topic   Forum Index -> Apache