On 24/05/2013 14:55, Jack Mcslay wrote:
These appear to be escaped characters from a binary blob, which could be someone trying to inject malicious code, but I really don't think Apache has anything that makes it interpret hostnames as C-styled escaped strings.

On 24-05-2013 10:26, plot.lost wrote:
I've been getting error log entries about the SNI and hostname being different, and in these cases the SNI used seems to be the correct hostname but with some extra data on the end, for example:

Hostname www.example.com\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80 provided via SNI and hostname www.example.com provided via HTTP are different

In this case the extra data was \xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80

but there have been a number of different sets of data, such as:

    A\xe8\x84\xb4A\xc9\xa0\xe0\xa8\xbe\xed\x9c\xbc\xd4\x80

    \xdd\x98\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8

    \xdd\x9a\xe2\xa4\x90\xe0\xaf\xb0\xcb\xb0

    \xdd\xa0\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8

    \xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80

    \xe0\xb1\x82\xe6\xbb\x98\xdd\x99\xc4\x90

Does anyone have any idea as to what this might be for? Are there any known/possible exploits in Apache that this might be trying to use?

Server Version: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1a running on Ubuntu

Thanks in advance for any hints/advice.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org






Thanks, I'm hoping that nothing can be done using this, but it's always worrying to see something new like this appearing in the logs!

Could it not be possible that the data is being sent un-escaped (so as the raw byte values) and it is the log process that is escaping them as it writes the log entry?

These values don't seem to make any sense as UTF8 or UTF16 sequences, and I don't know enough about trying to decode x86 opcodes to see if that could be something that is trying to be executed somewhere.
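One way to examine entries like these, as an added example that is not part of the original thread: the sketch below reverses the `\xHH` escaping in the quoted error-log message, isolates the bytes that follow the HTTP hostname, and checks whether they are structurally valid UTF-8. The function names are hypothetical, and it assumes the message format shown in the thread and that each `\xHH` is the logger's rendering of one raw byte.

```python
import re

# Message format as quoted in the thread (assumed stable for this sketch).
LINE_RE = re.compile(
    r"Hostname (?P<sni>\S+) provided via SNI and hostname (?P<http>\S+) "
    r"provided via HTTP are different")
# Only the \xHH escape style seen in the thread is handled.
ESC_RE = re.compile(rb"\\x([0-9a-fA-F]{2})")

# Log line taken from the thread.
SAMPLE = (r"Hostname www.example.com\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80 "
          r"provided via SNI and hostname www.example.com "
          r"provided via HTTP are different")
# Constructed line whose trailing bytes are not valid UTF-8.
CONSTRUCTED = (r"Hostname www.example.com\xff\xfe provided via SNI and "
               r"hostname www.example.com provided via HTTP are different")


def unescape(text):
    """Turn the log's \\xHH escapes back into the raw bytes they stand for."""
    raw = text.encode("latin-1")
    return ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def analyse(line):
    """Return the SNI/HTTP names, the extra SNI bytes and their code points."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not an SNI/hostname mismatch entry
    sni, http = unescape(m["sni"]), unescape(m["http"])
    # "extra" is set only when the SNI value begins with the HTTP hostname.
    extra = sni[len(http):] if sni.startswith(http) else None
    result = {"sni": sni, "http": http, "extra": extra, "codepoints": None}
    if extra:
        try:
            text = extra.decode("utf-8")  # strict: rejects malformed input
            result["codepoints"] = ["U+%04X" % ord(c) for c in text]
        except UnicodeDecodeError:
            pass  # bytes are not structurally valid UTF-8
    return result


if __name__ == "__main__":
    for entry in (SAMPLE, CONSTRUCTED):
        info = analyse(entry)
        print(info["http"], info["extra"].hex(), info["codepoints"])
```

A `codepoints` value of `None` means the trailing bytes failed strict UTF-8 decoding; a list means they decoded, which says nothing about whether the resulting characters are meaningful.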



