On 24/05/2013 14:55, Jack Mcslay wrote:
These appear to be escaped characters from a binary blob, which could
be someone trying to inject malicious code, but I really don't think
Apache has anything that makes it interpret hostnames as C-styled
escaped strings.
On 24-05-2013 10:26, plot.lost wrote:
I've been getting error log entries about SNI and hostname being
different, and in these cases the SNI used seems to be the correct
hostname but with some extra data on the end, for example:
Hostname www.example.com\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80
provided via SNI and hostname www.example.com provided via HTTP are
different
In this case the extra data was \xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80
but there have been a number of different sets of data, such as:
A\xe8\x84\xb4A\xc9\xa0\xe0\xa8\xbe\xed\x9c\xbc\xd4\x80
\xdd\x98\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8
\xdd\x9a\xe2\xa4\x90\xe0\xaf\xb0\xcb\xb0
\xdd\xa0\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8
\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80
\xe0\xb1\x82\xe6\xbb\x98\xdd\x99\xc4\x90
Does anyone have any idea as to what this might be for? Are there any
known/possible exploits in Apache that this might be trying to use?
Server Version: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1a
running on Ubuntu
Thanks in advance for any hints/advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Thanks, I'm hoping that nothing can be done using this, but it's always
worrying to see something new like this appearing in the logs!
Could it not be possible that the data is being sent un-escaped (so as
the raw byte values) and it is the log process that is escaping them as
it writes the log entry?
These values don't seem to make any sense as UTF8 or UTF16 sequences,
and I don't know enough about trying to decode x86 opcodes to see if
that could be something that is trying to be executed somewhere.
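
For the two questions raised in the message above (whether the log writer is doing the escaping, and whether the bytes are UTF-8), the following is an added example, not code from any participant in this thread or from the Apache project. It reverses the `\xNN` notation of the quoted log entries into the raw bytes and runs a strict UTF-8 decode on them; the function names are hypothetical, and it assumes the logged text contains only `\xNN` escapes plus printable ASCII.

```python
import re

# Sample input: three of the escaped SNI suffixes quoted earlier in the thread,
# kept as the literal backslash-x text seen in the error log (not raw bytes).
LOGGED_SUFFIXES = [
    r"\xe0\xb0\xaf\xe2\xbf\xa8.\xe2\xa8\x80",
    r"A\xe8\x84\xb4A\xc9\xa0\xe0\xa8\xbe\xed\x9c\xbc\xd4\x80",
    r"\xdd\x98\xee\xbd\xa0\xe0\xaf\xb5\xcf\xb8",
]

_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape_log(text: str) -> bytes:
    """Turn \\xNN log notation back into the bytes the server received.

    Assumption: only \\xNN escapes occur; other escape forms are not handled.
    """
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")  # printable chars as-is
        out.append(int(m.group(1), 16))               # escaped byte
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def triage(text: str) -> dict:
    """Report the raw bytes and, if they are well-formed UTF-8, the code points."""
    raw = unescape_log(text)
    try:
        decoded = raw.decode("utf-8")  # strict: rejects malformed sequences
        code_points = [f"U+{ord(c):04X}" for c in decoded]
        valid = True
    except UnicodeDecodeError:
        code_points, valid = [], False
    return {"raw": raw, "valid_utf8": valid, "code_points": code_points}


if __name__ == "__main__":
    for suffix in LOGGED_SUFFIXES:
        r = triage(suffix)
        print(r["raw"].hex(" "), r["valid_utf8"], " ".join(r["code_points"]))
```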