On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmul...@arccorp.com> wrote: > From the looks of it I would say it is targeting servers running SSL. Are > you serving up HTTP or HTTPS ?
I don't think that that is valid SSL, unless your httpd discards the first few bytes. There was a SANS handler diary entry just yesterday about this: https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/ if I try `openssl s_client -connect localhost:14020`, I get the below entry in my access.log, which matches the description in the diary: 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-" this, however, is something completely different. I'd also guess it's some kind of vulnerability scan: > IP > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605 > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" > 200 48605 Rainer --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
