Hits comes from all over the world, without DNS entry found. Hits come from more than 500 IPs from Jan. 2016.
Other samples: with codes like 400, 408 and 404 0.0.0.0 - - [06/Oct/2016:11:12:08 +0300] "\x8bL\xb0Ri\x8f\x03\xb5\x1f)wI\x92\xfc\xa8\x97B\xcbH4\xaa#\xc1\x17'\xa6\xec3#\t\xed\xc4}[\x14w\xef\xcd\xe8" 400 226 0.0.0.0 - - [06/Oct/2016:10:54:47 +0300] "\xae\x95\\_t\xfc\v\x94\xcbU\x143\xdd\xac$\x92\x1e\xb2!\x8d\xb3\xfd\xf4\xdf:\xa1 \x11u\xc89v" 408 221 where I blocked the IPs that send such traffic in-case they are trying to inject something to the server. On Thu, Oct 6, 2016 at 11:08 PM, Anthony Biacco <abia...@handll.com> wrote: > > > On Thu, Oct 6, 2016 at 8:47 AM, Spork Schivago <sporkschiv...@gmail.com> > wrote: > >> >> There's away to do a reverse IP lookup on the IP address and see if >> there's a DNS entry for it. That's how I was able to successfully figure >> out who the senders were (Berkeley) originally. I used dig I believe. I >> don't have access to my Linux box right now, otherwise I'd check to see if >> the IP addresses are actually from Berkeley. There's always a chance that >> they're using more than one server / IP now to conduct the scanning. I >> believe they were originally trying to scan the whole internet. >> >> > based on the IP of 169.229.3.91 given by Mitchell: > > 91.3.229.169.in-addr.arpa. 9787 IN PTR > researchscan1.EECS.Berkeley.EDU. > > University of California - Office of the President UCSD-NET-169-228 > (NET-169-229-0-0-1) 169.229.0.0 - 169.233.255.255 > University of California at Berkeley ISTDATA (NET-169-229-0-0-2) > 169.229.0.0 - 169.229.255.255 > > -Tony > > > > They had said it's a very specific type of malware that only affects IIS >> to their knowledge. If you're not running a Windows server running IIS, >> you should be good to go. >> >> On Thu, Oct 6, 2016 at 8:27 AM, Rainer Canavan < >> rainer.cana...@sevenval.com> wrote: >> >>> On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller <jmul...@arccorp.com> wrote: >>> > From the looks of it I would say it is targeting servers running SSL. >>> Are >>> > you serving up HTTP or HTTPS ? >>> >>> I don't think that that is valid SSL, unless your httpd discards the >>> first few bytes. >>> There was a SANS handler diary entry just yesterday about this: >>> >>> https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTT >>> P+Servers/21551/ >>> >>> if I try `openssl s_client -connect localhost:14020`, I get the below >>> entry in my access.log, >>> which matches the description in the diary: >>> >>> 127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - >>> "\x16\x03\x01\x01,\x01" 400 226 "-" "-" >>> >>> this, however, is something completely different. I'd also guess it's >>> some kind >>> of vulnerability scan: >>> >>> > IP >>> > 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] >>> > "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605 >>> > 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] >>> > "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xd >>> a\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" >>> > 200 48605 >>> >>> Rainer >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >>> For additional commands, e-mail: users-h...@httpd.apache.org >>> >>> >> >