# Strange requests in Apache error log

## jerann

So today I was working on some php coding on my local development server. Lately I've been using tail -f on my Apache log to see php errors as they come up, and I noticed the following line pop up:

```
[Sun Oct 31 16:53:10 2010] [error] [client 65.27.237.194] Invalid method in request \x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B
```

I don't recognize 65.27.237.194 (it's not me), and I don't really understand the error. I never paid very close attention to my Apache log before, but I saw several other similar lines in the log when I checked just now. Is that anything I should be worried about?

----------

## BradN

Looks like an exploit attempt of some kind.  Probably if you're seeing an error, it's not successful, but I really don't know enough to say for sure.

----------

## jerann

Well, I checked back, and it looks like I've got requests that look like that going back for a couple of years from different IP addresses. If it's some kind of attack or exploit, it's been going on for a long time (since pretty much the start of the log in Feb 2009).

Does anything in particular make it look like an attack, or just the fact that something unusual is in the error log?

----------

## NeddySeagoon

jerann,

\x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B  is a string of hex characters.

There is no reason to have that in any legitimate request.  It's probably 'shell code'.  That is a piece of program that the attacker would like executed.

All the more reason to run an odd arch as a server, since even if the request were to succeed, the shell code won't run and the attack will still fail.

----------

## jerann

I have some more information. I checked /var/log/apache2/access_log and saw quite a few odd entries in there as well. I filtered out everything that wasn't a GET or POST request and ended up with a 993-line file. The top might shed some light on it:

```
61.178.166.94 - - [08/Feb/2009:02:54:50 -0600] "\x13BitTorrent protocol" 400 285
58.217.190.50 - - [08/Feb/2009:02:55:19 -0600] "\x0e'\xd5\xd3Zc\x05\x93#M&\x02\xefa\x89q" 501 291
```

Those were the very first 2 lines that weren't typical GET/POST requests that are legit. That "BitTorrent" part could have something to do with it... I don't regularly use BitTorrent myself, and why would anything be happening over port 80 for that anyway?

I also saw some like this:

```
209.30.39.114 - - [02/Jun/2010:01:16:31 -0500] "SEARCH /\x90\xc9\xc9 ... (incredibly long list of \xc9s snipped)... \x90\x90\x90\x90 ... (incredibly long list of \x90s snipped)... \x90" 414 309
```

In total the string itself was 28124 characters (after the \ and before the end quote). There were several that looked like that. I guess I'm just wondering... does this look like an attack targeted specifically at my server, or is this some kind of random script probing the Internet for vulnerable servers? I have a dynamic IP address (just a home connection), but I set up a dns through dyndns to point to my server for convenience. Does anyone else with an Internet-facing server get stuff like this? For the most part, I'm the only one who connects to this server that I know of. I also haven't noticed any problems, so unless I'm unwittingly part of a botnet or something, this appears to be harmless.
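Added example (not part of the thread, and not anything the posters ran): a small Python triage script that does what the posts above do by hand. It pulls the "Invalid method in request" lines out of the Apache 2.2 error_log format shown in the first post and, for the access_log lines in this post, flags request lines whose method is not a normal HTTP verb, that contain Apache's `\xHH`-escaped non-printable bytes, that carry a long run of `\x90` padding, or that exceed Apache's default 8190-byte request-line limit (the one that produces the 414 responses). The sample log lines are constructed from the ones quoted in the thread plus one benign GET; the thresholds (16 consecutive `\x90`, the 8190 limit) and the private address 192.0.2.10 are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Normal HTTP verbs; anything else (SEARCH, binary garbage, "\x13BitTorrent") gets flagged.
KNOWN_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}
MAX_REQUEST_LINE = 8190   # Apache's default LimitRequestLine (assumed); longer lines are answered with 414
NOP_SLED_MIN = 16         # assumed threshold: this many consecutive \x90 bytes counts as padding

# Apache 2.2 access_log (common format) and error_log line shapes, as quoted in the thread.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)\s*$')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] Invalid method in request (.*)$')
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')          # one \xHH escape == one raw byte
NOP_RUN_RE = re.compile(r'(?:\\x90){%d,}' % NOP_SLED_MIN)

# Constructed sample lines (modelled on the thread's quotes; 192.0.2.10 is a documentation address).
ERROR_LOG = "\n".join([
    r'[Sun Oct 31 16:53:10 2010] [error] [client 65.27.237.194] Invalid method in request \x8e\xe1,\x14\x14H\xe9j:\xa9\xcc\x1d\xae\xf6\xbf>B',
    r'[Sun Oct 31 17:02:44 2010] [error] [client 65.27.237.194] Invalid method in request \x16\x03\x01',
    r'[Sun Oct 31 17:10:01 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
])
ACCESS_LOG = "\n".join([
    r'61.178.166.94 - - [08/Feb/2009:02:54:50 -0600] "\x13BitTorrent protocol" 400 285',
    r'''58.217.190.50 - - [08/Feb/2009:02:55:19 -0600] "\x0e'\xd5\xd3Zc\x05\x93#M&\x02\xefa\x89q" 501 291''',
    r'192.0.2.10 - - [08/Feb/2009:03:00:00 -0600] "GET /index.php HTTP/1.1" 200 1043',
    # the snipped SEARCH line, rebuilt with 8200 \x90 bytes so it is over the request-line limit
    r'209.30.39.114 - - [02/Jun/2010:01:16:31 -0500] "SEARCH /\x90\xc9\xc9' + r'\x90' * 8200 + r' HTTP/1.1" 414 309',
])


def classify_request(request_line):
    """Return the reasons (possibly none) that an access_log request line looks like scanner noise."""
    reasons = []
    method = request_line.split(" ", 1)[0]
    if method not in KNOWN_METHODS:
        reasons.append("unknown-method:%s" % method[:16])
    if ESCAPED_BYTE_RE.search(request_line):
        reasons.append("non-printable-bytes")
    if NOP_RUN_RE.search(request_line):
        reasons.append("nop-sled-padding")
    # Apache logs each raw byte as a 4-character \xHH escape, so measure the decoded length.
    decoded_len = len(ESCAPED_BYTE_RE.sub("?", request_line))
    if decoded_len > MAX_REQUEST_LINE:
        reasons.append("oversized-request")
    return reasons


def triage_access_log(text):
    """Map client IP -> list of (status, reasons) for every request line that raised a flag."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _ts, request, status, _size = m.groups()
        reasons = classify_request(request)
        if reasons:
            findings[ip].append((status, reasons))
    return dict(findings)


def triage_error_log(text):
    """Count 'Invalid method in request' errors per client IP; other error lines are ignored."""
    counts = Counter()
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            counts[m.group(2)] += 1
    return counts


if __name__ == "__main__":
    for ip, hits in sorted(triage_access_log(ACCESS_LOG).items()):
        for status, reasons in hits:
            print("%-15s %s %s" % (ip, status, ", ".join(reasons)))
    for ip, n in triage_error_log(ERROR_LOG).most_common():
        print("%-15s %d invalid-method errors" % (ip, n))
```

Run against a real log with `triage_access_log(open("/var/log/apache2/access_log").read())`; the per-IP grouping is what separates a broad scan (many IPs, a handful of hits each) from a source that keeps coming back.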

----------

## NeddySeagoon

jerann,

61.178.166.94 and 58.217.190.50 are both in China

209.30.39.114 is in the USA

I suspect the attacks are not targeted - they will be scripts scanning the IPv4 address space, then testing anything open on port 80.

The machines the attacks come from may well be compromised.  The cynic in me suggests that complaining to abuse@ in china won't help but I have had a good response from US ISPs when I've reported possibly compromised systems.

----------

## jerann

Well, for the moment I've swapped my apache port and let my router block all other ports. I haven't had any other unusual requests on it in the last few days since I did that, so I'll keep an eye on it, but otherwise I'm not too worried. Thanks :)

----------

