# Apache: Strange HTTP GET request

## enigma_0Z

Hi all,

I've got an apache server running and I've got an IP running the following request on my server several times a day:

```
"GET / HTTP/1.0" 200 2365
```

Does anyone know what this is? And is it grounds to ban that IP?

----------

## savage

*enigma_0Z wrote:*

> Hi all,
>
> I've got an apache server running and I've got an IP running the following request on my server several times a day:
>
> ```
> ...
> ```

Don't think it's any reason to ban.

GET / tells you what file was requested - / means serve up whatever the default page of the webserver is

HTTP/1.0 is the request type.  There are HTTP/1.0 and HTTP/1.1  most browsers are 1.1, where probably most scripted applications are 1.0 (it's easier to send a request by hand)

200 means that the request was served without an error.

2365 means that there were 2365 bytes served.

----------

## enigma_0Z

K... here's another one:

```
 "SEARCH \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9

... several lines omitted ...

\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90

... several more lines omitted..." 414 319
```

Based on the previous information, you're saying that those numbers mean that this caused a 414 error, and returned 319 bytes?

This looks like a buffer overflow attempt.

----------

## cyblord

it does...

monitor your logs a bit longer, and if it continues, then deal with it

----------

## magic919

You can look at blocking IPs that do that stuff.  www.pettingers.org has a script to do it.

----------

## Monkeh

*enigma_0Z wrote:*

> K... here's another one:
>
> ```
>  "SEARCH \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9
> ...
> ```

It is. It's for an ancient version of IIS.

----------

## enigma_0Z

For that matter... does this string from my web server look suspicious? I'm getting repeated hits from the same IP addresses every few minutes...

```
67.149.182.30 - - [01/Jun/2006:00:12:22 -0500] "GET / HTTP/1.0" 200 2365

67.149.43.164 - - [01/Jun/2006:00:13:24 -0500] "GET / HTTP/1.0" 200 2365

67.149.90.12 - - [01/Jun/2006:00:15:56 -0500] "GET / HTTP/1.0" 200 2365

67.149.57.10 - - [01/Jun/2006:00:36:52 -0500] "GET / HTTP/1.0" 200 2365

67.149.57.10 - - [01/Jun/2006:00:40:41 -0500] "GET / HTTP/1.0" 200 2365

67.149.228.133 - - [01/Jun/2006:00:41:30 -0500] "GET / HTTP/1.0" 200 2365

67.149.44.225 - - [01/Jun/2006:00:44:59 -0500] "GET / HTTP/1.0" 200 2365

67.149.225.224 - - [01/Jun/2006:01:14:01 -0500] "GET / HTTP/1.0" 200 2365

67.149.105.203 - - [01/Jun/2006:01:14:30 -0500] "GET / HTTP/1.0" 200 2365

67.149.225.224 - - [01/Jun/2006:01:33:12 -0500] "GET / HTTP/1.0" 200 2365

67.149.57.10 - - [01/Jun/2006:01:36:37 -0500] "GET / HTTP/1.0" 200 2365

67.149.228.133 - - [01/Jun/2006:01:51:46 -0500] "GET / HTTP/1.0" 200 2365

67.149.90.12 - - [01/Jun/2006:02:01:35 -0500] "GET / HTTP/1.0" 200 2365

67.149.57.10 - - [01/Jun/2006:02:05:19 -0500] "GET / HTTP/1.0" 200 2365

67.149.228.133 - - [01/Jun/2006:02:05:25 -0500] "GET / HTTP/1.0" 200 2365

67.149.44.225 - - [01/Jun/2006:02:05:31 -0500] "GET / HTTP/1.0" 200 2365

67.149.59.200 - - [01/Jun/2006:02:20:10 -0500] "GET / HTTP/1.0" 200 2365

67.149.59.200 - - [01/Jun/2006:02:25:28 -0500] "GET / HTTP/1.0" 200 2365

67.149.9.61 - - [01/Jun/2006:02:52:13 -0500] "GET / HTTP/1.0" 200 2365

67.149.9.61 - - [01/Jun/2006:03:08:19 -0500] "GET / HTTP/1.0" 200 2365

67.149.90.12 - - [01/Jun/2006:03:17:01 -0500] "GET / HTTP/1.0" 200 2365

67.149.59.200 - - [01/Jun/2006:03:23:10 -0500] "GET / HTTP/1.0" 200 2365

67.149.44.225 - - [01/Jun/2006:03:35:08 -0500] "GET / HTTP/1.0" 200 2365

67.149.10.11 - - [01/Jun/2006:03:37:07 -0500] "GET / HTTP/1.0" 200 2365

67.149.89.192 - - [01/Jun/2006:03:41:30 -0500] "GET / HTTP/1.0" 200 2365

67.149.59.200 - - [01/Jun/2006:03:45:25 -0500] "GET / HTTP/1.0" 200 2365

67.149.44.225 - - [01/Jun/2006:03:54:42 -0500] "GET / HTTP/1.0" 200 2365

67.149.9.61 - - [01/Jun/2006:03:56:10 -0500] "GET / HTTP/1.0" 200 2365

... trusted IP's omitted ...

67.149.90.12 - - [01/Jun/2006:04:03:08 -0500] "GET / HTTP/1.0" 200 2365

67.149.57.10 - - [01/Jun/2006:04:03:58 -0500] "GET / HTTP/1.0" 200 2365

67.149.225.224 - - [01/Jun/2006:04:10:58 -0500] "GET / HTTP/1.0" 200 2365

67.149.59.200 - - [01/Jun/2006:04:11:50 -0500] "GET / HTTP/1.0" 200 2365

67.149.44.225 - - [01/Jun/2006:04:20:13 -0500] "GET / HTTP/1.0" 200 2365

67.149.89.192 - - [01/Jun/2006:04:23:39 -0500] "GET / HTTP/1.0" 200 2365
```
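Added example (not code from any poster in this thread): a small parser for the Apache common log format that pulls apart the fields savage explained earlier (client IP, request line, status, bytes served), counts hits per IP and per /16 so a pattern like the 67.149.x.x listing above stands out, and flags request lines worth a closer look. The sample lines are constructed from this thread (a few of the `GET / HTTP/1.0` entries, a shortened version of the `SEARCH` request, and one ordinary hit from a documentation address); the flagging heuristics (unknown method, `\xHH`-escaped bytes in the request line, status 414, an oversized request line) and the 512-byte threshold are this example's own assumptions, not anything Apache provides.

```python
"""Parse Apache common-log-format lines and summarise per-client activity.

Added example for this thread; not code from any poster. The heuristics
(unusual method, escaped non-printable bytes, 414 status, long request line)
are this example's own assumptions about what deserves a second look.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Common Log Format:  client ident authuser [timestamp] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Apache writes non-printable request bytes as \xHH escapes, so a request line
# full of \xc9 / \x90 appears in the log text as literal backslash sequences.
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')
KNOWN_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE"}
LONG_REQUEST_LINE = 512  # assumed threshold for "oversized"


@dataclass
class LogEntry:
    ip: str
    time: str
    method: str
    path: str
    protocol: str
    status: int      # e.g. 200 = served OK, 414 = Request-URI Too Long
    size: int        # response bytes; "-" in the log means none
    raw_request: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for lines that are not CLF (e.g. '... omitted ...')."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    request = m.group("request")
    parts = request.split(" ", 2)   # method, path, protocol (protocol may be absent)
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    protocol = parts[2] if len(parts) > 2 else ""
    size = m.group("size")
    return LogEntry(
        ip=m.group("ip"), time=m.group("time"), method=method, path=path,
        protocol=protocol, status=int(m.group("status")),
        size=0 if size == "-" else int(size), raw_request=request,
    )


def suspicious_reasons(entry: LogEntry) -> List[str]:
    """Heuristic flags; an ordinary 'GET / HTTP/1.0' returns an empty list."""
    reasons = []
    if entry.method not in KNOWN_METHODS:
        reasons.append(f"unusual method {entry.method}")
    if ESCAPED_BYTE_RE.search(entry.raw_request):
        reasons.append("non-printable bytes in request line")
    if entry.status == 414:
        reasons.append("414 Request-URI Too Long")
    if len(entry.raw_request) > LONG_REQUEST_LINE:
        reasons.append("oversized request line")
    return reasons


def analyze(lines):
    """Count hits per IP and per /16, and collect entries that trip a heuristic."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    by_ip = Counter(e.ip for e in entries)
    # Group by the first two octets so one ISP's /16 hammering the server is visible.
    by_slash16 = Counter(".".join(e.ip.split(".")[:2]) + ".0.0/16" for e in entries)
    flagged = []
    for e in entries:
        reasons = suspicious_reasons(e)
        if reasons:
            flagged.append((e.ip, e.method, e.status, reasons))
    return {"total": len(entries), "by_ip": by_ip, "by_slash16": by_slash16, "flagged": flagged}


# Constructed sample: lines taken from the listing above, a shortened version of
# the SEARCH request, and one ordinary HTTP/1.1 hit from a documentation address.
SAMPLE_LOG = [
    '67.149.182.30 - - [01/Jun/2006:00:12:22 -0500] "GET / HTTP/1.0" 200 2365',
    '67.149.43.164 - - [01/Jun/2006:00:13:24 -0500] "GET / HTTP/1.0" 200 2365',
    '67.149.57.10 - - [01/Jun/2006:00:36:52 -0500] "GET / HTTP/1.0" 200 2365',
    '67.149.57.10 - - [01/Jun/2006:00:40:41 -0500] "GET / HTTP/1.0" 200 2365',
    "... trusted IP's omitted ...",
    '67.149.57.10 - - [01/Jun/2006:01:36:37 -0500] "GET / HTTP/1.0" 200 2365',
    r'192.0.2.7 - - [01/Jun/2006:02:00:00 -0500] "SEARCH \xc9\xc9\xc9\xc9\x90\x90\x90\x90" 414 319',
    '198.51.100.9 - - [01/Jun/2006:02:10:00 -0500] "GET /index.html HTTP/1.1" 200 2365',
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['total']} parsed entries")
    for net, n in result["by_slash16"].most_common():
        print(f"{net}: {n} requests")
    for ip, method, status, reasons in result["flagged"]:
        print(f"{ip} {method} -> {status}: {', '.join(reasons)}")
```

Run against the sample, the plain `GET / HTTP/1.0` entries trip no heuristic at all: each one is a successful fetch of the default page, exactly as savage described. What stands out is only the volume from a single /16, which is what the per-network counter is for. The `SEARCH` line, by contrast, is flagged three times over (unknown method, escaped bytes, 414), which matches the thread's reading of it as an overflow attempt aimed at something other than Apache. Note that `parse_line` returns `None` for non-CLF lines such as the "omitted" marker, so a real log with stray lines can be fed straight through.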

----------

## savage

I expect you are getting blasted from compromised vinders boxen on wideopenwest.com's cable network.  Nothing a little iptables won't fix, though.  Also, I strongly suspect that any compromises that the vinders boxen try won't work on your apache / linux box.  One thing that is nice is the string match module for iptables.  Don't remember where to get it, but you can match specific strings (i.e. those hex numbers), and those packets will be dropped quietly while any other real traffic coming from that host won't be.

----------

## savage

okay, here it is.

http://www.netfilter.org/patch-o-matic/pom-extra.html

----------

