Possible attack attempt on webserver, how to decode the requests to find out?
27-05-2021
Question
In my Apache access log I'm getting some requests like the following:
[some timestamp] [some ip] [my servers ip] 400 "x\x014\x8cO\v\x820\x18\xc6\xef\xc2\xbe\xc3{\xac\xc8\xa9\x87\x82\xf4$!\x19a\x04-:\xaf\xedU^X\xdbPQ\xf0\xd37\x0f]\x1e\xf8=\xff.\x95\x80\xa4\x95\x13)gy\x10\xa8\x85x$\x19\xcfXT*\x85~\xcca\x97\xec\xfe\x10WV9M\xb6\xcb\xa1[\xc8\xefAck\xe4\x88,:;kQ\x8d\xe4l\x0e7D\x1f\x97\x86\xa6\xe0\xd7n\b\x17\xf3<\xf3\x1e\xbd\x91"
[some timestamp] [some ip] [my servers ip] 400 "x\x01\x9cS\xcbr\xda0\x14\xdd3\xc3?h\xd3N\x92F\xb6$\xcb/\x18O\x07l\xf3\b\x0f\xa7\xc14m7\x8c\xb0\x84qll\xc7\x98\xd0d\xfa\xf1\x15\x94\x94v\xdan\xba\xd2\xd5\xb9\xe7\xe8^]\x1d\xf5\xfd\x10\xa8\xab$\x13[5\xd9\xb0X.l\xa9\xae\x05\xe3\xa2\x82\\@\x96\xd5T)\xf3\x18\x0c\xc2\xf0V\xc5"
[some timestamp] [some ip] [my servers ip] 400 "x\x01\xacU[o\xab8\x10~\xaf\xd4\xff\xc0K\xa5svORc \x81Vy\b\xd7$\x05\xa7\x10\x03\x81\x97"
[some timestamp] [some ip] [my servers ip] 400 "x\x01\xacU[s\xaaH\x10~OU\xfe\x03/\xa9\xda\xcbQ\x87\x01T\x92\xf2A\xb9\xa9\x811 \x17\xe1%\x05\x0c*2 \x01\x94h\xe5\xc7\xef\xe0\x9e\x9cs\xf6\xec\xee\xcb\xd6\x96\x8e6\xdd_\xf7\xf4|\xdd\xf4h\x8a\xcd\x0c\xd2\"&'\x9c\xd4\x834\x0fw\xf4\xaf\xc2\x83\xa8)^\xeb\xb2J\x9b\x84\x1b\xf6\xcbb\xc7\xccm\xfbe\xc0\xf6\xd9\xfb\xbbi\x1c'e\xf3\xc8\xdc\xc0\x03j\xfb\xf2U\xac\xcf\xbb\xdf\xdfs\xf2\xf9\xf8\xdb\xd3\xdb\x04\xf4\xc7_\x98\xdf\x06\x7f\x8a\xc2\xa7oO)\xe2#N\x8b\xdd#\xb3\xbb\xa6\xe5\x17\x06'[\x126\xc97\xbb\x1e\x16\xbb\x13M\xe5\x91Z\xee\xef\xa4cQ$q\x93\x1e\x8bG\xe69I\xca\xde\x94\xa4\xe7\x9b\xfe\x98\xa5\x14#\xa9\vy\xb2\x8d\xd8-`y\xb6\x07\x841\xdf\xe3G\xf1\xb67\x1ec\xbe'\x80XH`\x84\x87\xe1\x88}\xa2P{\xf5\xac\xa0\txbdE\x9d:\xba\xad\xaf\xa4\xa9\xaeLp\xf2*+O\x8cah\xaf\xcf\x9eL\xe3\xb1\xfc\x10r=E\xe4\xa6\xcah6\xec\xc1\x99<\xec\xf1\xea\x90\xef\x89,\x90z\xb3!7\x94\x86"
[some timestamp] [some ip] [my servers ip] 400 "x\x01\xacU[s\xaaH\x10~OU\xfe\x03/\xbbu\xf6\xecQ\x87\x01T\x92\xb2\xb6\x94\x9b\x1a\x18\x03r\x11^,`P\x91\x01\x89\xa2\xa8\x95\x1f\xbf\x83\x9b\xe4\\\xf7ek\x1f\xa6h\xba\xbf\x9e\xe9\xf9\xba\xe1\xd3\x14\x9b\xe9\xacR\x92\x1c:i\x1e\xae\xe9#\xc4\xa7e\x1a\xef\x96U\x9a'\xed\xb2X3c\xdb~\xee\xb0m\xf6\xfen\x18\xc7IY=07d\x87\xc6\xbe\xbc\x99\x87\xd3\xfa\xcfsN\xde_??\xbe\x0c@\xbb\xff\x85\xf9\xdc\xf9\xc7\x14\xdes[J\x11\xefpZ\xac\x1f\x98\xf55-\xbf08Y\x91\xb0J>\xe2zX\xac\x8f\xb4\x8e\x07\x1a\xb9\xbf\x93vE\x91\xc4U\xba+\x1e\x98\xa7$)[C\x92\x9en\xfe]\x96R\x8c\xa4N\xe4\xc1*bW\x80\xe5\xd9\x16\x10\xfa|\x8b\xef\xc5\xabV\xbf\x8f\xf9\x96"
[some timestamp] [some ip] [my servers ip] 400 "x\x01\xacUko\xabH\x12\xfd\x1e)\xff\x81/\xbb\x9a\x19\rv\xf3\xb2\x8d#ke\xf3\xb2\x1dh\x07\xcc\xc3\xf0%\x02\xbam0\xcd#\x18\xc7\xb1\x95\x1f\xbf\x8d'\xf7\xde\x99;+\xad\xb4Z\xa1\x96\x9a\xaaS\xd5\xd5\xa7"
[some timestamp] [some ip] [my servers ip] 400 "x\x01\xacV[s\xaa\xc8\x16~OU\xfe\x03/\xa9\x9a\x99\xb3\xd5\xa6\x01\x95\xa4|Pnj\xa0\r\xc8ExI\x01\x8d\x8a4\x97 J\xb4\xf2\xe3O\xe3\xce\xde\x99\xd93\xf3r\xea\x94\x82\x8b^_\xaf^\xfd}\x8b\xd5j\x8a\xcd\x0c\xd2\"&'\x9c\x1c\x07i\x1e\xee\xe8O\x8d\x07QS\xbc\x1e\x93\xb0\x8e\xf7=\x92l\x9b~U\xec\x98\xb9m\xbf\x0c\xd8>{\x7f7\x8d\xe3\xa4j\x1e\x99\x1b~@}\xdf>\xcd\xe3y\xf7\x9f\xf7\x9c\xfcx\xfc\xe3\xe9m\x02\xfa\xe3o\xcc\x1f\x83\xef\xa6\xf0cnO)\xe2\x12\xa7\xc5\xee\x91\xd9]\xd3\xea\x1b\x83\x93-\t\x9b\xe4\xa7_\x0f\x8b\xdd\x89f\xf3H=\xf7wRY\x14I\xdc\xa4e\xf1\xc8<'I\xd5\x9b\x92\xf4|\x1b/\xb3\x94b$u!O\xb6\x11\xbb\x05,\xcf\xf6\x800\xe6{\xfc(\xde\xf6\xc6c\xcc\xf7\x04\x10\v\t\x8c\xf00\x1c\xb1O\x14j\xaf\x9e\x154\x01O\x8c\xac\xa8SG\xb7\xf5\x954\xd5\x95\tN^e\xe5\x891\x0c\xed\xf5\xd9\x93i<\x96\x1fB\xae\xa7\x88\xdcT\x19\xcd\x86=8\x93\x87=^\x1d\xf2=\x91\x05Ro6\xe4\x86\xd2\x10\xc0\x19u\xafY\x91\x1f\x8bp\xc8\x03\x81\xae\xf0b\xaddG\xb2\xd7\xaf\xeeb\xbd\xb0\x15y\xf2\x02"
[some timestamp] [some ip] [my servers ip] 400 "x\x01DP[o\xda0\x18}G\xe2?\xf8\tm\xa5\x8e\xe3\\!\x15\x9a \xa3\xed\xb4vB%\x15\xda\x132\xc9G\xb0bl\xcf15\xed\xaf\x9f\xa3i\xdb\xa3\xcf\xc5\xdf9\xe7a]!\xa2\x8dj.\x9d%\x9b0\x8c\xf2|\x16\x91w&\xa1\xc6RY8(\xd5a\xd6u\x17\xa2%I\xb2h6\x0fq\x9e\xd0\xe0d\xcf\xe2K\xe7\x9a=o\x16\xd4\xe31^\xcf\xe3\xe5:_e8Z}\xcdpr\x9f%xN\xc3\x12\xaf\xb28+\xb30ZyzK\xf3tNi:\xcbR:ik\xe1\xcd\xe5\xd3n#\xdf\"\x17\xffJ\xca\xfb\x9f\xbd\x8b\x9dj\xe2Wfv\x0e=V\xd5\x86\xd0\x80\x8eG\xcb\xba\x06m\vd\xe1j\xc9p\xfa\x161\xad\x05\xaf\x99\xe5J\x92\xeb"
[some timestamp] [some ip] [my servers ip] 501 "x\x014L\xcb"
Is this an attack attempt, and if so, what kind? How would I decode this? It looks partly hexadecimal.
To be clear, a normal line in my log file would look something like this:
[some timestamp] [some ip] [my servers name] 200 "GET /path/to/something.html HTTP/1.1"
Since the server is responding with status 400, I'm guessing the so-called attack is not working, but I'm still curious as to what is actually happening here.
Solution
This is hex encoding, supported for strings in, for instance, JavaScript. In Firebug or the Chrome dev console you could do: console.log('ATTACK_STRING'). Replace ATTACK_STRING, excluding the quotes, with a line from your log.
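The console.log trick works because the JavaScript parser interprets the \xHH escapes, which is also how Apache wrote them: the access log stores non-printable request bytes as \xHH and the rest with the C-style escapes \n \r \t \v \b \\ \". The following Node.js script is an added example, not code from the original answer; it undoes that escaping explicitly, prints the leading bytes as hex, and triages each decoded line (a normal HTTP request line, a valid zlib stream header such as the 0x78 0x01 that every quoted 400 line starts with, or otherwise text/binary). The function names are my own and the sample lines are copied from the question.

```javascript
// Added example (not from the original answer): undo Apache access-log escaping
// and triage the raw request bytes instead of guessing from the escaped text.
const SIMPLE_ESCAPES = new Map([
  ['n', 0x0a], ['r', 0x0d], ['t', 0x09], ['v', 0x0b],
  ['b', 0x08], ['\\', 0x5c], ['"', 0x22],
]);

// Turn one escaped log field back into the bytes Apache actually received.
function unescapeApacheField(field) {
  const out = [];
  for (let i = 0; i < field.length; i++) {
    if (field[i] !== '\\') { out.push(field.charCodeAt(i) & 0xff); continue; }
    const next = field[i + 1];
    const hex = field.slice(i + 2, i + 4);
    if (next === 'x' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16)); i += 3;
    } else if (SIMPLE_ESCAPES.has(next)) {
      out.push(SIMPLE_ESCAPES.get(next)); i += 1;
    } else {
      out.push(0x5c); // stray backslash: keep it literally
    }
  }
  return Uint8Array.from(out);
}

function toHex(bytes, limit = 8) {
  return Array.from(bytes.slice(0, limit), b => b.toString(16).padStart(2, '0')).join(' ');
}

// Rough triage of a decoded request line for log review.
function classifyRequestLine(bytes) {
  const text = Array.from(bytes, b => String.fromCharCode(b)).join('');
  if (/^[A-Z]{3,10} \S+ HTTP\/\d\.\d$/.test(text)) return 'http';
  // zlib stream header: low nibble of CMF is 8 and (CMF*256 + FLG) % 31 == 0
  const zlib = bytes.length >= 2 && (bytes[0] & 0x0f) === 8 &&
    (((bytes[0] << 8) | bytes[1]) % 31) === 0;
  if (zlib) return 'zlib-header';
  const printable = bytes.filter(b => b >= 0x20 && b < 0x7f).length;
  return printable / bytes.length > 0.9 ? 'text' : 'binary';
}

// Constructed input: lines copied from the question (String.raw keeps the backslashes).
const SAMPLES = [
  String.raw`x\x014L\xcb`,
  String.raw`x\x01\xacU[o\xab8\x10~\xaf\xd4\xff\xc0K\xa5svORc \x81Vy\b\xd7$\x05\xa7\x10\x03\x81\x97`,
  'GET /path/to/something.html HTTP/1.1',
];
for (const line of SAMPLES) {
  const bytes = unescapeApacheField(line);
  console.log(`${classifyRequestLine(bytes).padEnd(11)} ${bytes.length} bytes, starts ${toHex(bytes)}`);
}
```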
Not from StackOverflow