That's certainly quite interesting, thanks for the information. This
will be an interesting one to keep a watch on.
I am interested in why your Apache responded with a 200 and Nginx just
dropped them with a 400.
I checked my Apache logs this morning and, lo and behold, found the same
IP, but only in the main Apache error.log for the default site on the
server. These strings do not appear in any of my actual web sites' error
or access logs, so it's literally only scanning IP addresses and not
actual web sites. So on my side Apache dropped it immediately with a
core:error and didn't even get to issuing a response.
Here's some of what I saw in my Apache error.log this morning
[Sun Apr 24 14:48:13.589669 2016] [core:error] [pid 13048] [client 169.229.3.91:35831] AH00126: Invalid URI in request \x9d=X\x9eb\xc2\xa7a{\xb0<;'\xdcck\\\xc8!\x87{\xcfX*\x0c\xe6\xae\xac\xbe\x13\x1c\x85$
[Tue Apr 26 11:37:20.852667 2016] [core:error] [pid 6359] [client 169.229.3.91:46815] AH00135: Invalid method in request \x11\xaf\\\xa8\xeeP\xa3W^\xb9P#E\xae\x94\x9eJ\xbd\x18E\xe7\xdeY\xb2\xb9\xe6\xb1-\xb4@\xd0\xecn\xe96<YX\xda36\x82\x1e\x16\xec\xbf\xc6{
Kind Regards
Mitchell
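Editor's note: the two error.log lines above are exactly what a fail2ban filter for this scanner would need to match, since the request never reaches a site's access log. The script below is an added example (not code from the thread or from fail2ban) that parses Apache 2.4 core:error lines of this shape, decodes the \xHH escaping Apache applies to the raw request bytes so the probe can be inspected, and counts hits per client IP the way a failregex/maxretry pair would. The two matching sample lines are the ones quoted in the message; the third, non-matching line is constructed for contrast. The handling of Apache's short escapes (\n, \t, \\ and so on) follows the behaviour of ap_escape_logitem as I understand it and is an assumption.

```python
import re
from collections import Counter

# Apache 2.4 default ErrorLogFormat:
# [timestamp] [module:level] [pid N] [client IP:PORT] AHnnnnn: message
# Only the two core errors seen in the thread are matched:
# AH00126 "Invalid URI in request" and AH00135 "Invalid method in request".
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:error\] \[pid \d+\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] "
    r"(?P<code>AH00126|AH00135): (?P<msg>Invalid (?:URI|method) in request) "
    r"(?P<payload>.*)$"
)

# Apache escapes non-printable request bytes as \xHH; backslash, double quote
# and a few control characters get short escapes (assumption: ap_escape_logitem).
ESC_RE = re.compile(r'\\(?:x(?P<hex>[0-9a-fA-F]{2})|(?P<ch>[\\"nrtvb]))')
NAMED = {"\\": b"\\", '"': b'"', "n": b"\n", "r": b"\r",
         "t": b"\t", "v": b"\v", "b": b"\b"}


def unescape(payload: str) -> bytes:
    """Undo Apache's error.log escaping and return the raw request bytes."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(payload):
        out += payload[pos:m.start()].encode("latin-1")  # literal printable run
        if m.group("hex"):
            out.append(int(m.group("hex"), 16))
        else:
            out += NAMED[m.group("ch")]
        pos = m.end()
    out += payload[pos:].encode("latin-1")
    return bytes(out)


def parse(line: str):
    """Return a dict for a matching core:error line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["raw"] = unescape(rec["payload"])
    return rec


def offenders(lines, threshold=2):
    """Count matching lines per client IP, like fail2ban's failregex + maxretry."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Lines 1-2 are the ones quoted in the message (re-joined onto one line each);
# line 3 is a constructed non-matching notice used to show the filter is selective.
SAMPLE_LINES = [
    r"[Sun Apr 24 14:48:13.589669 2016] [core:error] [pid 13048] [client 169.229.3.91:35831] AH00126: Invalid URI in request \x9d=X\x9eb\xc2\xa7a{\xb0<;'\xdcck\\\xc8!\x87{\xcfX*\x0c\xe6\xae\xac\xbe\x13\x1c\x85$",
    r"[Tue Apr 26 11:37:20.852667 2016] [core:error] [pid 6359] [client 169.229.3.91:46815] AH00135: Invalid method in request \x11\xaf\\\xa8\xeeP\xa3W^\xb9P#E\xae\x94\x9eJ\xbd\x18E\xe7\xdeY\xb2\xb9\xe6\xb1-\xb4@\xd0\xecn\xe96<YX\xda36\x82\x1e\x16\xec\xbf\xc6{",
    r"[Tue Apr 26 11:40:00.000000 2016] [mpm_prefork:notice] [pid 1234] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse(line)
        if rec:
            print(rec["ip"], rec["code"], len(rec["raw"]), "bytes:", rec["raw"].hex())
    print("ban candidates:", offenders(SAMPLE_LINES))
```

The decoded payloads are what you would hand to whoever is analysing the scanner's rendezvous protocol; for banning purposes only the ip group matters, which is why the regex anchors on the client field rather than on the payload, whose bytes vary per probe.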
On 2016/07/09 12:56 AM, [email protected] wrote:
A guy on the apache user mailing list was able to talk with the guys
doing this scan, here is the response:
Okay Red-Tail Books, I got more information for you! This is the
latest response I got:
"The malware is installed via a range of vulnerabilities including
social engineering. This scan is really testing for the malware's
rendezvous protocol for command and control. As a rule, we have been
informing law enforcement about infected machines and they have been
doing victim notification and thus if your correspondent is infected
they will be contacted. However, I believe that this particular
malware works exclusively with IIS and thus an Apache user is unlikely
to have much to worry about. Unfortunately, I don't know the precise
meaning of the string or what it elicits and Paul (cc'd) who is the
grad student lead on this project is currently away on his honeymoon,
but I'm sure we can respond more succinctly once he returns"
So, it seems that you're in the clear and have nothing to worry
about, mainly because you're running Apache and not IIS. I wish I
could answer what the actual hex string means and what Apache
responded with. Perhaps when Paul gets back from his honeymoon,
we'll receive an answer.
Best of luck.
Ken.
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users