4.7 base apache access file has strange characters

From: Siju George (sgeorge.mlgmail.com)
Date: Wed Aug 04 2010 - 00:35:33 CDT


Hi,

 I exposed the base apache chrooted on one of my 4.7 systems to the
internet yesterday.
I found these strange lines in /var/www/logs/access_log

============================================================================================

122.169.7.58 - - [04/Aug/2010:09:41:18 +0530]
"\x8e<o?=M6o?=o?=$D[o?=Do?=o?=x89b:\x7f\x8efo?=\x93.\x80\x1d\x1c\vo?=-Xo?=\x99\b(6rko?=No?=\x16&o?=o?=[e:F\x0f\x0ca'ho?=\x82\x82vo?=Ro?=
400 299
122.175.77.144 - - [04/Aug/2010:09:41:27 +0530]
"yo?=o?={6K\x1co?=P3o?=[K/=o?=eo?=x83o?=o?=o?=S\x06o?=" 501 -
122.173.243.140 - - [04/Aug/2010:09:44:44 +0530]
"\x9dU*\x81o?=\x134\x98o?=Io?=o?=\ro?=h\x85~jao?=x8f\x8b\x8e\x89o?=\x8eo?=o?=u\vo?=o?=3YSr%\x85(o?=yjo?=x8b"
400 299
59.145.141.102 - - [04/Aug/2010:09:54:27 +0530]
"\x83\x98o?=\x0fo?=o?=\x06o?=\x14\x91i,co?=Qo?=\x85o?=Vo?=o?=" 501 -

=============================================================================================

What are they trying to access?

In PF only port 80 (and not 443) is exposed to the internet, with the rule:

pass in log (all, to pflog5) quick on sk0 inet proto tcp from any to
(sk0) port = www flags S/SA keep state label " # Restricted WWW access
from outside"

thanks :-)

--Siju
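
One way to triage entries like those quoted in the message above, as an added example that is not part of the original post: it parses Common Log Format lines and flags requests that are not a well-formed HTTP request line, counting them per client and status. The sample lines, the documentation addresses and the names `classify` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes.
# The closing quote is optional so truncated request fields still parse.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)"? (\d{3}) (\S+)$')
# Well-formed HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQ_LINE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Escapes Apache writes for non-printable bytes in the logged request
ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}|\\[bnrtv]')

def classify(line):
    """Return a dict describing one access_log entry, or None if unparsable."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    host, when, request, status, _size = m.groups()
    escapes = len(ESCAPE.findall(request))
    if REQ_LINE.match(request):
        kind = "http"
    elif escapes:
        kind = "non-http-binary"   # raw bytes arrived where a request line was expected
    else:
        kind = "non-http-text"     # printable, but not METHOD target HTTP/x.y
    return {"host": host, "time": when, "status": int(status),
            "kind": kind, "escapes": escapes}

def summarize(lines):
    """Count non-HTTP entries per (host, kind, status) for triage."""
    counts = Counter()
    for line in lines:
        entry = classify(line)
        if entry and entry["kind"] != "http":
            counts[(entry["host"], entry["kind"], entry["status"])] += 1
    return counts

# Constructed sample entries (documentation addresses, not taken from the post)
SAMPLE = [
    r'192.0.2.10 - - [04/Aug/2010:09:40:02 +0530] "GET /index.html HTTP/1.0" 200 1432',
    r'198.51.100.7 - - [04/Aug/2010:09:41:18 +0530] "\x8e<\x7f\x8ef\x93.\x80\x1d\x1c\v-X" 400 299',
    r'198.51.100.7 - - [04/Aug/2010:09:41:27 +0530] "y{6K\x1cP3[K/=" 501 -',
    r'203.0.113.5 - - [04/Aug/2010:09:44:44 +0530] "\x9dU*\x81\x134\x98 400 299',
    r'203.0.113.5 - - [04/Aug/2010:09:45:01 +0530] "HELO example" 400 299',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```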