So I found this in my logs earlier today:

174.0.111.178 - - [17/Feb/2013:17:39:49 -0900] "k\x8a4\x8f\x9f\x1c\xfb\xb9\xf4\xb8\x97CI\xa3w\xeb\xf9\xb2\xb4\b\xb9\x04\x05\xe1M\x88C\xde\xed<\x13\b\xfd\b\x9d\xb047\xe5k\x87\r\xc6\x1a\xab\x16b" 400 301 "-" "-"

Also this from the error log (same request):

[Sun Feb 17 17:39:49 2013] [error] [client 174.0.111.178] Invalid URI in request k\x8a4\x8f\x9f\x1c\xfb\xb9\xf4\xb8\x97CI\xa3w\xeb\xf9\xb2\xb4\b\xb9\x04\x05\xe1M\x88C\xde\xed<\x13\b\xfd\b\x9d\xb047\xe5k\x87\r\xc6\x1a\xab\x16b

Does anyone know what that means? I think it's some kind of hex code or something, but I was just interested because I get one of these every few days or so, and also whether it was potentially dangerous.

1 Answer

They are non-printable characters in the HTTP request. It could be someone trying to exploit your server or as harmless as a request containing multi-byte Unicode characters.

The Apache mod_log_config manual explains the format:

For security reasons, starting with version 2.0.46, non-printable and other special characters in %r, %i and %o are escaped using \xhh sequences, where hh stands for the hexadecimal representation of the raw byte.

Thiago Figueiro
    Though it could in theory be an exploitation attempt (maybe a buffer overflow), that isn't very likely. And there is no evidence suggesting the server is vulnerable. It cannot be a request containing UTF-8 for two reasons: There is no HTTP request method, so the client isn't even speaking HTTP. Additionally the first byte with the high bit set would be a continuation character in UTF-8, so the data isn't valid UTF-8. A much more plausible explanation simply is that the client is speaking a completely different protocol than HTTP. That produces some noise in the log, but is otherwise harmless. – kasperd Nov 01 '18 at 18:39
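
An added example, not part of the original answer or comments: it reverses the \xhh escaping on the logged request line and runs the two checks discussed above (is there an HTTP method, is the data valid UTF-8). The names `unescape_logitem` and `triage` are hypothetical, and `SAMPLE_HTTP` is a constructed line for contrast.

```python
import re

# Request string copied from the access-log line quoted in the question.
LOGGED = r'k\x8a4\x8f\x9f\x1c\xfb\xb9\xf4\xb8\x97CI\xa3w\xeb\xf9\xb2\xb4\b\xb9\x04\x05\xe1M\x88C\xde\xed<\x13\b\xfd\b\x9d\xb047\xe5k\x87\r\xc6\x1a\xab\x16b'
# Constructed contrast sample: a real HTTP request line with a UTF-8 "é" in the path.
SAMPLE_HTTP = r'GET /caf\xc3\xa9 HTTP/1.1'

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH"}
# \xhh is the form the manual describes; \b and \r appear in the logged line.
# The other C-style escapes are handled on the assumption Apache emits them too.
_SIMPLE = {"b": 0x08, "n": 0x0A, "r": 0x0D, "t": 0x09, "v": 0x0B,
           "\\": 0x5C, '"': 0x22}
_TOKEN = re.compile(r'\\x([0-9a-fA-F]{2})|\\([bnrtv\\"])|(.)', re.S)


def unescape_logitem(text):
    """Turn an escaped %r value back into the raw bytes the client sent."""
    out = bytearray()
    for hexpair, simple, literal in _TOKEN.findall(text):
        if hexpair:
            out.append(int(hexpair, 16))
        elif simple:
            out.append(_SIMPLE[simple])
        else:
            out += literal.encode("latin-1")
    return bytes(out)


def triage(text):
    """Apply the checks from the discussion to one logged request line."""
    raw = unescape_logitem(text)
    result = {"length": len(raw),
              "has_http_method": raw.split(b" ", 1)[0] in HTTP_METHODS,
              "printable": sum(0x20 <= b < 0x7F for b in raw),
              "valid_utf8": True, "bad_offset": None,
              "bad_is_continuation": None}
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as err:
        bad = raw[err.start]
        result.update(valid_utf8=False, bad_offset=err.start,
                      # 10xxxxxx may only follow a lead byte, never start a character
                      bad_is_continuation=(bad & 0xC0) == 0x80)
    return result


if __name__ == "__main__":
    for label, line in (("logged", LOGGED), ("constructed", SAMPLE_HTTP)):
        print(label, triage(line))
```

Apache logs only what it read as the request line, so the decoded bytes may be a fragment of whatever the client actually sent.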