
Unfortunately I'm too much of a newbie to search for the answer to this question, or even to phrase it properly, since I don't know what I'm looking at.

This is what I see in my nginx access.log. Obviously I can pick out the IP address and date. But the argument after the \x isn't always hex. Or is this a mixture of unicode representation and actual ASCII chars?

Obviously nginx thinks this is nonsense (malformed return code). But I'd like to know what is going on. All the IP addresses are for ISPs, so I can't really block them at the risk that they are dynamic.

68.197.228.104 - - [07/Aug/2016:06:41:41 +0000] "\x9F\x00\x00\x00B\xF3Z\xC7\xDB\xC9b\xC7\xDD=\xE2\xB4m0+\x9E\xA8\x1E\xC5)Z\xDD\xFAD=}\x9E\xE1!\xBA\xE0\xFB\xA0\xA0Z|\xC1K\xBA\xC1\xD1\xD8\xA7\x8C\xD47YrG\xB0\xB4C\x1Fo\x80\xD8\x15\x088\x1B4\xBE\x02z7\x85s\x9753\xA2M\xAC\x22\x5C\x04{4F\x87[\xFD\x17\xFCE\x82}~\x99z\x9D\x87T\xA1\xBB\x89\x8F\xF7/\xD9\xB7g\xF2\x14/\xC7x\xDC\xBElg\xF50\x06;\xE0'\xF3|\xF6\xAD\xBB\x87\xE0\xE2\x8F\x12\x8C\x8B'*\xF6c\xB5\xC9D\xF1\x1Ay!\xAA\xC8\xDA\xEF\xFA\xDEw\x08g\x9B\x1A$<`\x93!~ ^" 400 173 "-" "-"

172.56.30.114 - - [07/Aug/2016:08:55:36 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x034\xA9\x06\x18\xAE\x96 \x0F\xDD\xAA7\x05\x16\xCA\xE9\xE0A69\xE7P\xAB\xCC\xEFB\xBB)yQ\xFE\x00\x00\xA8\x00\x05\x00\x04\x00\x15\x00\x16\x003\x009\x00:\x00\x1A\x00\x18\x005\x00\x09\x00" 400 173 "-" "-"

I'm un-answering my answer. While that university was a source of such characters, it is apparently not the only source if you check the IP addresses. Here is a fresh entry from the nginx access.log

75.120.80.102 - - [17/Aug/2016:17:56:54 +0000] "\x9F\x00\x00\x00B\xF3Z\xC7\xDB\xC9b\xC7\xDD=\xE2\xB4m0+\x9E\xA8\x1E\xC5)Z\xDD\xFAD=}\x9E\xE1!\xBA\xE0\xFB\xA0\xA0Z|\xC1K\xBA\xC1\xD1\xD8\xA7\x8C\xD47YrG\xB0\xB4C\x1Fo\x80\xD8\x15\x088\x1B4\xBE\x02z7\x85s\x9753\xA2M\xAC\x22\x5C\x04{4F\x87[\xFD\x17\xFCE\x82}~\x99z\x9D\x87T\xA1\xBB\x89\x8F\xF7/\xD9\xB7g\xF2\x14/\xC7x\xDC\xBElg\xF50\x06;\xE0'\xF3|\xF6\xAD\xBB\x87\xE0\xE2\x8F\x12\x8C\x8B'*\xF6c\xB5\xC9D\xF1\x1Ay!\xAA\xC8\xDA\xEF\xFA\xDEw\x08g\x9B\x1A$<`\x93!~ ^" 400 173 "-" "-"

This is interesting. Note the request to ipip.net prior to the nonsense characters. It got a 444 (reply is the first parameter) because it triggers some code I put in nginx, though I'm not really sure why it appears at all since I am not going to relay the request.

444 139.162.13.205 - - [26/Aug/2016:12:04:52 +0000] "GET http://clientapi.ipip.net/echo.php?info=20160826200452 HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64)" "-"

400 139.162.13.205 - - [26/Aug/2016:12:04:53 +0000] "\x00\x9C\x00\x01\x1A+<M\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00" 173 "-" "-" "-"

400 139.162.13.205 - - [26/Aug/2016:12:04:53 +0000] "\x05\x02\x00\x02" 173 "-" "-" "-"

400 139.162.13.205 - - [26/Aug/2016:12:05:04 +0000] "\x04\x01\x1F\x00\x00\x00\x00\x00\x00" 173 "-" "-" "-"
David W
gariac
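The following script is an added example, not code from the question or from any of the answers. It reverses the escaping nginx applies when it writes `$request` to access.log (control bytes, 0x7F, anything 0x80 and above, plus `"` and `\` become `\xHH`; every other byte is written as its literal ASCII character, which is why the blobs look like a mix of hex and text, and why the escapes are nginx's doing rather than something the client sent) and fingerprints the recovered bytes against three things a practitioner expects to see hitting a bare port 80: a TLS ClientHello, a SOCKS5 client greeting and a SOCKS4 CONNECT request. The sample input is the log lines from the question; the status-first entries use the asker's custom log format, so their request fields are fed in directly instead of being parsed as combined-format lines. The `unclassified` label, the version and method name tables, and the payload-hash grouping are this example's own additions.

```python
"""Decode nginx's \\xHH log escaping and fingerprint the bytes behind the 400s.
Added example; not code from the question or any of the answers."""
import hashlib
import re
import struct

# nginx writes control bytes, 0x7F, every byte >= 0x80, and also '"' and '\'
# into access.log as \xHH; every other byte is logged as its literal ASCII
# character, so decoding is "replace each \xHH by that byte, keep the rest".
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# Default 'combined' format: the request is the first quoted field, and it can
# never contain a raw '"' because nginx escapes that as \x22.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
_TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
_SOCKS5_METHODS = {0x00: "no-auth", 0x01: "GSSAPI", 0x02: "username/password"}

# Log lines copied from the question (its default-format entries).
SAMPLE_LINES = r"""
68.197.228.104 - - [07/Aug/2016:06:41:41 +0000] "\x9F\x00\x00\x00B\xF3Z\xC7\xDB\xC9b\xC7\xDD=\xE2\xB4m0+\x9E\xA8\x1E\xC5)Z\xDD\xFAD=}\x9E\xE1!\xBA\xE0\xFB\xA0\xA0Z|\xC1K\xBA\xC1\xD1\xD8\xA7\x8C\xD47YrG\xB0\xB4C\x1Fo\x80\xD8\x15\x088\x1B4\xBE\x02z7\x85s\x9753\xA2M\xAC\x22\x5C\x04{4F\x87[\xFD\x17\xFCE\x82}~\x99z\x9D\x87T\xA1\xBB\x89\x8F\xF7/\xD9\xB7g\xF2\x14/\xC7x\xDC\xBElg\xF50\x06;\xE0'\xF3|\xF6\xAD\xBB\x87\xE0\xE2\x8F\x12\x8C\x8B'*\xF6c\xB5\xC9D\xF1\x1Ay!\xAA\xC8\xDA\xEF\xFA\xDEw\x08g\x9B\x1A$<`\x93!~ ^" 400 173 "-" "-"
172.56.30.114 - - [07/Aug/2016:08:55:36 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x034\xA9\x06\x18\xAE\x96 \x0F\xDD\xAA7\x05\x16\xCA\xE9\xE0A69\xE7P\xAB\xCC\xEFB\xBB)yQ\xFE\x00\x00\xA8\x00\x05\x00\x04\x00\x15\x00\x16\x003\x009\x00:\x00\x1A\x00\x18\x005\x00\x09\x00" 400 173 "-" "-"
75.120.80.102 - - [17/Aug/2016:17:56:54 +0000] "\x9F\x00\x00\x00B\xF3Z\xC7\xDB\xC9b\xC7\xDD=\xE2\xB4m0+\x9E\xA8\x1E\xC5)Z\xDD\xFAD=}\x9E\xE1!\xBA\xE0\xFB\xA0\xA0Z|\xC1K\xBA\xC1\xD1\xD8\xA7\x8C\xD47YrG\xB0\xB4C\x1Fo\x80\xD8\x15\x088\x1B4\xBE\x02z7\x85s\x9753\xA2M\xAC\x22\x5C\x04{4F\x87[\xFD\x17\xFCE\x82}~\x99z\x9D\x87T\xA1\xBB\x89\x8F\xF7/\xD9\xB7g\xF2\x14/\xC7x\xDC\xBElg\xF50\x06;\xE0'\xF3|\xF6\xAD\xBB\x87\xE0\xE2\x8F\x12\x8C\x8B'*\xF6c\xB5\xC9D\xF1\x1Ay!\xAA\xC8\xDA\xEF\xFA\xDEw\x08g\x9B\x1A$<`\x93!~ ^" 400 173 "-" "-"
137.226.113.4 - - [14/Aug/2016:01:20:55 +0000] "\x16\x03\x01\x00|\x01\x00\x00x\x03\x03\xF1\xC7\x83\xCE\x11M\xB4n\xB8\xB4j$0\xE4sq\xB2?t=\xC2\xAB\xAE\x03\xCFP[4\xBC\xF0\xE6\x5C\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 173 "-" "-"
""".strip().splitlines()
# Request fields copied from the question's status-first custom-format entries.
SAMPLE_REQUESTS = [
    r"\x00\x9C\x00\x01\x1A+<M\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00",
    r"\x05\x02\x00\x02",
    r"\x04\x01\x1F\x00\x00\x00\x00\x00\x00",
]


def unescape_request(escaped: str) -> bytes:
    """Turn the logged $request text back into the bytes nginx actually received."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(escaped):
        out += escaped[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += escaped[pos:].encode("latin-1")
    return bytes(out)


def classify(b: bytes) -> dict:
    """Fingerprint the first bytes of a connection that nginx rejected with 400."""
    info = {"kind": "unclassified", "length": len(b), "sha256": hashlib.sha256(b).hexdigest()}
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte
    # length; then handshake type 0x01 (ClientHello), 3-byte length, client_version.
    if len(b) >= 11 and b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x03 and b[5] == 0x01:
        info.update(kind="TLS ClientHello sent to a plaintext port",
                    record_version=_TLS_VERSIONS.get((b[1], b[2]), "unknown"),
                    record_length=struct.unpack(">H", b[3:5])[0],
                    handshake_length=int.from_bytes(b[6:9], "big"),
                    client_version=_TLS_VERSIONS.get((b[9], b[10]), "unknown"))
    # SOCKS5 client greeting (RFC 1928): version 5, method count, that many method bytes.
    elif len(b) >= 2 and b[0] == 0x05 and len(b) == 2 + b[1]:
        info.update(kind="SOCKS5 greeting",
                    methods=[_SOCKS5_METHODS.get(m, hex(m)) for m in b[2:]])
    # SOCKS4 request: version 4, command 1 CONNECT / 2 BIND, port, IPv4, NUL-terminated userid.
    elif len(b) >= 9 and b[0] == 0x04 and b[1] in (1, 2):
        info.update(kind="SOCKS4 " + ("CONNECT" if b[1] == 1 else "BIND"),
                    port=struct.unpack(">H", b[2:4])[0],
                    ip=".".join(str(x) for x in b[4:8]),
                    userid=b[8:].split(b"\x00", 1)[0].decode("latin-1"))
    return info


def analyse_lines(lines):
    """Decode and fingerprint every 400 in combined-format lines -> [(ip, info)]."""
    results = []
    for line in lines:
        m = _COMBINED.match(line)
        if m and m.group("status") == "400":
            results.append((m.group("ip"), classify(unescape_request(m.group("req")))))
    return results


def repeated_payloads(results):
    """Source IPs grouped by identical payload: the same 'random' bytes from
    different addresses mean a fixed probe string, not encrypted or random data."""
    by_hash = {}
    for ip, info in results:
        by_hash.setdefault(info["sha256"], set()).add(ip)
    return {h: ips for h, ips in by_hash.items() if len(ips) > 1}


if __name__ == "__main__":
    found = analyse_lines(SAMPLE_LINES)
    for ip, info in found:
        print(ip, {k: v for k, v in info.items() if k != "sha256"})
    for req in SAMPLE_REQUESTS:
        print({k: v for k, v in classify(unescape_request(req)).items() if k != "sha256"})
    print("identical payload from:", list(repeated_payloads(found).values()))
```

Run as-is, it reports the 172.56.30.114 and 137.226.113.4 entries as ClientHellos (record version TLS 1.0, client_version TLS 1.2), the `\x05\x02\x00\x02` entry as a SOCKS5 greeting offering no-auth and username/password, and the `\x04\x01...` entry as a SOCKS4 CONNECT; taken together with the open-proxy style `GET http://clientapi.ipip.net/...` from the same 139.162.13.205 a second earlier, that sequence is what a proxy scanner trying HTTP, SOCKS5 and SOCKS4 in turn looks like. Two caveats worth knowing when reading these blobs: nginx logs `$request` for a rejected request only up to the first CR or LF byte, so the ClientHellos (which announce 512 and 124 bytes of handshake) are truncated, in both lines at a point consistent with the next cipher-suite byte being 0x0A; and the 68.197.228.104 and 75.120.80.102 blobs hash identically, so that payload is a fixed probe string reused by a scanner rather than random or encrypted data.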

3 Answers


That is a mixture of standard ASCII characters and hex-encoded characters. For example, at the start of the first request, \x00B is a null byte and ASCII B. The purpose of this is to encode the request in such a way that the attack would not be detected by the protection software on the server.

Tero Kilkanen
  • That is sort of what I figured. But what do the bytes represent? That is, 0x9f is not a character in ASCII. I'd like to convert the sequence to something readable. – gariac Aug 09 '16 at 07:47
  • This could also be a split request, where the previous request was too long and this is a continuation of the first request. Most likely this is some binary data that cannot be converted to anything readable. – Tero Kilkanen Aug 09 '16 at 08:47
  • It can be also some exploit attempt. – Tero Kilkanen Aug 09 '16 at 08:55
  • How would such a string be sent? I don't see any "verb" from a browser. Not even curl. I tried a netcat to my port 80 using echo to send the string. It didn't even make it to the access log. – gariac Aug 10 '16 at 01:08
  • Did you check the previous request in access.log? As I said in an earlier comment, it could be a split request where a request is long enough that nginx splits it into two entries in access.log. – Tero Kilkanen Aug 10 '16 at 08:11
  • For that incident and the one I found today, the request doesn't appear to be split. I don't roll over my access log. I just look at it for odd stuff then wipe it out, so I am sure the request isn't split. Here is the latest: 137.226.113.4 - - [14/Aug/2016:01:20:55 +0000] "\x16\x03\x01\x00|\x01\x00\x00x\x03\x03\xF1\xC7\x83\xCE\x11M\xB4n\xB8\xB4j$0\xE4sq\xB2?t=\xC2\xAB\xAE\x03\xCFP[4\xBC\xF0\xE6\x5C\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 173 "-" "-" https://www.abuseipdb.com/check/137.226.113.4 – gariac Aug 14 '16 at 08:01
  • Clearly I can't read. Some of this odd junk is not coming from that university CIDR. Here is a fresh one today: – gariac Aug 18 '16 at 00:46

RWTH Aachen University Internet-Wide Scanning Research

OK, problem solved.

"Can I request that my server be excluded? To have your host or network excluded from future scans conducted by RWTH Aachen University, please contact researchscan@comsys.rwth-aachen.de with your IP address or CIDR block. Alternatively, you can configure your firewall to drop traffic from the subnet we use for scanning: 137.226.113.0/24."

Full text at the link. It is a so-called research project.

Greg Dubicki
gariac

You can add a rule to fail2ban to reduce these complex attack strings.

Please take a look at my answer here:

https://stackoverflow.com/questions/46254721/regex-for-detecting-complex-attack-strings-on-web-sites

Lingster
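To make the fail2ban suggestion concrete, here is an added example of my own, not the regex from the linked Stack Overflow answer (which this page does not reproduce): a filter that counts a client's 400 responses whose request field starts with an `\xHH` escape, the jail stanza that bans after three of them, and a check of that `failregex` against sample lines using Python's `re` module, which is what fail2ban compiles `failregex` with. The filter and jail names, the thresholds, and the IPv4-only stand-in for fail2ban's `<HOST>` group are this example's assumptions, and the sample log is constructed from request fields in the question plus one benign line.

```python
"""Added example: a fail2ban filter for repeated nginx 400s whose request field
starts with a \\xHH escape, checked against sample lines with Python's re."""
import re

# Filter file, e.g. /etc/fail2ban/filter.d/nginx-binary-probe.conf (name chosen
# for this example).  Written for the default 'combined' format, where the
# request is the first quoted field.  fail2ban strips the timestamp it detected
# from each line before trying failregex, so '.*' rather than an explicit
# '[date]' field sits between the client fields and the request.
FILTER_CONF = r"""
[Definition]
failregex = ^<HOST> - \S+ .*"\\x[0-9A-Fa-f]{2}[^"]*" 400 \d+ "
ignoreregex =
"""

# Jail stanza for /etc/fail2ban/jail.local; the thresholds are illustrative.
JAIL_CONF = """
[nginx-binary-probe]
enabled  = true
port     = http,https
filter   = nginx-binary-probe
logpath  = /var/log/nginx/access.log
maxretry = 3
findtime = 600
bantime  = 3600
"""

# fail2ban replaces <HOST> with a named group 'host' that also accepts IPv6 and
# host names; an IPv4-only stand-in is used here (assumption of this example).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample log: the three short request fields from the question's
# 139.162.13.205 entries rewritten into combined format, the first bytes of the
# question's 172.56.30.114 ClientHello, and one benign request that must not match.
SAMPLE_LINES = r"""
139.162.13.205 - - [26/Aug/2016:12:04:53 +0000] "\x00\x9C\x00\x01\x1A+<M\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00" 400 173 "-" "-"
139.162.13.205 - - [26/Aug/2016:12:04:53 +0000] "\x05\x02\x00\x02" 400 173 "-" "-"
139.162.13.205 - - [26/Aug/2016:12:05:04 +0000] "\x04\x01\x1F\x00\x00\x00\x00\x00\x00" 400 173 "-" "-"
172.56.30.114 - - [07/Aug/2016:08:55:36 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 173 "-" "-"
203.0.113.7 - - [26/Aug/2016:12:06:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.47.0"
""".strip().splitlines()


def load_failregex(conf: str):
    """Pull failregex out of the filter text and substitute <HOST> as fail2ban does."""
    for line in conf.splitlines():
        if line.startswith("failregex"):
            pattern = line.split("=", 1)[1].strip()
            return re.compile(pattern.replace("<HOST>", HOST_GROUP))
    raise ValueError("filter has no failregex")


def count_hits(lines, failregex=None):
    """Number of matching lines per source host, the way fail2ban tallies failures."""
    failregex = failregex or load_failregex(FILTER_CONF)
    hits = {}
    for line in lines:
        m = failregex.search(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits


def hosts_to_ban(lines, maxretry=3):
    """Hosts that reached maxretry matches (findtime is ignored: the sample spans seconds)."""
    return sorted(h for h, n in count_hits(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_hits(SAMPLE_LINES))
    print("ban:", hosts_to_ban(SAMPLE_LINES))
```

With the sample above, 139.162.13.205 accumulates three hits and is banned, the single ClientHello from 172.56.30.114 stays under `maxretry`, and the curl request never matches because its request field does not begin with `\x`. A short `bantime` is also the answer to the dynamic-address worry in the question: a banned ISP address is released after an hour whether or not it has been reassigned to someone else.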