
I recently got the following in my server logs:

70.190.xxx.xx - - [26/Sep/2010:19:03:17 -0500] "\xdcm5\xa1\x1a\xec\xa2\x7f\xc2\xab\x83<\xb5\xa3h\xb1^B\x88\x19K\xa5C\xcf\x15\x1a\xc1\x84\xe4\x8a]c\xdd\xe0\xc2e\x9f\x7f;M\xa0P\xfb\x8bo\xf6\xcb\x12\xdaq\x81\xb7\xf6\xe3N\xb5\x04`\"\\xcc" 200 4581 "-" "-"

and

70.190.xxx.xx - - [26/Sep/2010:19:10:54 -0500] "&\x9a\x18\x02\xef@2s;\xff\xea\x84" 200 4582 "-" "-"

Normally I wouldn't be concerned because I do get a lot of junk randomly hitting my server, but I've never seen anything like this one and the server is returning 200.

    Out of curiosity, what does your server return when this URL is requested? You may need to use telnet and submit the HTTP 1.1 GET yourself since I think most browsers will "correct" such a URL. – Chris Nava Sep 27 '10 at 02:30
  • Possible duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Dennis Nolte Apr 26 '17 at 11:41

1 Answer


That doesn't by itself indicate that your machine is compromised. It just means that someone is probably trying to exploit a buffer overrun in your webserver.

The fact that your server is returning 200 is interesting, but not conclusive.

John Weldon
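The practical follow-up to both the question and the answer is to pull every request like this out of the log and look at what was actually sent and what the server did with it. The script below is an added example, not code from the question or the answer: it parses Apache "combined" format lines, reverses Apache's own escaping of the request field (`\xNN` for non-printable bytes, `\"` and `\\` for quote and backslash), checks whether the bytes form an HTTP request line at all, and summarizes per client how many non-HTTP hits arrived and which status codes they got. The sample log is constructed: the first two lines mirror the ones in the question (client IP masked the same way) and the other two are ordinary requests for contrast; the 4581-byte size on the normal `GET /index.html` is an assumption made so the comparison is visible.

```python
"""Triage Apache access-log lines whose request field is not an HTTP request.

Added example (not from the original question or answer). Assumes the Apache
"combined" LogFormat and Apache's escaping of the request field: \\xNN for
non-printable bytes, \\" for a quote and \\\\ for a backslash.
"""
import re
from collections import defaultdict

# Constructed sample log. Lines 1-2 mirror the question; lines 3-4 are ordinary
# requests (the 4581-byte index page size is an assumption for comparison).
SAMPLE_LOG = r'''70.190.xxx.xx - - [26/Sep/2010:19:03:17 -0500] "\xdcm5\xa1\x1a\xec\xa2\x7f\xc2\xab\x83<\xb5\xa3h\xb1^B\x88\x19K\xa5C\xcf\x15\x1a\xc1\x84\xe4\x8a]c\xdd\xe0\xc2e\x9f\x7f;M\xa0P\xfb\x8bo\xf6\xcb\x12\xdaq\x81\xb7\xf6\xe3N\xb5\x04`\"\\xcc" 200 4581 "-" "-"
70.190.xxx.xx - - [26/Sep/2010:19:10:54 -0500] "&\x9a\x18\x02\xef@2s;\xff\xea\x84" 200 4582 "-" "-"
203.0.113.7 - - [26/Sep/2010:19:11:02 -0500] "GET /index.html HTTP/1.1" 200 4581 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Sep/2010:19:11:03 -0500] "GET /../../etc/passwd HTTP/1.0" 404 213 "-" "curl/7.21"
'''

# Apache "combined" format; quoted fields may contain \" and \\ escapes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$')

_SIMPLE_ESCAPES = {'n': b'\n', 't': b'\t', 'r': b'\r', 'v': b'\v',
                   'b': b'\b', 'f': b'\f', '"': b'"', '\\': b'\\'}


def unescape_logitem(field):
    """Reverse Apache's log escaping; returns the raw bytes the client sent."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c != '\\':
            out += c.encode('latin-1')
            i += 1
            continue
        nxt = field[i + 1] if i + 1 < len(field) else ''
        if nxt == 'x' and re.fullmatch(r'[0-9a-fA-F]{2}', field[i + 2:i + 4]):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        elif nxt in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[nxt]
            i += 2
        else:                      # stray backslash: keep it literally
            out += b'\\'
            i += 1
    return bytes(out)


# METHOD SP request-target SP HTTP/major.minor, or the HTTP/0.9 "GET target" form.
FULL_REQUEST = re.compile(rb'^[A-Za-z]+ \S+ HTTP/\d\.\d$')
SIMPLE_REQUEST = re.compile(rb'^GET \S+$')


def classify_request(raw):
    if FULL_REQUEST.match(raw):
        return 'http'
    if SIMPLE_REQUEST.match(raw):
        return 'http09'
    return 'non-http'


def nonprintable_count(raw):
    return sum(1 for b in raw if b < 0x20 or b > 0x7e)


def triage(log_text):
    """One finding per parseable line, with the decoded request bytes and verdict."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = unescape_logitem(m['request'])
        findings.append({
            'host': m['host'], 'time': m['time'], 'status': int(m['status']),
            'size': None if m['size'] == '-' else int(m['size']),
            'raw': raw, 'verdict': classify_request(raw),
            'nonprintable': nonprintable_count(raw)})
    return findings


def summarize(findings):
    """Per client: total hits, non-HTTP hits, and the statuses those got."""
    per_host = defaultdict(lambda: {'total': 0, 'non_http': 0, 'statuses': set()})
    for f in findings:
        h = per_host[f['host']]
        h['total'] += 1
        if f['verdict'] == 'non-http':
            h['non_http'] += 1
            h['statuses'].add(f['status'])
    return dict(per_host)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        if f['verdict'] == 'non-http':
            print(f"{f['host']} {f['time']} status={f['status']} size={f['size']} "
                  f"{len(f['raw'])} bytes, {f['nonprintable']} non-printable: "
                  f"{f['raw'].hex(' ')}")
    for host, s in summarize(found).items():
        if s['non_http']:
            print(f"{host}: {s['non_http']}/{s['total']} non-HTTP requests, "
                  f"statuses {sorted(s['statuses'])}")
```

Run it against the real access log (`triage(open(path).read())`) and compare the byte count of each 200 for a non-HTTP request with what a plain `GET /` returns; if they match, the server most likely fell through to its default document rather than doing anything the attacker asked for. A decoded request that starts with a method token and a version string but carries non-printable bytes in the target is a different case (a malformed but real HTTP request) and is classified as `http` here, so inspect the `nonprintable` count on those too.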