
Possible Duplicate:
What are these weird access requests?

I'm getting a lot of requests like these in my access.log:

203.186.107.226 - - [16/Oct/2012:07:07:39 +0000] "\xfc\x8f\xd29g\xc7O\x9bM\vE\x9ek\xb5'\xd2;\xce\xcf\x81\x85\xaf\xc5}y\xb0\xa1A\xf2,\xccj-%s\xc4\xf1\xe2\xb0t\xcfo" 400 303 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:08:11 +0000] "\xfbC\x16\xcc\xbb" 501 293 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:08:43 +0000] "\xf6\xf5n\x7fa" 501 293 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:09:05 +0000] "\xbb\xc7x\xfac\x88\x80" 501 295 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:09:15 +0000] "\x82\x7f\x99\x9atx\xe6\xa8\xf5o3" 501 299 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:11:04 +0000] "\xbf\xa5/:F\x13;\x1f\x95\xd6\"\xf7\xe6W\x14\xf3r\xf9" 501 311 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:12:08 +0000] "\x85\x1bS\xf8\xbd\xf5\xed\xf1`\x1a\xbc\xda\xba\xa5\x9a\xff\xb2uE\tg" 400 303 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:13:02 +0000] "\xdfz\xba\x9cJ\xf3\x04\x18s\xb9>\xa2\x04\xf3\xa8\xad\xd7p\xca.\xb1V\xd1\xfe\xed\x8f\x1e\xab\ru\x9c\xd2[\xdf\xd3\xcf\x7f\xffl" 400 303 "-" "-"
203.186.107.226 - - [16/Oct/2012:07:13:22 +0000] "\xa1\xec\x99\xe3\xf3k\xec?Zm\x8b\xb1\x8eM\x82P" 501 304 "-" "-"
221.238.64.139 - - [16/Oct/2012:08:38:29 +0000] "\x84VeNx/\xca\xa8\xf0\xaeF\x90" 501 300 "-" "-"
221.238.64.139 - - [16/Oct/2012:08:39:24 +0000] "u\x98\xae\xc9'\x0f}V\x89m$\x17q%jj9\xb3[\xf7\xb4\xd6\x8f\xfd\x03k`" 501 315 "-" "-"
221.238.64.139 - - [16/Oct/2012:08:40:19 +0000] "\x82\xd1\xaeo\x17v\xaa-$\x02\xd8b\xd6\xab\xe0!\xc8\xc6\x84\x92VEz\x89\x05dY\xad\x9c\xde d\xcff\xf7\x9e\xe4L\xaa\xa0q\x9b\xf4\xad\xd6\x13" 400 303 "-" "-"
221.238.64.139 - - [16/Oct/2012:08:40:41 +0000] "(\xca\xdcaz\x06\xa3\xdf!\xa9@\xec\xc8\xac\xaa\x1b\x1f\"+\xdb\xc8\xb5~\x8c\x02F\xba5\x18\xd5\xa5\xa4\x06M\x0f" 501 328 "-" "-"
221.238.64.139 - - [16/Oct/2012:08:41:14 +0000] "\xa3{C\xf9\xaa\x85\xa3\xaaZ\x91o\x803\xeb\xc6P\x97\xbf\x18\xdb\xefq]c\xa0\x11\xbc\x10S}B\xca\xecP\xc3(\x0e2*\xbc" 501 328 "-" "-"
221.238.64.139 - - [16/Oct/2012:08:41:25 +0000] "!\xe2\x84\x812\x16\xe9\xbd\xca^\xfa^\xb0\x0e\xe9\xab\xb5\xa0`\xcc\xd2'\xe6N3]\xf0\x88+" 501 317 "-" "-"
221.238.64.139 - - [16/Oct/2012:08:41:35 +0000] "gA\xdf\xf8\xf8" 501 293 "-" "-"

I don't know what these are; it looks like some encoded path, but I am unfamiliar with it. It might be someone trying to exploit something, as I see different response codes.

Can anyone enlighten me?

Mark
  • Seems a good one to me. I was doing a little research and it could be the client is issuing some information that the web server doesn't understand. Basically the web server doesn't support the HTTP method it finds in the HTTP data stream sent. That's basically for the 501 you are seeing. Are you noticing this signature from the same network or same IP? – au_stan Oct 16 '12 at 13:10
  • @austin It's only one IP it's getting to, although the requests come from different IPs at different intervals. – Mark Oct 16 '12 at 13:37
  • I almost want to say it looks like some hex data stream but not positive on that one. Anyway, if the IPs come from a specific network, you could possibly figure out who owns that network and contact them. I don't like the idea of blocking them but that's another option. – au_stan Oct 16 '12 at 14:31
  • Please have a look at this ticket: http://stackoverflow.com/questions/5202901/who-can-decode-this-code – Jeroen Oct 17 '12 at 10:27

1 Answer

These do not look like unknown character encodings. Since the originating IPs are from China, one might think this is due to encoding issues (e.g. having a Chinese character in the URL); however, the request seems to be in binary form.

Since it is very difficult to decode the message contained in a binary stream, I would consider this a breach attempt (automatic/scripted or, even worse, targeted) and treat the originating network/IPs as hostile.

In this particular case I would drop requests from the originating IPs.

TheWabbet
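One way to triage lines like the ones in the question, as an added example (not code from the question or the answer): a Python parser for the combined log format that flags request lines which are not syntactically valid HTTP and summarises them per source IP together with the status codes they drew. The sample log lines and addresses below are constructed; the `\xHH` escapes are how Apache writes non-printable request bytes into access.log.

```python
import re
from collections import Counter

# Constructed sample lines in the same combined log format as the question.
# Addresses are from documentation ranges; the payloads are made-up bytes,
# not the ones in the original post.
SAMPLE_LOG = r'''
192.0.2.10 - - [16/Oct/2012:07:07:39 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.26.0"
192.0.2.77 - - [16/Oct/2012:07:08:11 +0000] "\xfbC\x16\xcc\xbb" 501 293 "-" "-"
192.0.2.77 - - [16/Oct/2012:07:09:05 +0000] "\xbb\xc7x\xfac\x88\x80" 501 295 "-" "-"
192.0.2.77 - - [16/Oct/2012:07:12:08 +0000] "\x85\x1bS\xf8\xbd\vE\tg" 400 303 "-" "-"
198.51.100.5 - - [16/Oct/2012:08:41:35 +0000] "gA\xdf\xf8\xf8" 501 293 "-" "-"
198.51.100.5 - - [16/Oct/2012:08:42:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

# One combined-log line: client, identd, user, [time], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# A well-formed request line: METHOD SP target [SP HTTP/x.y]; HTTP/0.9 omits the version.
REQ_RE = re.compile(r'^[A-Z]{3,10} \S+(?: HTTP/\d\.\d)?$')
# Apache writes non-printable bytes into the log as \xHH (or \t, \v, \r, ...).
ESCAPE_RE = re.compile(r'\\(?:x[0-9a-fA-F]{2}|[tnrvfab])')

def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_garbage_request(req):
    """True when the logged request line is not a syntactically valid HTTP request line."""
    return REQ_RE.match(req) is None

def escaped_byte_count(req):
    """Number of bytes Apache had to escape when logging this request line."""
    return len(ESCAPE_RE.findall(req))

def summarize(log_text):
    """Per source IP: how many non-HTTP request lines were seen and which status codes they drew."""
    summary = {}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None or not is_garbage_request(rec["req"]):
            continue
        entry = summary.setdefault(rec["ip"], {"count": 0, "escaped": 0, "statuses": Counter()})
        entry["count"] += 1
        entry["escaped"] += escaped_byte_count(rec["req"])
        entry["statuses"][rec["status"]] += 1
    return summary

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["count"], "garbage request(s),", dict(entry["statuses"]))
```

Running it over a real access.log gives a per-IP list of sources that only ever send non-HTTP bytes (400/501 responses and nothing else), which is the evidence to act on before blocking a network.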