This sort of thing is constant background noise. When it gets bad I write a
script to add offenders to a block table, but generally I ignore it. They are
generally targeted against weaknesses in other systems.

Devin Ceartas
Owner, NacreData L.L.C.
PO Box 646
Chapel Hill, NC 27514
(919) 442-8899
de...@nacredata.com
AIM or Skype IM: nacredata
Facebook, Twitter: nacredata

On Aug 4, 2010, at 1:35 AM, Siju George <sgeorge...@gmail.com> wrote:

> Hi,
>
> I exposed the base apache chrooted on one of my 4.7 systems to the
> internet yesterday.
> I found these strange lines in /var/www/logs/access_log
>
>
> ============================================================================================
>
> 122.169.7.58 - - [04/Aug/2010:09:41:18 +0530] "\x8e<o?=M6o?=o?=$D[o?=Do?=o?=x89b:\x7f\x8efo?=\x93.\x80\x1d\x1c\vo?=-Xo?=\x99\b(6rko?=No?=\x16&o?=o?=[e:F\x0f\x0ca'ho?=\x82\x82vo?=Ro?= 400 299
> 122.175.77.144 - - [04/Aug/2010:09:41:27 +0530] "yo?=o?={6K\x1co?=P3o?=[K/=o?=eo?=x83o?=o?=o?=S\x06o?=" 501 -
> 122.173.243.140 - - [04/Aug/2010:09:44:44 +0530] "\x9dU*\x81o?=\x134\x98o?=Io?=o?=\ro?=h\x85~jao?=x8f\x8b\x8e\x89o?=\x8eo?=o?=u\vo?=o?=3YSr%\x85(o?=yjo?=x8b" 400 299
> 59.145.141.102 - - [04/Aug/2010:09:54:27 +0530] "\x83\x98o?=\x0fo?=o?=\x06o?=\x14\x91i,co?=Qo?=\x85o?=Vo?=o?=" 501 -
>
>
> =============================================================================================
>
> What are they trying to access?
>
> in PF only 80 ( and not 443 ) port is exposed to the internet with the rule.
>
> pass in log (all, to pflog5) quick on sk0 inet proto tcp from any to
> (sk0) port = www flags S/SA keep state label " # Restricted WWW access
> from outside"
>
> thanks :-)
>
> --Siju
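
A sketch of the kind of script the reply mentions, added here as an example and not taken from either poster: it scans access_log lines in the format quoted above, counts per source address the requests that are not well-formed HTTP request lines and were rejected with 400 or 501, and renders `pfctl` table-add commands for repeat offenders. The table name `badhosts`, the threshold, the function names and the sample lines (documentation addresses) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format as in the excerpt: ip - - [time] "request" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" (\d{3}) \S+$')
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# Constructed sample lines (not from the original log), RFC 5737 addresses.
SAMPLE = r'''
192.0.2.10 - - [04/Aug/2010:09:41:18 +0530] "\x8e<\x93.\x80\x1d" 400 299
192.0.2.10 - - [04/Aug/2010:09:41:27 +0530] "y{6K\x1cP3" 501 -
192.0.2.10 - - [04/Aug/2010:09:44:44 +0530] "\x9dU*\x81\x134" 400 299
198.51.100.7 - - [04/Aug/2010:09:54:27 +0530] "\x83\x98\x0f" 501 -
203.0.113.5 - - [04/Aug/2010:09:55:01 +0530] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [04/Aug/2010:09:55:02 +0530] "GET /missing HTTP/1.1" 404 209
'''.splitlines()

def offenders(lines, threshold=3):
    """Return sorted IPs with >= threshold malformed requests rejected 400/501."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, request, status = m.groups()
        if status not in ("400", "501") or REQUEST.match(request):
            continue  # ordinary traffic, including normal 404s
        try:
            ip = str(ipaddress.ip_address(ip))  # never pass raw log text onward
        except ValueError:
            continue
        hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def pfctl_commands(ips, table="badhosts"):
    """Render (not run) pfctl commands; the table name is hypothetical."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(pfctl_commands(offenders(SAMPLE))))
```

The commands only have an effect if pf.conf contains a block rule that references the table.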
