    Need help decoding hex string in Apache log.

    Hello,

    I'm trying to figure out what's going on here. I noticed this in my Apache access_log:
    Code:
    access_log:164.52.7.132 - - [28/May/2017:20:03:00 +0000] "\x16\x03\x01\x01\"\x01" 400 10063 "-" "-"
    access_log:164.52.7.132 - - [05/Jun/2017:06:05:47 +0000] "\x16\x03\x01\x01\"\x01" 400 10063 "-" "-"
    access_log:164.52.7.132 - - [10/Jun/2017:19:52:17 -0400] "\x16\x03\x01\x01\"\x01" 400 10065 "-" "-"
    access_log:164.52.7.132 - - [15/Jun/2017:19:57:59 -0400] "\x16\x03\x01\x01\"\x01" 400 10065 "-" "-"
    access_log:164.52.7.132 - - [15/Jun/2017:19:58:05 -0400] "USER test +iw test :Test Wuz Here" 400 10073 "-" "-"
    access_log:164.52.7.132 - - [15/Jun/2017:19:58:05 -0400] "GET / HTTP/1.1" 200 111 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
    access_log:164.52.7.132 - - [21/Jun/2017:15:27:41 -0400] "\x16\x03\x01\x01\"\x01" 400 10066 "-" "-"
    access_log:164.52.7.132 - - [21/Jun/2017:15:27:48 -0400] "USER test +iw test :Test Wuz Here" 400 10074 "-" "-"
    access_log:164.52.7.132 - - [21/Jun/2017:15:27:48 -0400] "GET / HTTP/1.1" 200 111 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
    Any ideas what that hex string is? The x16 x03 x01 x01" x01? My server returned a 400, which I think is good, but it also seems to have returned 10,073 bytes. I wonder if that's the size of the 400 page? Any ideas what the person was attempting to do? Thanks!

    I thought Apache servers would send an \x16\x03\x01 if they were trying to send unencrypted text over a secure port (ie, a misconfigured server sending plain text over port 443). But this seems to be something the user was attempting to send to my server.

    Thanks!
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
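Added editorial example, not part of any post in this thread: a small Python parser for access_log lines in the shape shown above. It undoes Apache's `\xHH` and `\"` escaping of the request field and labels what the raw bytes look like. The six bytes in the log, `16 03 01 01 22 01`, are the start of a TLS record: content type 0x16 (Handshake), record-layer version 3.1, record length 0x0122 = 290, then handshake type 0x01 (ClientHello); the rest of the hello was not recorded in the log. The sample lines, the classification rules and all function names below are this example's own constructions, not anything from Apache or from the posters.

```python
import re

# Constructed sample lines, same layout as the thread's access_log excerpt
# (the grep "access_log:" prefix has been dropped).
SAMPLE_LOG = r'''164.52.7.132 - - [28/May/2017:20:03:00 +0000] "\x16\x03\x01\x01\"\x01" 400 10063 "-" "-"
164.52.7.132 - - [15/Jun/2017:19:58:05 -0400] "USER test +iw test :Test Wuz Here" 400 10073 "-" "-"
164.52.7.132 - - [15/Jun/2017:19:58:05 -0400] "GET / HTTP/1.1" 200 111 "-" "Mozilla/5.0"
'''

# Combined/common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Apache escapes non-printable request bytes as \xHH and quotes/backslashes
# with a backslash (see ap_escape_logitem); this regex matches both forms.
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(.)')
SIMPLE_ESCAPES = {'n': b'\n', 'r': b'\r', 't': b'\t', 'b': b'\b', 'f': b'\f', 'v': b'\v'}

TLS_CONTENT_TYPES = {0x14: 'ChangeCipherSpec', 0x15: 'Alert',
                     0x16: 'Handshake', 0x17: 'ApplicationData'}
TLS_HANDSHAKE_TYPES = {0x01: 'ClientHello', 0x02: 'ServerHello'}


def unescape_request(field: str) -> bytes:
    """Turn the escaped request field back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:                 # \xHH -> one byte
            out.append(int(m.group(1), 16))
        else:                                      # \" \\ \n ... -> literal byte
            ch = m.group(2)
            out += SIMPLE_ESCAPES.get(ch, ch.encode('latin-1'))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def classify_request(raw: bytes) -> str:
    """Describe what the raw request bytes look like (TLS record, HTTP, IRC, other)."""
    # TLS record header: type(1) version(2: 0x03 0x0N) length(2), then for a
    # Handshake record the first body byte is the handshake message type.
    if len(raw) >= 5 and raw[0] in TLS_CONTENT_TYPES and raw[1] == 0x03 and raw[2] <= 0x04:
        length = int.from_bytes(raw[3:5], 'big')
        desc = (f"TLS record: {TLS_CONTENT_TYPES[raw[0]]}, "
                f"record version 3.{raw[2]}, length {length}")
        if raw[0] == 0x16 and len(raw) >= 6:
            desc += f", handshake type {TLS_HANDSHAKE_TYPES.get(raw[5], hex(raw[5]))}"
        return desc
    text = raw.decode('ascii', errors='replace')
    if re.match(r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d$', text):
        return 'HTTP request line'
    if re.match(r'^(NICK|USER|PASS|JOIN|PRIVMSG) ', text):
        return 'IRC command'
    return 'unknown / non-HTTP'


def parse_log(text: str) -> list:
    """Parse every matching line into a dict with the raw request and its label."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = unescape_request(m.group('request'))
        records.append({
            'host': m.group('host'),
            'status': int(m.group('status')),
            'size': None if m.group('size') == '-' else int(m.group('size')),
            'raw': raw,
            'label': classify_request(raw),
        })
    return records


if __name__ == '__main__':
    for rec in parse_log(SAMPLE_LOG):
        print(rec['host'], rec['status'], rec['size'], rec['raw'].hex(), '->', rec['label'])
```

Run against the sample lines it labels the first as a TLS ClientHello, the second as an IRC command and the third as an HTTP request line. Lines like the first mean a client spoke TLS to a listener that expected plain HTTP; Apache cannot parse that as a request line and answers 400, and the size column (`%b`) is the byte count of the response body it sent back, which is why it is the same for every such hit.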

    #2
    Re: Need help decoding hex string in Apache log.

    The USER test +iw test :Test Wuz Here looks like a hacked up version of nmap's ircServerInfo.nse script. Pretty much the same string for the IRC command, but in nmap's script, the user test is replaced with nmap. Not hard for someone to modify the script and change the user, but the \x16\x03\x01\x01"\x01 is what I'm more interested in understanding.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



      #3
      Re: Need help decoding hex string in Apache log.

      could be an activation code or key to a backdoor in something.



        #4
        Re: Need help decoding hex string in Apache log.

        Originally posted by stj:
        > could be an activation code or key to a backdoor in something.
        I was thinking some sort of exploit. Maybe a bug in a certain software (ie, Apache) and with a carefully crafted code, it could do things it wasn't meant to do. It seems the first three bytes have something to do with Apache. If Apache is misconfigured, it can send plain text over port 443. I remember there being some sort of exploit that involved something like that to gain remote access. My version of Apache is patched against this. I'd like to understand it a bit more though.

        Is it assembly instructions or something? I dunno. I'd love to learn what it's supposed to do.

        The Test was here just seems to be some IRC commands. I saw some really weird stuff in the error_logs that don't make sense to me. I see the remote IP address of an attacker, who's attempting to do a remote scan of my server. After 5 failed attempts, LFD is supposed to block the IP, but he was able to get 20 attempts in before LFD blocked the offending IP. He changed IP addresses by a few numbers and did it all over again.

        The hostname in the ModSec log first shows my IPv4 address, but then, in the end there, it shows the hostname he was connecting to was 127.0.0.1. This really worries me.
        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



          #5
          Re: Need help decoding hex string in Apache log.

          Doubt it, it probably is some magic number for possibly an irc bouncer or perhaps was trying to initialize ssl and failed.



            #6
            Re: Need help decoding hex string in Apache log.

            Originally posted by eccerr0r:
            > Doubt it, it probably is some magic number for possibly an irc bouncer or perhaps was trying to initialize ssl and failed.
            Okay. I've seen the first 3 bytes having something to do with SSL (Apache will show those three bytes in the error_log file if the server is incorrectly configured and it's sending unencrypted data over an encrypted channel).

            I don't think I have much to worry about there. I do worry though with another address from Brazil. They were connecting to my hostname (we'll say example.com). I saw them using Masscan to try and connect to my cPanel / WHM subdomains, cpanel.example.com, webdisk.example.com, webmail.example.com, etc. Then, all of a sudden, they're connecting to hostname 127.0.0.1. That really worries me. It still shows their remote address though, and doesn't show the remote address as 127.0.0.1 or the IP address of my server....
            -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



              #7
              Re: Need help decoding hex string in Apache log.

              The 127.0.0.1 I think is a bug. The ModSec logs show the proper hostname, it's just the Apache error_log that mistakenly lists it as 127.0.0.1. So either ModSec reports it incorrectly to Apache or for some reason, Apache is messing up and recording the remote host as 127.0.0.1. The important part is ModSec shows it properly.
              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
