  1. #1
    kneekoo

    Strange entries in Apache access log

    The last few days I noticed strange stuff in my access log:

    Code:
    188.107.245.66 - - [18/Oct/2011:19:12:19 +0300] "S\xe5\v\xa1\xdcJ3\b\x86V\x06\xdf\xfc\xe12\x17\xcf5\xcc\xe4\xceF" 400 226
    188.87.22.67 - - [18/Oct/2011:19:45:57 +0300] "\x86E\x80\x1aAv_t\xef\xc1\x15\xe6\xf6G\x136\xf6\xb2\x10d\xd0\xd4\x8d\xb8\xbe!\xd0\xe1f" 302 -
    81.157.125.118 - - [18/Oct/2011:20:22:03 +0300] "\xd9V\xdd\xfa[l_\"l\x8b=\xa9\x02\x87\x81\xccV\x843\x0e\x18\xbb\xd9X\xb7\xcf\xc5\xaf\xf6P\xff\x81\x92\x0e\x9bld\x7f\x83<YA\xd2\x0c\x8e\xfd\xcb\xab\x85\xc6" 400 226
    82.113.121.32 - - [19/Oct/2011:19:56:34 +0300] "\xfd\xe8\x1clL\x04\x12\xeau\xf6v>\xc4\xd8\x8b\xea\xf1\xd2<\x11\xe9\xfa\xa1\x89\xd7\xc3`\xb0\xc5(\x07\xde\x12\x88\xb8\x9b\xfc\xf7kq," 302 -
    77.181.227.10 - - [20/Oct/2011:19:01:44 +0300] "\x9a\xaf\x1b" 302 - "-" "-"
    194.228.94.242 - - [21/Oct/2011:12:31:49 +0300] "$\xfe\x87O\xa7\xb6\x0e\x17[}" 302 - "-" "-"
    188.187.133.114 - - [21/Oct/2011:20:19:35 +0300] "M\x85r?\xf3\x81\x13\x0e\xc8\xab" 302 - "-" "-"
    95.103.75.20 - - [22/Oct/2011:16:41:58 +0300] "\xc0\xfd\xbf\xcf" 200 194 "-" "-"
    46.135.104.255 - - [22/Oct/2011:16:58:52 +0300] "w\xc1\x15\xadqk\x85\xa18\x83\xf0\xe8{\x95\x10\x92}\xa8\x9e\xddt\xcdiA\x02\x17G\xf1R\x96p" 200 194 "-" "-"
    93.96.74.252 - - [22/Oct/2011:23:25:37 +0300] "\xfbO\xed\xda\x85$\xa8\xa6\x8e\xcdi\xc6\x13't$\xc1 1\xa8\xec4(\x98\xc3\xda\xbc\x8b," 400 226 "-" "-"
    Normally I see this:

    Code:
    174.129.228.67 - - [23/Oct/2011:06:56:53 +0300] "GET /robots.txt HTTP/1.0" 200 26 "-" "ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)"
    The first thing I don't understand is why the strange requests don't include a method (get/post/head/etc). The second thing is obvious: what does it mean? And the third thing: why do I have different response codes for those requests? Sure, depending on what they do Apache replies differently, but I don't know what's behind the encoded requests.

  2. #2
    kneekoo
    Two more entries:

    Code:
    88.75.80.97 - - [23/Oct/2011:17:50:38 +0300] "\xe5\xda\x1fz\xd9\xec\xe0\x05\xb2%\x837\x16\xda=\xcci#m &\xa5M\x85\xc7\x7f\x1a\xc8\xcb\x98\x15\x99Z" 400 226 "-" "-"
    60.53.86.243 - - [24/Oct/2011:07:54:35 +0300] "\xd8\xc5\xfa\x0f\xc3dywH\xc5\x8f\xcbc\xd6\xa1\x13\xfb\xfc\x88\xf5!\x0c\xaf\x18\xdcpr\b?\x83\xe3\x9bV\xafN:\xea\b\x14VpdY\x9e\xfb 79q-p\x89t\xbe\xfey" 400 226 "-" "-"
    So far my server replied like this:
    200 - OK
    302 - Moved Temporarily
    400 - Bad Request

    I'm not worried about 302 and 400 but I have concerns about what's behind the two actions that made my web server accept the requests. The missing method (get/post/head/etc) in the access log makes me believe the requests were not made by a regular HTTP client.

    Does anyone know how to handle this situation?
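
One way to pull entries like these out of an access log, as an added example that is not part of the original thread: it flags request fields that are not a well-formed `METHOD target HTTP/x.y` line and tallies them by response status. It assumes the common/combined log format shown in the posts; the function names and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import Counter

# Common/combined log format prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Well-formed HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Apache writes non-printable bytes in the log as \xhh escapes
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')


def classify(line):
    """Return details for a malformed request entry, or None if the
    entry is well formed or the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m or REQUEST_RE.match(m.group('request')):
        return None
    return {
        'host': m.group('host'),
        'status': int(m.group('status')),
        'escaped_bytes': len(ESCAPED_BYTE_RE.findall(m.group('request'))),
    }


def summarize(lines):
    """Return (count of malformed requests per status code, list of hits)."""
    hits = [h for h in map(classify, lines) if h]
    return Counter(h['status'] for h in hits), hits


# Constructed sample entries, shaped like the ones in the thread
SAMPLE = [
    r'192.0.2.10 - - [18/Oct/2011:19:12:19 +0300] "S\xe5\v\xa1\xdcJ3\b\x86V" 400 226',
    r'192.0.2.11 - - [18/Oct/2011:20:22:03 +0300] "\xd9V\xdd\xfa[l_\"l\x8b=\xa9" 302 -',
    r'192.0.2.12 - - [22/Oct/2011:16:41:58 +0300] "\xc0\xfd\xbf\xcf" 200 194 "-" "-"',
    r'198.51.100.7 - - [23/Oct/2011:06:56:53 +0300] "GET /robots.txt HTTP/1.0" 200 26 "-" "crawler"',
]

if __name__ == '__main__':
    by_status, hits = summarize(SAMPLE)
    for hit in hits:
        print(hit)
    print(dict(by_status))
```

The per-status tally separates the entries the server rejected (400) from those it answered with 200 or 302, which are the ones to look up in the error log and virtual host configuration.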

