Weird access log entry with 200 status

I'd like to know what's going on here in my access log. I constantly see entries of the same variety:


74.69.176.32 - - [16/Jan/2011:20:41:08 -0500] "\xac\x87%U" 200 24159
74.69.176.32 - - [16/Jan/2011:20:41:08 -0500] "\xe5\x898H\xe1" 200 24159

The server responds with a 200 to this weird header. Does anyone know what these requests mean?
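Apache writes any byte it cannot print as `\xHH` in the request field, so the first step is to turn the logged string back into the bytes the client actually sent and then ask whether those bytes even look like an HTTP request line. The script below is an added example written for this thread, not code from the original post: it parses Common Log Format, undoes Apache's escaping, and flags request fields that are not `METHOD URI [HTTP/x.y]`. The two sample lines are the ones quoted above; the third is a constructed normal request for contrast.

```python
"""Decode Apache access-log request fields and flag non-HTTP request lines.

Added example for this thread, not code from the original post. The first
two sample log lines are the ones quoted in the question; the third is a
constructed normal request used for comparison.
"""
import re

# Common Log Format: host ident user [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Apache writes unprintable bytes as \xHH and backslash-escapes \, " and
# the usual control characters in the request field.
ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)')
SIMPLE = {'\\': b'\\', '"': b'"', 'n': b'\n', 'r': b'\r', 't': b'\t',
          'v': b'\v', 'b': b'\b', 'f': b'\f'}


def unescape_request(field: str) -> bytes:
    """Turn the logged request string back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc.startswith('x'):
            out.append(int(esc[1:], 16))
        else:
            out += SIMPLE.get(esc, b'\\' + esc.encode('latin-1'))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


# RFC 2616 token characters; a real request line is METHOD SP URI [SP HTTP/x.y]
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb'^(' + TOKEN + rb') (\S+)(?: (HTTP/\d\.\d))?$')
KNOWN_METHODS = {b'GET', b'HEAD', b'POST', b'PUT', b'DELETE',
                 b'OPTIONS', b'TRACE', b'CONNECT'}


def classify(raw: bytes) -> str:
    """Return 'http' for a well-formed request line, otherwise why it is suspicious."""
    if any(b > 0x7e or b < 0x20 for b in raw):
        return 'non-printable or non-ASCII bytes: not an HTTP request line'
    m = REQUEST_LINE.match(raw)
    if not m:
        return 'does not parse as METHOD URI [HTTP/x.y]'
    method, _uri, version = m.groups()
    if method not in KNOWN_METHODS:
        return 'unknown method %s' % method.decode()
    if version is None and method != b'GET':
        return 'HTTP/0.9 simple request with non-GET method'
    return 'http'


def scan(log_text: str):
    """Yield (host, status, raw_request_bytes, verdict) for each parsable log line."""
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        raw = unescape_request(m.group('request'))
        yield m.group('host'), int(m.group('status')), raw, classify(raw)


# Constructed sample input: the two entries quoted in the question plus one
# ordinary request line for comparison.
SAMPLE_LOG = r'''74.69.176.32 - - [16/Jan/2011:20:41:08 -0500] "\xac\x87%U" 200 24159
74.69.176.32 - - [16/Jan/2011:20:41:08 -0500] "\xe5\x898H\xe1" 200 24159
192.0.2.10 - - [16/Jan/2011:20:42:00 -0500] "GET /index.html HTTP/1.1" 200 24159
'''

if __name__ == '__main__':
    for host, status, raw, verdict in scan(SAMPLE_LOG):
        print(f'{host} {status} {raw!r} -> {verdict}')
```

Note that the second logged field decodes to the bytes `e5 89 38 48 e1`, i.e. `\xe5`, `\x89`, the two printable characters `8H`, then `\xe1`; neither entry contains a method token or a URI, so whatever sent them was not speaking HTTP.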

It’s either a hacking attempt or a very confused user agent.
Have you tried going to those URLs yourself? What did you get?

Those look sort of like HTTPS attempts hitting an HTTP port. Equally, they could, as has already been said, just be hack attempts; check that your server software is up to date and it should be fine.

Looks like hack attempts; it'll be an automated tool checking through various exploits/buffer overflows etc.

Hacking attempt.

However I wouldn’t take this too seriously every time it occurs.

You should always take hacking attempts seriously - making sure your software is up to date is important… what happens if one of those attempts was actually successful because your software was out of date? :slight_smile:

Alright, I made a small Python script using sockets and sent those two strings of data with unescaped hex characters. It returns /; I guess if there's no recognized HTTP method it just returns the root of the web site. I sent the two lines along with some gibberish "asdfg" and it just responds back with the index.

Maybe this is a method of pinging? A sad attempt at DDoS, I would think.

Chaz,

It’s not DoS nor DDoS at work but an attempt to get your server to respond. I’ve never seen that code before and don’t recognize it but, with the 200 responses, your server has sent its standard headers which is likely what the hacker intended. Unless you’ve instructed your server (server config file) to hide the server type (Apache) and version (2.2.3?), it’s going to be sending a LOT of information in response to ANY request.

Regards,

DK
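The probe Chaz describes and the header leak DK points at can be checked with one small tool: send the logged bytes over a plain socket exactly as they were received, read back whatever comes, and pull out the status line and the `Server` header. The script below is an added example for this thread, not the original poster's script. The stand-in server it starts is a stock Python `http.server` instance, assumed here only so the demo runs offline; point `probe()` at a real host and port to test your own Apache. The trailing blank line appended to each payload is also an assumption, so that a server waiting for end-of-headers answers instead of timing out.

```python
"""Send raw bytes to an HTTP port and report the status line and Server header.

Added example for this thread, not the script from the original post. The
local server below stands in for the real web server so the example runs
offline; replace ('127.0.0.1', port) with your own host to test it for real.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(host: str, port: int, payload: bytes, timeout: float = 5.0) -> dict:
    """Send payload verbatim and return the parsed status line, headers and body size."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # we are done sending; let the server see EOF
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    raw = b''.join(chunks)
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.split(b'\r\n')
    if not lines or not lines[0].startswith(b'HTTP/'):
        # HTTP/0.9-style answer: no status line and no headers, only a body
        return {'status': None, 'headers': {}, 'body_len': len(raw)}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b':')
        headers[name.decode('latin-1').strip().lower()] = value.decode('latin-1').strip()
    return {'status': lines[0].decode('latin-1'), 'headers': headers, 'body_len': len(body)}


class _DemoHandler(BaseHTTPRequestHandler):
    """Stand-in for the real web server, used only so the demo runs offline."""

    def do_GET(self):
        body = b'<html>index</html>'
        self.send_response(200)  # http.server adds its own Server: header here
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_local_server() -> int:
    """Start the stand-in server on a free loopback port and return that port."""
    srv = HTTPServer(('127.0.0.1', 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


# The two request strings from the log as raw bytes, plus a normal request.
PROBES = [b'\xac\x87%U', b'\xe5\x898H\xe1', b'GET / HTTP/1.0']

if __name__ == '__main__':
    port = start_local_server()
    for p in PROBES:
        r = probe('127.0.0.1', port, p + b'\r\n\r\n')
        print(repr(p), '->', r['status'], '| Server:', r['headers'].get('server'),
              '| body bytes:', r['body_len'])
```

Whatever a server answers to the garbage lines, the `GET / HTTP/1.0` probe shows the `Server` header it hands to every client, which is the information DK says the scanner was most likely after.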

I’ll google how to hide the server type and version but how would I go about denying spurious requests like that?

Chaz,

Update:

[quote=ExamPREP - Certified Ethical Hacker; Fast Facts]Unicode input validation attack. Unicode was developed as a replacement for ASCII. Unlike ASCII, however, Unicode uses a 16-bit dataspace, so it can support a wide variety of alphabets, including Cyrillic, Chinese, Japanese, Arabic, and others. The source of the vulnerability is not the Unicode itself but how it is processed.[/quote]

I'm not as well versed in Unicode as I should be, but it appears that it's not just the server info they were after: you were ATTACKED with an attempted exploit which depends upon whether your server is up to date.

As for your question about how to hide:

I believe that there are other directives which could make Apache go incognito but I’ll let you sort that out from the link near the top of the second quote.

Regards,

DK

Thanks DK. I managed to make Apache just display the name 'Apache' in the Server header, but to completely remove or modify the Server header I apparently have to recompile Apache with a patch. I think what I have is good enough, though. As for this exploit, how can I know what I'm vulnerable to or not? Could supplying a simple version number be sufficient?
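The directives behind what Chaz describes, shown as an added example rather than anything posted in the thread (Apache 2.2 `httpd.conf` syntax; the comment about mod_security applies only if that module is loaded and is included as an alternative, not as something the thread confirms was in use):

```apacheconf
# Weak: the Server header carries product, version, OS and loaded modules,
# and server-generated pages (errors, directory listings) get a matching footer.
ServerTokens Full
ServerSignature On

# Hardened: the header shrinks to "Server: Apache" and the footer goes away.
# Stock 2.2 cannot remove or rewrite the header beyond this without patching.
ServerTokens Prod
ServerSignature Off

# Alternative when mod_security 2 is loaded: it replaces the string outright,
# but only works with ServerTokens Full, so pick one approach, not both.
# ServerTokens Full
# SecServerSignature "Apache"
```

After restarting, `curl -sI http://yourhost/ | grep -i '^Server:'` shows what clients (and scanners) now get back.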

Chaz,

Okay, here’s all I’ve got at the moment:

xac = ¬
x87 = ‡
%U = followed by a Unicode null value which should cause a server error - typical of hacking attempts

xe5 = å
x89 = ‰
98H = 98H
xe1 = á

å‰98Há makes no sense to me

24159 = The last entry for each of your log records indicates the size of the object returned to the client, not including the response headers.

IMHO, what you need to do is lookup these codes using Google (the first set of “\xac\x87%U” took me to a python hacking code) to discover more. Also, there are a lot of “whitehat” (the good guys) who have websites which may have more information.

Regards,

DK

Thanks DK. I think that’ll be all for now :slight_smile:

For those who want to know more about the Unicode Vulnerability (on IIS), I’ve found an article on this which does a good job explaining it at http://www.hackingspirits.com/eth-hac/papers/iis_uni.html

Since most Apache hosts are on 'nix OSes, we won’t normally worry about this in this Apache forum.

Regards,

DK

Wow how did you manage to get a really good article on this?!?

Chaz,

Simple: I Googled "Unicode Vulnerability" and this one was one of the ones at the top of the list. Unfortunately, hackers are busy little buggers and have more tricks up their sleeves than you can believe. Go look at http://ec-council.org and look at the CEH (Certified Ethical Hacker) information there. If you're REALLY interested, the ExamPREP book for CEH has a wealth of information (no how-tos) and there is a plethora of hacking books out there … enough to scare the pants off you!

Regards,

DK