Security Incidents mailing list archives
Strange Apache logs - maybe DDOS?
From: Christian Schwede <cschwede () delphi-gmbh de>
Date: 15 Nov 2002 09:31:30 -0000
Hi everybody, I have a little problem with our apache server. This is what my logs show me: access_log: [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3;" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe37" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3I" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:30 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe3I" 501 - [CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe34" 501 - error_log: [Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I [Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E [Wed Nov 13 12:39:51 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?J [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?= [Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?7 [Wed Nov 13 12:39:54 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?4 [Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I [Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?@ So, what the heck is trying to access my server? I looked around at google for spyware or worm signatures, but none of them fits. Has anybody else seen this? It started on Monday, 21.Oct. 2002. We already had 630.000 (in words: more than sixhundredthousands!) requests of this type. That are more than 200.000 requests a week. I really don't know what this is, but i think it's spyware. Can i prevent apache from responding to this requests? Maybe with the <FilesMatch> directive? Please Help me, tia! Christian ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Strange Apache logs - maybe DDOS? Christian Schwede (Nov 17)