Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Strange Apache logs - maybe DDOS?

From: Christian Schwede <cschwede () delphi-gmbh de>
Date: 15 Nov 2002 09:31:30 -0000


Hi everybody,
I have a little problem with our apache server. This is
what my logs show me:

access_log:


[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100]
"\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100]
"\xe3;" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100]
"\xe37" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100]
"\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:30 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100]
"\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100]
"\xe34" 501 -

error_log:
[Wed Nov 13 12:39:50 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?I
[Wed Nov 13 12:39:50 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?E
[Wed Nov 13 12:39:51 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?I
[Wed Nov 13 12:39:52 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?E
[Wed Nov 13 12:39:52 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?J
[Wed Nov 13 12:39:52 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?=
[Wed Nov 13 12:39:52 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?7
[Wed Nov 13 12:39:54 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?4
[Wed Nov 13 12:39:55 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?I
[Wed Nov 13 12:39:55 2002] [error] [client
[CLIENT_IP_ADDR]] Invalid
method in request ?@

So, what the heck is trying to access my server? I
looked around at google for spyware or worm signatures,
but none of them fits. Has anybody else seen this? It
started on Monday, 21.Oct. 2002. We already had 630.000
(in words: more than sixhundredthousands!) requests of
this type. That are more than 200.000 requests a week.
I really don't know what this is, but i think it's
spyware. Can i prevent apache from responding to this
requests? Maybe with the
<FilesMatch> directive?

Please Help me, tia! Christian

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: