Trevor Cordes trevor at tecnopolis.ca
Mon Feb 17 21:02:19 CST 2020

On 2020-02-17 athompso at athompso.net wrote:
> First thought: what other hits come from that IP address previously?
> Could it be Redirect or rewrite? -Adam

The pattern is 2-3 fuzz hits that get 4xx codes like:

- - [17/Feb/2020:14:59:28 -0600] "\x16\x03\x01" 400 226 "-" "-"
80 9-w1.foo.com -

Then the hit that breaks into /var/www/html

On 2020-02-17 Theodore Baschak wrote:
> Also, you've got the IP and you say they're persistent,
> tcpdump/tshark some packets to a file and see the contents of the
> request in more detail?

I get 4-5 hits total from a single IP, then no more from that IP.  Then
a while later it'll be the same pattern from another IP.  I have dozens
of these groups of hits logged, always the similar sequence.  Sometimes
they just do the \x code hits and not the breakout hit.

Probably a bot net causing this.

So I can't easily dump these packets, at least not based on IP.  This is
a very busy production server so I'm not sure I want to turn on global
port 80 packet capture... although, most traffic is port 443, so maybe
it is an option.

I'm also looking into logging more of the request.  There doesn't seem
to be a way to log all headers, but I can log specific ones.
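The probe-then-request sequence the post describes can be pulled out of the access log itself, without a per-IP packet capture. The script below is an added example, not code from anyone in this thread: it parses Apache combined-style lines, groups them per client IP, and flags IPs that sent two or more requests beginning with `\x16\x03\x01` (how Apache escapes the first bytes of a TLS handshake record, content type 0x16 and record version 0x0301, when a client speaks TLS to the plaintext port) that were answered with a 4xx, then lists whatever non-probe requests the same IP sent in the following minutes. The sample lines, addresses and the plain `GET /` follow-up are constructed for the example; the regex is not anchored at the end of the line, so extra fields like the port and virtual host in the poster's format pass through.

```python
"""Flag the TLS-probe-then-request pattern in Apache access log lines.
Added example for the thread; not code from the mailing-list post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-style line: IP, identd, user, [time], "request", status, bytes, ...
# The request field may contain backslash escapes, including \" and the \xNN
# escapes Apache uses for non-printable bytes, so it is matched escape-aware.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)

# How Apache renders the first three bytes of a TLS record sent to a plaintext
# port: content type 0x16 (handshake) and record-layer version 0x0301.
TLS_PROBE = r"\x16\x03\x01"


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def find_probe_bursts(lines, min_probes=2, window=timedelta(minutes=10)):
    """Group entries per client IP and flag IPs that sent at least `min_probes`
    TLS-handshake requests answered with a 4xx inside `window`.  For each flagged
    IP, also collect the non-probe requests that arrived within `window` after
    the last probe, since that later hit is the one worth examining."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            by_ip[entry["ip"]].append(entry)

    flagged = {}
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["time"])
        probes = [e for e in entries
                  if e["request"].startswith(TLS_PROBE) and 400 <= e["status"] < 500]
        if len(probes) < min_probes:
            continue
        first, last = probes[0]["time"], probes[-1]["time"]
        if last - first > window:
            continue
        followups = [e["request"] for e in entries
                     if last < e["time"] <= last + window
                     and not e["request"].startswith(TLS_PROBE)]
        flagged[ip] = {"probes": len(probes), "followups": followups}
    return flagged


# Constructed sample lines (RFC 5737 documentation addresses, made-up timestamps,
# and a plain GET standing in for the follow-up request); not the poster's logs.
SAMPLE_LOG = r"""
203.0.113.7 - - [17/Feb/2020:14:59:28 -0600] "\x16\x03\x01" 400 226 "-" "-"
203.0.113.7 - - [17/Feb/2020:14:59:29 -0600] "\x16\x03\x01\x01\x1f" 400 226 "-" "-"
203.0.113.7 - - [17/Feb/2020:14:59:31 -0600] "GET / HTTP/1.1" 200 1024 "-" "curl/7.64.0"
198.51.100.4 - - [17/Feb/2020:15:10:02 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Feb/2020:16:00:00 -0600] "\x16\x03\x01" 400 226 "-" "-"
""".strip().splitlines()


if __name__ == "__main__":
    for ip, info in find_probe_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

On a real server, pass the open log file (`find_probe_bursts(open("/var/log/httpd/access_log"))`) and tune `min_probes` and `window` to the burst spacing actually seen. Two related points from the thread: Apache's `LogFormat` can include any named request header with `%{Header-Name}i`, which is the mechanism for logging the specific headers mentioned above, and where a capture is wanted without knowing the source IP in advance, a BPF filter on the first TCP payload byte, such as `tcp dst port 80 and tcp[((tcp[12]&0xf0)>>2)] = 0x16`, restricts tcpdump to handshake records arriving on the plaintext port rather than all port 80 traffic.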

