
Weird Unicode? in web log


PremiumSaltine

7:37 pm on Jul 16, 2012 (gmt 0)


In my Apache logs, I'm getting a bunch of Unicode URLs showing up and I don't know why. I can't find any information on it and I'm wondering if I've been hacked or something.

178.120.48.59 - - [07/13/2012 12:13:53 AM] "!\x91Kw(\x9d\xe0\x05\xf3\x16\xd0s" 200 6517 "-" "-"
112.204.39.45 - - [07/13/2012 01:23:00 AM] "\xb8K/\xbdH\xbc\x18\x9aUo\xbc\x19\x07R" 200 6517 "-" "-"
64.13.161.89 - - [07/13/2012 03:59:21 AM] "\xb4\xb3^\x80I\x8d" 200 6517 "-" "-"
50.76.54.228 - - [07/13/2012 07:00:10 AM] "5\xe8)\x90\xd8\xf1J\xb2\x93\x16o\xd0\xc4e+3\x9d.\xce\xfd\xbc\xb8}\xf0\xc2\xd4\xc7\xe1$8\xde\xe0\xf6+\xc0I\xf6\xa7!\xa9\x91\xca\xc8\xb2" 200 6517 "-" "-"

Can somebody tell me what is happening please? I'm really worried about this.

I set up mod_security, but it doesn't seem to do anything to stop this.

g1smd

7:52 pm on Jul 16, 2012 (gmt 0)


The fact your server returns 200 OK for those requests is a major concern.

One line of mod_rewrite code could block the whole lot in one go.

wilderness

9:17 pm on Jul 16, 2012 (gmt 0)


Allowing the blank UA is even more troubling.

lucy24

12:17 am on Jul 17, 2012 (gmt 0)


Are those the real IPs? Belarus, Philippines, Silicon Valley Colocation-- there's a winner for you-- and-- an even bigger winner-- a "private customer" in the SF Area, courtesy Comcast Business.

The fact your server returns 200 OK for those requests is a major concern.

Notice that the filesize is the same for all. They may be getting rewritten to a "Get lost!" page. (Yes, they'd be getting a 403 from me too.)

Last time I saw requests in this format, they all resolved to zero-width spaces, suggesting that someone was trying to mess with a URL without showing their faces. But I can't make head or tail of this batch, beyond a vague notion that it might be Windows-Latin-1 being reinterpreted as UTF-8.

Can mod_security act on its own? I thought you had to tell it exactly what to look out for.
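As an added example (not code from the thread or from any of the posters), the script below undoes the escaping Apache applies when it writes a request line to the log: non-printable bytes become \xHH and quotes and backslashes are backslash-escaped, which is exactly what the posted entries look like. It then reports, for each line, whether the request field has the shape of an HTTP request line at all, whether the recovered bytes decode as UTF-8 (the posted ones do not, so whatever produced them, it was not an encoded URL), and whether the User-Agent is blank. The sample input reuses three of the posted entries and adds two constructed, well-formed lines for contrast; the 203.0.113.0/24 addresses are documentation-range placeholders.

```python
"""Decode and classify escaped request lines from an Apache access log.

Apache writes non-printable bytes in logged fields as \\xHH and escapes
quotes and backslashes with a backslash, so the garbage request lines
from the post can be turned back into raw bytes and examined.
Added example; not code from the thread.
"""
import re

# Constructed sample: the first three lines are copied from the post, the
# last two are well-formed requests added for contrast.  Not real traffic.
SAMPLE_LOG = r'''178.120.48.59 - - [07/13/2012 12:13:53 AM] "!\x91Kw(\x9d\xe0\x05\xf3\x16\xd0s" 200 6517 "-" "-"
112.204.39.45 - - [07/13/2012 01:23:00 AM] "\xb8K/\xbdH\xbc\x18\x9aUo\xbc\x19\x07R" 200 6517 "-" "-"
64.13.161.89 - - [07/13/2012 03:59:21 AM] "\xb4\xb3^\x80I\x8d" 200 6517 "-" "-"
203.0.113.7 - - [07/13/2012 08:00:00 AM] "GET /index.html HTTP/1.1" 200 6517 "-" "Mozilla/5.0 (constructed)"
203.0.113.8 - - [07/13/2012 08:01:00 AM] "GET /403.html HTTP/1.0" 200 6517 "-" "-"
'''

# Field layout as shown in the post: host ident user [time] "request" status size "referer" "agent".
# Quoted fields may contain backslash escapes, so "(?:[^"\\]|\\.)*" is used
# rather than a naive [^"]*.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Apache's escapes: \xHH for arbitrary bytes, \<char> for quotes, backslashes, \n, \t, \r.
ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)')

# What an HTTP request line looks like: METHOD SP target [SP HTTP/x.y].
# The version is optional because Apache also accepts the old HTTP/0.9 form.
REQUEST_LINE = re.compile(rb'^[A-Z]+ \S+( HTTP/\d\.\d)?$')


def unescape(field: str) -> bytes:
    """Reverse Apache's log escaping and return the original raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            c = m.group(2)
            out += {'n': b'\n', 't': b'\t', 'r': b'\r'}.get(c, c.encode('latin-1'))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def parse_line(line: str):
    """Split one log line into the fields we care about, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        'host': m['host'],
        'request': unescape(m['request']),
        'status': int(m['status']),
        'agent': m['agent'],
    }


def classify(record) -> list:
    """Return the list of problems found with one parsed record (empty if it looks normal)."""
    flags = []
    req = record['request']
    if not REQUEST_LINE.match(req):
        flags.append('not-http-request-line')
    try:
        req.decode('utf-8')
    except UnicodeDecodeError:
        flags.append('not-valid-utf8')
    # Apache logs a missing User-Agent as "-"; an empty header logs as "".
    if record['agent'] in ('', '-'):
        flags.append('blank-user-agent')
    return flags


def audit(log_text: str) -> list:
    """Return (host, status, flags) for every parsed line that raised at least one flag."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = classify(rec)
        if flags:
            findings.append((rec['host'], rec['status'], flags))
    return findings


if __name__ == '__main__':
    for host, status, flags in audit(SAMPLE_LOG):
        print(f'{host:16} {status} {", ".join(flags)}')
```

Run against the sample, the three posted entries are flagged on all three counts, while the well-formed line with a blank User-Agent is flagged only for that, which is the distinction the replies above are drawing: the binary request lines and the missing User-Agent are separate things to block.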

PremiumSaltine

2:15 am on Jul 17, 2012 (gmt 0)


I set mod_security up with the recommended settings, but I can't figure out how to configure it to block something like this. Can I just block everything without a user agent?

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule ^ - [F]

Would that work?

g1smd

6:25 am on Jul 17, 2012 (gmt 0)


Add another RewriteCond checking that REQUEST_URI is NOT the 403 ErrorDocument file.

PremiumSaltine

9:32 am on Jul 17, 2012 (gmt 0)


Didn't think of that. It was handing out 500s. Seems to be working now. Thank you!
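The thread's advice put together as an added example (not the poster's actual configuration): the blank User-Agent rule posted above, g1smd's exclusion of the 403 ErrorDocument so Apache can still serve the forbidden page instead of failing into a 500, and one further rule that is my addition rather than something the thread states, refusing any request whose request line is not of the form `METHOD /path HTTP/x.y`. The path `/403.html` is an assumption; substitute whatever the ErrorDocument directive points at.

```apache
# Added example, not configuration from the thread.  Assumes the 403 page
# lives at /403.html; adjust the exclusion to match your ErrorDocument.
ErrorDocument 403 /403.html

RewriteEngine On

# Refuse requests whose request line is not "METHOD /path HTTP/x.y".
# This covers the binary request lines shown in the first post.
# (Condition on %{THE_REQUEST} is my addition; the thread does not give it.)
RewriteCond %{REQUEST_URI} !^/403\.html$
RewriteCond %{THE_REQUEST} !^[A-Z]+\ /\S*\ HTTP/\d\.\d$
RewriteRule ^ - [F]

# Refuse requests with an empty User-Agent (logged as "-").
# The first RewriteCond keeps the 403 page itself reachable, otherwise the
# internal redirect to the ErrorDocument is forbidden too and Apache
# answers 500, which is what the original poster saw.
RewriteCond %{REQUEST_URI} !^/403\.html$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule ^ - [F]
```

The exclusion has to be repeated in front of each RewriteRule, because RewriteCond lines apply only to the rule that immediately follows them. The loop matters most in a per-directory (.htaccess) context, where the internal subrequest for the ErrorDocument is run through the rewrite rules again; after the change the blocked requests should show up in the log as 403 with the size of the error page rather than 200 or 500.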