Weblog entry #296 for simonw
#296
Apache host validation and mystery.
Posted by simonw on Fri 9 Jan 2009 at 10:24
Anyone recognize this for what it is? It is straight from the Apache access log.
000000 VIATELIPADDR - - [08/Jan/2009:19:57:23 +0000] "bM\x8b\x84\x99\x04\x17\xe8\xc0\x07&\xa9\x1dt\xe2\x04>amF\x02\x06X\b\x0e\xa6Y\x95\x03u\xab0\xd8\xd4\x8b\x98\x16\xc4\xa0^\x8d\xd3\xa3\x1f%\xa7=\xfaa\xce.\xa6\xeb\x94\xfd \x97\x18\xafW\xc62\xe2A\x1d\xd2\xa0'\x0ccx\xcf[\xea\x93\x9fvD\xdd)\xddA)\x81\x82\xea" 301 250 "-" "-"
Some random spew to port 80.
This HTTP request(?) tripped a really annoying, but minor, bug in the Apache mod_rewrite rewriter program we were using.
I'm guessing from this, and some other issues, that Apache does very little validation of host names it receives from the HTTP client.
So is there a standard way of doing some validation on host names? I guess it normally only applies to custom mass virtual hosting configurations, so it is probably my own problem. But I'd like to remove obvious dross from hostnames. Is it that HTTP doesn't assume that traditional host and domain names will be used, so Apache can't do better? Sure, we fixed the rewriter program, but I've noticed bad domain names can mess up the rash assumptions we make in our log reporting as well, so I'd rather catch them earlier.
Comments on this Entry
Posted by Anonymous (221.161.xx.xx) on Fri 9 Jan 2009 at 12:43
I haven't run Apache publicly for a couple of years, but it looks similar to other log entries I got from scripts targeting IIS6 at that time. I suspect it's an exploit of some kind.
[ Parent | Reply to this comment ]
Posted by sneex (63.139.xx.xx) on Fri 9 Jan 2009 at 19:22
[ Send Message | View sneex's Scratchpad | View Weblogs ]
Did you try to decode it? Here is a Python example for Strings and such:
http://mail.python.org/pipermail/python-checkins/2007-May/060201.html
HTH/Sx
http://youve-reached-the.endoftheinternet.org/
[ Parent | Reply to this comment ]
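The two practical questions in this thread, decoding what Apache actually logged (sneex's suggestion) and catching bad host names before they reach the rewriter or the log reports (the original post), can be handled in one small log-side checker. The following is an added example and not code from the post, from the commenters, or from Apache itself. It undoes Apache's log escaping (the `\xNN` and `\b`-style sequences the access log uses for non-printable bytes), checks whether the quoted request field is a syntactically valid HTTP request line at all, and, where the request target is an absolute URI, validates the host part against RFC 1123 host-name syntax (or as an IP literal). The three log lines are constructed samples; the first reuses the request bytes quoted in the post with a placeholder client address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not taken from a real server): the first request string
# is the one quoted in the post, re-typed with a placeholder client address;
# the other two lines are ordinary requests for comparison.
GARBAGE_REQUEST = (
    r'bM\x8b\x84\x99\x04\x17\xe8\xc0\x07&\xa9\x1dt\xe2\x04>amF\x02\x06X\b\x0e\xa6Y\x95\x03u\xab0'
    r'\xd8\xd4\x8b\x98\x16\xc4\xa0^\x8d\xd3\xa3\x1f%\xa7=\xfaa\xce.\xa6\xeb\x94\xfd \x97\x18\xafW'
    r"\xc62\xe2A\x1d\xd2\xa0'\x0ccx\xcf[\xea\x93\x9fvD\xdd)\xddA)\x81\x82\xea"
)
SAMPLE_LOG = [
    f'192.0.2.10 - - [08/Jan/2009:19:57:23 +0000] "{GARBAGE_REQUEST}" 301 250 "-" "-"',
    '192.0.2.11 - - [08/Jan/2009:19:58:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [08/Jan/2009:19:58:05 +0000] "GET http://foo_bar..example/ HTTP/1.1" 400 226 "-" "-"',
]

# Apache escapes %r and header fields before logging: \b \n \r \t \v \\ \"
# get a letter escape, every other non-printable byte becomes \xNN.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[\\"bnrtv])')
_LETTER_ESCAPES = {'\\': b'\\', '"': b'"', 'b': b'\b', 'n': b'\n',
                   'r': b'\r', 't': b'\t', 'v': b'\v'}

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
_LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # RFC 2616 token (method)
_REQUEST_RE = re.compile(rf'^({_TOKEN}) (\S+) HTTP/(\d)\.(\d)$')
_LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')   # LDH label


def unescape_log_field(field: str) -> bytes:
    """Turn a quoted access-log field back into the bytes Apache received."""
    out, pos = bytearray(), 0
    for m in _ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out += bytes([int(esc[1:], 16)]) if esc.startswith('x') else _LETTER_ESCAPES[esc]
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def is_valid_hostname(host: str) -> bool:
    """RFC 1123 host name: dot-separated LDH labels of 1-63 octets, no leading
    or trailing hyphen, at most 253 octets in total; a trailing dot is allowed."""
    if host.endswith('.'):
        host = host[:-1]
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.split('.'))


def is_valid_host(host: str) -> bool:
    """Host as allowed in a Host header or URI authority: host name, dotted
    IPv4 literal (which is also a valid RFC 1123 name) or bracketed IPv6."""
    if host.startswith('[') and host.endswith(']'):
        try:
            ipaddress.IPv6Address(host[1:-1])
            return True
        except ValueError:
            return False
    return is_valid_hostname(host)


def host_of_target(target: str) -> Optional[str]:
    """Host part of an absolute-form target (scheme://[user@]host[:port]/...),
    None for origin-form targets such as /index.html."""
    m = re.match(r'^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)', target)
    if not m:
        return None
    authority = m.group(1).rsplit('@', 1)[-1]            # drop userinfo
    if authority.startswith('['):                        # IPv6 literal
        return authority.split(']', 1)[0] + ']'
    return authority.rsplit(':', 1)[0] if ':' in authority else authority


@dataclass
class Verdict:
    client: str
    kind: str                        # 'http', 'not-http' or 'unparsable-line'
    host: Optional[str] = None       # only set for absolute-form targets
    host_ok: Optional[bool] = None


def classify(line: str) -> Verdict:
    m = _LOG_RE.match(line)
    if not m:
        return Verdict('?', 'unparsable-line')
    text = unescape_log_field(m['request']).decode('latin-1')
    # A request line is printable ASCII by definition; anything else is noise
    # on port 80, however Apache chose to log it.
    rm = _REQUEST_RE.match(text) if all(0x20 <= ord(c) < 0x7f for c in text) else None
    if not rm:
        return Verdict(m['client'], 'not-http')
    host = host_of_target(rm.group(2))
    return Verdict(m['client'], 'http', host, None if host is None else is_valid_host(host))


if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

The first sample decodes to bytes well outside printable ASCII and is reported as `not-http`, which is the right bucket for a log report: there was never a request line or a Host header to validate, so no amount of Apache-side host checking would have helped. For the mass virtual hosting case, log the name the server actually used (`%V`) or the raw header (`%{Host}i`) with a custom `LogFormat` and run that field through `is_valid_host`; the check deliberately accepts IPv4 and bracketed IPv6 literals, because HTTP/1.1 clients may legitimately send those, and a pure host-name check would misfile them as dross.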