
Strange Apache logs - maybe DDOS?

From: Christian Schwede <cschwede(at)delphi-gmbh.de>
Date: Fri Nov 15 2002 - 04:31:30 EST

Hi everybody,
I have a little problem with our apache server. This is what my logs show me:

access_log:

[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:28 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3;" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe37" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:29 +0100] "\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:30 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:31 +0100] "-" 408 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe3I" 501 -
[CLIENT_IP_ADDR] - - [13/Nov/2002:12:39:32 +0100] "\xe34" 501 -

error_log:
[Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I
[Wed Nov 13 12:39:50 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E
[Wed Nov 13 12:39:51 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?E
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?J
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?=
[Wed Nov 13 12:39:52 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?7
[Wed Nov 13 12:39:54 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?4
[Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?I
[Wed Nov 13 12:39:55 2002] [error] [client [CLIENT_IP_ADDR]] Invalid method in request ?@

So, what the heck is trying to access my server? I looked around on Google for spyware or worm signatures, but none of them fit. Has anybody else seen this? It started on Monday, 21 Oct. 2002. We have already had 630.000 (in words: more than six hundred thousand!) requests of this type. That is more than 200.000 requests a week. I really don't know what this is, but I think it's spyware. Can I prevent Apache from responding to these requests? Maybe with the <FilesMatch> directive?

Please help me, TIA!
Christian
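
An added example, not part of the original post: a small Python triage script that tallies, per client, the request lines that are not HTTP at all (the 501 entries) and the timed-out connections (408) in an access_log of the shape quoted above. The sample lines and the 192.0.2.x addresses are constructed, since the client addresses in the post are redacted.

```python
import re
from collections import Counter

# Constructed sample in the shape of the access_log excerpt in the post.
# 192.0.2.x are documentation placeholder addresses, not values from the post.
SAMPLE = r'''192.0.2.10 - - [13/Nov/2002:12:39:28 +0100] "\xe3I" 501 -
192.0.2.10 - - [13/Nov/2002:12:39:28 +0100] "-" 408 -
192.0.2.10 - - [13/Nov/2002:12:39:29 +0100] "\xe3;" 501 -
192.0.2.11 - - [13/Nov/2002:12:39:29 +0100] "\xe37" 501 -
192.0.2.20 - - [13/Nov/2002:12:39:30 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [13/Nov/2002:12:39:31 +0100] "-" 408 -
'''

# Common Log Format: host ident user [time] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)$')
# A well-formed request line: METHOD target, optionally followed by HTTP/x.y
HTTP_REQ = re.compile(r'^[A-Z]+ \S+( HTTP/\d\.\d)?$')
# Apache writes non-printable request bytes as \xNN escapes in the log
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

def summarize(log_text):
    """Return (non_http, timeouts, prefixes) counters for an access_log."""
    non_http = Counter()   # client -> requests that are not HTTP at all
    timeouts = Counter()   # client -> empty requests that timed out (408)
    prefixes = Counter()   # leading escaped byte of each non-HTTP request
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, _when, request, status, _size = m.groups()
        if request == "-":
            if status == "408":
                timeouts[client] += 1
            continue
        if not HTTP_REQ.match(request):
            non_http[client] += 1
            esc = ESCAPED_BYTE.match(request)
            prefixes[esc.group(0) if esc else request[:1]] += 1
    return non_http, timeouts, prefixes

if __name__ == "__main__":
    non_http, timeouts, prefixes = summarize(SAMPLE)
    for client, count in non_http.most_common():
        print(f"{client}: {count} non-HTTP requests, {timeouts[client]} timeouts")
    print("leading bytes:", dict(prefixes))
```

Run over the real access_log, the per-client totals show whether the traffic comes from a handful of hosts or from many, which decides whether filtering by source address is practical.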



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sun Nov 17 09:11:27 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

