Security Operations

559 readers

1 users here now

A place for all things Cyber Security, from questions, rants, and stories, to the latest attacks, vulnerabilities, and zero days.

founded 1 year ago

MODERATORS

[email protected]

Is this come kind of hack attempt? (lemmy.world)

submitted 4 months ago* (last edited 4 months ago) by [email protected] to c/[email protected]

4 comments fedilink hide all child comments

The NGINX access.log of my VPS is showing a curiosity.

Instead of a simple request like this...

"GET / HTTP/1.1"

...regular requests are coming in that look like this

"\x03\x00\x00\x13\x0E\xE0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"

Is this some kind of hack attempt?

Here's an example of a full line from the log...

15.204.204.182 - - [24/Apr/2024:15:59:47 +0000] "\x03\x00\x00\x13\x0E\xE0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00" 400 166 "-" "-"

EDIT: For what it might be worth, most of these requests come in singularly, from different IP addresses. Once (that I've noticed) repeated attempts came in quickly from one specific IP.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 4 months ago

The log translated binary data received to hex escape codes so that your log is not dangerous when you cat it. This could be misconfigured port or some sort of scan (e.g. Someone is trying to https to your http port and it wants to negotiate a SSL/TLS session). The IP listed is a OVH server and appears to be running IIS on http.