Can't understand these lines in apache log file - apache

I get lines like these
101.102.2.137 - - [13/Sep/2013:15:20:53 +0300] "\xda\x85^iK\x94bUt\xb2DR\x12l\x19\x11\x06\xd0\x86\x88\xf43\x0c\x14e\x17\xab\xf8SUGF{L\xb0T\x91\x12\xeb\xce\xdc\x1e\x19NS\xc6+\x82;c\r\x96\xd7#\xfb\x01n" 400 226
46.47.127.146 - - [13/Sep/2013:15:23:00 +0300] "-" 408 -
92.163.103.246 - - [13/Sep/2013:15:27:23 +0300] "-" 408 -
124.84.210.50 - - [13/Sep/2013:15:59:56 +0300] "\x9e\x89\xd6" 200 4487
in my Apache log and I don't know what they mean. I use WAMP just to test stuff; I don't know how anyone can get my IP to connect.
Can you tell me what the lines mean?

Related

Apache httpd server doesn't accept GET HTTP request from F5 load balancer

We are currently bringing a reverse proxy solution between the internet and the application server. I have completed the simple reverse proxy setup and I am successfully able to reach the application server from the reverse proxy. But when I try to perform a health check from F5 to the reverse proxy, it fails, and there are no errors in the error_log except the following in access_log:
XX.XXX.XX.X - - [07/Feb/2020:15:33:27 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:28 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:32 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:33 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:37 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:38 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:42 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:43 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:47 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:48 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:52 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:53 -0700] "\x16\x03\x01" 400 226 "-" "-"
Instead of HTTP methods (which is the first thing an HTTP client will send), you are getting strings starting with \x16, which is the start of a TLS handshake.
This means that your client is trying to use HTTPS to speak to an HTTP server. Just starting a server on port 443 doesn't make it HTTPS. The quick way to confirm this is probably to change a URL such as https://foo to http://foo:443
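As an added example (not part of either answer), the Python script below reverses httpd's \xNN escaping of the request field and classifies it the way the answer above does by eye: bytes 0x16 0x03 mean a TLS handshake sent to a plain-HTTP port, "-" with a 408 means a connection that sent nothing before the request timeout, and other binary is a non-HTTP probe. The log-format regex, the method list and the TLS version check are my assumptions.

```python
import re

# Common/Combined Log Format as quoted in this thread; the referer and
# user-agent fields that follow the size are optional here.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# httpd escapes the request line before logging: control and non-ASCII
# bytes become \xNN and a few characters get C-style escapes.
ESC_RE = re.compile(rb'\\(x[0-9a-fA-F]{2}|[nrtbv"\\])')
C_ESCAPES = {b'n': 0x0a, b'r': 0x0d, b't': 0x09, b'b': 0x08, b'v': 0x0b,
             b'"': 0x22, b'\\': 0x5c}
HTTP_METHODS = {'GET', 'POST', 'HEAD', 'PUT', 'DELETE', 'OPTIONS',
                'PATCH', 'TRACE', 'CONNECT'}

def unescape_request(field):
    """Recover the raw bytes the client sent from the escaped request field."""
    def one(m):
        tok = m.group(1)
        return bytes([int(tok[1:], 16) if tok[:1] == b'x' else C_ESCAPES[tok]])
    return ESC_RE.sub(one, field.encode('latin-1', 'replace'))

def classify(raw, status):
    """Name what the first bytes on the connection most likely were."""
    if raw == b'-' and status == 408:
        return 'no request before timeout'        # connection opened, nothing sent
    if raw[:2] == b'\x16\x03' and len(raw) > 2 and raw[2] <= 0x04:
        return 'TLS handshake on plain-HTTP port'  # 0x16 = handshake record, 0x03xx = SSL3/TLS
    parts = raw.split(b' ')
    if parts[0].decode('ascii', 'replace') in HTTP_METHODS and parts[-1].startswith(b'HTTP/'):
        return 'http'
    return 'non-HTTP bytes (scanner or misrouted protocol)'

def triage(line):
    """Parse one access-log line; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    status = int(m.group('status'))
    raw = unescape_request(m.group('request'))
    return {'host': m.group('host'), 'status': status, 'raw': raw,
            'kind': classify(raw, status)}
```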
I had the same problem "\x16\x03\x01" 400 226 "-" "-".
My mistake was in my DNAT firewall. I caught communication on both 80 and 443 and DNAT only to IP:80. This rule redirects all traffic from http and https to TCP/80. That's why the request "\x16.." was recorded in the log. Maybe my experience will help someone :-)

Fail2ban filter for a specific string in *access.log

I have many GET requests on my server to "nike-air" URLs like this:
216.*.*.* - - [13/Dec/2016:20:07:54 +0100] "GET /jd/nike-huarache-2010.php HTTP/1.1" 404
216.*.*.* - - [13/Dec/2016:20:07:57 +0100] "GET /jd/nike-roshe-run-homme-original.php HTTP/1.1" 404
187.*.*.* - - [13/Dec/2016:20:17:26 +0100] "GET /jd/nike-mercurial.php HTTP/1.1" 404
I decided to create a fail2ban filter to stop it:
# apache-nike.conf
[Definition]
failregex = ^<HOST> -.*"GET .*nike-.*".*
ignoreregex =
It works, but I think it can be improved? Too bad there is no online tool to create filters :)
Thank you for your suggestions.
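As an added example that is not from the question or from fail2ban itself, the harness below substitutes an approximation of fail2ban's <HOST> token into a failregex and tallies hits over constructed log lines. The tightened pattern is my suggestion: it keeps the match inside the request field and counts only 404s, so a visitor whose referer, or a legitimate 200 page, happens to contain "nike-" is not banned.

```python
import re
from collections import Counter

# Approximation of what fail2ban substitutes for <HOST> (IPv4 or hostname);
# an assumption for this harness, not copied from fail2ban's source.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# The filter from the question, and a tightened variant (my suggestion):
# stay inside the quoted request field and only count 404 responses.
ORIGINAL = r'^<HOST> -.*"GET .*nike-.*".*'
TIGHTENED = r'^<HOST> -.*"GET [^"]*nike-[^"]*" 404 '

def compile_failregex(failregex):
    return re.compile(failregex.replace('<HOST>', HOST_RE))

def scan(lines, failregex):
    """Return {host: hit_count}, the tally fail2ban would build for a filter."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.match(line)
        if m:
            hits[m.group('host')] += 1
    return dict(hits)

# Constructed sample lines (combined log format, addresses from 192.0.2.0/24).
SAMPLE = [
    '192.0.2.10 - - [13/Dec/2016:20:07:54 +0100] "GET /jd/nike-huarache-2010.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Dec/2016:20:07:57 +0100] "GET /jd/nike-roshe-run-homme-original.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [13/Dec/2016:20:17:26 +0100] "GET /jd/nike-mercurial.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # Legitimate visitor: real page, but the referer happens to contain "nike-".
    '192.0.2.50 - - [13/Dec/2016:20:20:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "http://forum.example/nike-shoes" "Mozilla/5.0"',
    # Legitimate visitor: a 200 on a real page whose path contains the keyword.
    '192.0.2.51 - - [13/Dec/2016:20:21:00 +0100] "GET /blog/nike-review.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print('original :', scan(SAMPLE, ORIGINAL))   # also counts the two legitimate hosts
    print('tightened:', scan(SAMPLE, TIGHTENED))  # only the hosts probing for 404 pages
```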

Customizing Apache Logs

I am running a website with a signup/login process, and I would like to insert user IDs when the user signs up or logs in to my website.
My apache access.log is as in the following:
115.137.10.87 - - [26/Aug/2013:07:38:52 +0900] "GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:38:59 +0900] "GET /api/premium/brand HTTP/1.1" 200 721 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:38:59 +0900] "GET /api/brand/ HTTP/1.1" 200 2510 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:39:00 +0900] "GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
I can clearly see which HTTP request was sent from which IP address.
But if I could put the user ID (e.g. $userid) into this log, it would be a wonderful log, and I would be able to get good statistical information for making decisions.
If it is possible, is there any way to do this?
Any advice will be really appreciated.
The log will be like this:
115.137.10.87 - - [26/Aug/2013:07:38:52 +0900] "***[USERID]*** GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
If you are using HTTP Basic or Digest authentication, then the user name is derived from an HTTP header and can be inserted into the log by using %u in a LogFormat directive in your Apache config. If you have a login system that does not include the username in a header (likely), then the only other option I know of would be to somehow set an environment variable which Apache could then write out with %{FOOBAR}e. See http://httpd.apache.org/docs/2.2/logs.html
Otherwise, you're probably better off writing out your own log file from your application code (or use an application level logging library - Log4j, or whatever.)

Apache 500 Error due to User Agent?

I am currently getting 500 errors from Apache using an alarming probe shell script that has been provided to me.
Unfortunately I have not been able to get to the bottom of why the script generates a 500 error when attempting to access content locally on the server but using other methods like wget and telnet works fine.
The following are the Apache access log entries for each of the attempts:
Using Wget
127.0.0.1 - "" [19/Mar/2013:14:31:44 +1100] "GET /index.html HTTP/1.1" 200 1635 "-" "Wget/1.13.3" "-"
Using Telnet
127.0.0.1 - "" [20/Mar/2013:13:12:11 +1100] "GET /index.html HTTP/1.1" 200 1635 "-" "-" "-"
Using the Probe Scripts
127.0.0.1 - - [19/Mar/2013:14:33:56 +1100] "GET /index.html HTTP/1.1" 500 - "-" "" "-"
The only difference I can see is that the probe has a - instead of a "" in the user agent (3rd item), which either way tells me it wasn't passed in any of the instances (as this is expected since there is no authentication).
I've bumped up the logging for everything in Apache and can't figure out what is amiss. There is no processing involved, it's a static file, and I have attempted with other file types too, like images, to no avail.
Does anyone have any ideas or has seen something similar?
Thanks,
Tony

Apache access log : multiple status code

In Apache access.log, I am used to this kind of access log line:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
I was checking some apache access logs this morning and found something I'm not used to:
192.168.1.10- - [20/Feb/2013:00:00:45 +0000] "POST /form/... 404 200 252 "-" "-" 435835
There are multiple status codes. Does it mean the request was sent multiple times (something like a failed/retry mechanism)?