I'm getting the requests below, logged with status code 200 (OK), to these paths:
[06/Feb/2013:07:41:38 +1100] "\x80w\x01\x03\x01" 200 550 "-" "-"
[05/Feb/2013:10:52:22 +1100] "\x80g\x01\x03\x01" 200 550 "-" "-"
I'm getting spam abuse now. Is my server compromised?
Best Answer
These byte sequences in your logs look like the beginning of SSL version 2 client hello packets, and result from some HTTPS clients connecting to a port where your web server expects plain HTTP, not HTTPS. Your web server tries to interpret the start of the SSL handshake as the HTTP request method.
So you have two problems here:

1. Clients are attempting HTTPS on a port that serves plain HTTP. This could be your own server misconfiguration (e.g. a Listen 443 directive, but HTTPS not enabled correctly), or just the result of port scans from dumb robots which try HTTPS on nonstandard ports. Or this may be caused by a client misconfiguration (something like https://example.com:80/ could result in such behavior).

2. Your server answers these requests with 200 OK. Routing all requests to index.php (commonly used to get “clean URLs”) combined with scripts which do not check $_SERVER['REQUEST_METHOD'] could result in the behavior you see here.

And if the clients sending those requests are controlled by you, then you have a third problem — those clients are using the obsolete and insecure SSL v2 protocol (they advertise support for SSL version 3.1, which is actually TLS 1.0, but would accept SSL v2 responses from the server, so they are vulnerable to a protocol downgrade attack due to the missing integrity protection for the handshake in SSL v2).
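The answer's diagnosis can be checked mechanically. The following is an added example, not code from the question or answer: it parses Apache-style access log lines, undoes the \xHH escaping Apache applies to non-printable bytes in the request field, and decodes the SSLv2 record header (two length bytes with the high bit set, a message type byte where 0x01 is CLIENT-HELLO, then the advertised protocol version). It flags lines where such a handshake was answered with 200, which is exactly the second problem described above. The log lines are constructed to mirror the ones in the question plus one ordinary GET; the function names and the log format regex are this example's own assumptions.

```python
import re

# Constructed sample log lines modelled on the question (not real traffic).
SAMPLE_LOG = r'''[06/Feb/2013:07:41:38 +1100] "\x80w\x01\x03\x01" 200 550 "-" "-"
[05/Feb/2013:10:52:22 +1100] "\x80g\x01\x03\x01" 200 550 "-" "-"
[05/Feb/2013:10:53:01 +1100] "GET /index.php HTTP/1.1" 200 1234 "-" "curl/7.29.0"
'''

# Assumed log layout: [timestamp] "request" status size "referer" "user-agent".
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')

# Version bytes as they appear in SSL/TLS handshakes.
VERSION_NAMES = {
    (2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1", (3, 3): "TLS 1.2",
}
HEX2 = re.compile(r'[0-9a-fA-F]{2}')


def unescape_apache(field: str) -> bytes:
    """Undo Apache's \\xHH escaping of non-printable bytes in a log field."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == '\\' and i + 3 < len(field) and field[i + 1] == 'x' \
                and HEX2.fullmatch(field[i + 2:i + 4]):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        elif field[i] == '\\' and i + 1 < len(field):
            out.append(ord(field[i + 1]))   # \" or \\ style escape
            i += 2
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def parse_sslv2_client_hello(data: bytes):
    """Return record length and advertised version if `data` starts like an
    SSLv2 CLIENT-HELLO, else None.  SSLv2 record header: high bit of the
    first byte set, 15-bit length, then message type (0x01 = CLIENT-HELLO),
    then the highest version the client supports (e.g. 0x03 0x01 = TLS 1.0)."""
    if len(data) < 5 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    if data[2] != 0x01:
        return None
    version = (data[3], data[4])
    return {
        "record_length": length,
        "advertised_version": VERSION_NAMES.get(version, f"unknown {version}"),
    }


def triage(log_text: str):
    """Scan a log for SSLv2 client hellos hitting a plain-HTTP port and note
    whether the server wrongly accepted them (status 200)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hello = parse_sslv2_client_hello(unescape_apache(m.group("req")))
        if hello is None:
            continue
        status = int(m.group("status"))
        findings.append({
            "ts": m.group("ts"),
            "status": status,
            "server_accepted": status == 200,   # should be 400, not 200
            **hello,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Each finding tells you two things at once: the client speaks SSLv2 but advertises TLS 1.0 (the third problem in the answer), and `server_accepted` being true confirms the front controller treated "\x80w\x01\x03\x01" as a valid request method instead of rejecting it. The server-side fix is the one the answer names: have the script that handles all routed requests refuse methods outside the expected set (GET, POST, HEAD and so on) before doing any work.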