Apache Logs – Understanding HTTP Requests “\x80z\x01\x03\x01”

apache-2.2

I'm having lots of the following HTTP requests in my Apache access log:

178.91.64.43 - - [17/May/2012:16:33:22 +0400] "\x80z\x01\x03\x01" 200 65900 "-" "-"

My site stops working because of them. So, I just block all such IPs with my csf firewall. I am on CentOS 5.8 with Apache 2.2.4.

Can you help me understand what these requests are? I am not able to google anything and just need a point from which to start in order to resolve this issue.

Thank you.

Update.

Web server is listening to the port 443.

   tcp  0    0 :::443    :::*    LISTEN      0   2686146530 19775/httpd

Best Answer

That looks like someone trying to connect using SSL to a non-SSL port (i.e. https://).

Either the connecting clients are getting something wrong, or perhaps your web server is listening on port 443, but not for SSL connections?

You could create an Apache customlog using %p somewhere in the output, and track which port those connections are actually turning up on. If they're on port 443 then your config is potentially the issue, if they're on port 80, I'm not sure what to suggest.

Related Solutions

Apache Error Log – Invalid Method in Request \x16\x03\x01

Wrt the first error, it's possible that your webserver is mistakenly trying to speak unencrypted HTTP to a request that came in on port 443 (HTTPS).

To test this, telnet to port 443 on your webserver's hostname or IP address and issue: GET / HTTP/1.0. Assuming the IP address is 10.0.0.1, that you're using Windows, and that you have the Windows telnet client installed (which sucks, btw - I prefer SecureCRT or PuTTY, which is free), type the following in a command prompt window and press Enter:

telnet 10.0.0.1 443

When the connection is established (you should see a blank screen with a blinking cursor), type:

GET / HTTP/1.0

...and press Enter twice.

Quick note: You won't be able to see the stuff that you type after the telnet session has been established, even though your keystrokes will still be sent to server. In the Windows telnet client, a setting called "localecho" controls this behaviour, but it's turned off by default.

Quick note #2: Backspace "won't work", so be careful not to make a typo or you'll need to start from scratch.

If you get back plaintext, readable HTML, you probably have some problem with your virtual hosts configuration.

I'm not sure about the second error, though, and even if the above is the case, it shouldn't cause Apache to gracefully restart...

How are these ‘bad bots’ finding the closed webserver

Welcome to the internet :)

How they found you: Chances are, brute force IP scanning. Just like their constant stream of vulnerability scanning on your host once they found it.
To prevent in the future: While not totally avoidable, you can inhibit security tools like Fail2Ban on Apache or rate limits - or manually banning - or setting up ACL's
It's very common to see this on any outside accessible hardware that responds on common ports
It's only dangerous if you have unpatched versions of software on the host that may be vulnerable. These are merely blind attempts to see if you've got anything 'cool' for these script kiddies to tinker with. Think of it as someone walking around the parking lot trying car doors to see if they're unlocked, make sure yours is and chances are he'll leave yours alone.

Best Answer

Related Solutions

Apache Error Log – Invalid Method in Request \x16\x03\x01

How are these ‘bad bots’ finding the closed webserver

Related Topic