Apache access log \x80w\x01\x03\x01

apache-2.2 centos

Solution 1:

These byte sequences in your logs look like the beginning of SSL version 2 client hello packets, and result from some HTTPS clients connecting to a port where your web server expects plain HTTP, not HTTPS. Your web server tries to interpret the start of SSL handshake as the HTTP request method.

So you have two problems here:

  1. Someone tries to talk HTTPS to a port on which your web server expects HTTP. This may be a misconfiguration of your server (e.g., you added a Listen 443 directive, but did not enable HTTPS correctly), or just the result of port scans from dumb robots which try HTTPS on nonstandard ports. Or this may be caused by a client misconfiguration (something like https://example.com:80/ could result in such behavior).
  2. Your server for some reason replies with status code 200 to requests with a bogus method. While Apache itself should not handle such unknown methods, PHP by default accepts everything and passes the request to the script. Together with some rewrite rules which cause request for nonexistent files to be passed to index.php (commonly used to get “clean URLs”) and scripts which do not check $_SERVER['REQUEST_METHOD'] this could result in the behavior you see here.

And if the clients sending those requests are controlled by you, then you have a third problem — those clients are using the obsolete and insecure SSL v2 protocol (they advertise support for SSL version 3.1, which is actually TLS 1.0, but would accept SSL v2 responses from the server, so they are vulnerable to a protocol downgrade attack due to missing integrity protection for handshake in SSL v2).

Solution 2:

Yes, the garbage one seems to come from https requests to an http server.

The HNAP1 requests look like an automated attack against a whole slew of routers.

If it's hitting an Apache install you're fine.

If it's hitting any sort of cable/DSL router it's quite possibly hosed. You should reset it and update the firmware to the latest version. The exploit could allow a hacker into your inner network, but I really doubt the automated attack goes that far. Fortunately, it would seem that it can only change the password and settings, so a reset will undo it, though it will just happen again if you don't update to a fixed firmware. More permanent exploits that involve overwriting the firmware would be device-specific.

Related

Enough memory but OOM killer invoked?
Ethernet Loopback plug - running a ping
Any clever way to put a password in an SSH key?
How to permanently redirect port 8080 URL to port 80 using nginx
Linux qos: tc DRR qdisc does not work
It is fair to jail my SFTP users to their home directory?
UPS with a HP Proliant server
Is there any way for me to run my own instance of a Google Wave server?
Reducing the verbosity of auditd, my minimal rules catch stuff they should not (apparmor)
Selinux - centos - missing /etc/selinux/config
Dynamically setting a new test interval for Nagios checks
Source based distros vs Prebuilt package based distros