What is this in nginx log? "\x01\x01..."

There are a lot of requests like this in our logs:

[07/Dec/2015:19:37:03 +0000] "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" 400 172 "-" "-" "-"

I guess this is a security vulnerability, but I could not find anything about it with Google. Has anyone else seen this or know what it is?


Solution 1:

It may be an attempt at exploiting a security vulnerability, but there is nothing in that log entry suggesting your server is vulnerable.

The client isn't speaking HTTP. It's just sending a sequence of bytes which all have the value 1. If it were HTTP it would be interpreted as ASCII characters, and the byte 1 in ASCII is a rarely used control character, which has no meaning in HTTP.

It could be an attempt to exploit a buffer overflow, but if that's the case it would appear your server rejected the request as invalid before it even got to the malicious payload. On a vulnerable server it is quite likely nothing would have been logged.

The 400 in the log indicates that your server rejected the request as invalid. That's because a stream of 1 bytes isn't a valid HTTP method, and besides it's way too long.

An answer to a related question on a sister site points out that this kind of request may also be an attempt at fingerprinting your server to find out what software it is running.
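If you want to triage entries like this in bulk rather than eyeballing them, the script below is an added example (not code from the question or either answer). It parses nginx's default "combined" log format, reverses the \xHH escaping nginx applies to the request field, and sorts non-HTTP requests by source address. The sample log lines are constructed, and the classification labels and the 0.5 control-byte threshold are my own heuristics; the TLS check relies on the fact that a TLS handshake record starts with the bytes 0x16 0x03, which is what you see when an HTTPS client talks to a plain HTTP port.

```python
import re
from collections import Counter

# Constructed sample lines in nginx "combined" format; not taken from the question.
# The last one is a TLS ClientHello arriving on a plain-HTTP port, a common benign cause.
SAMPLE_LINES = [
    r'203.0.113.7 - - [07/Dec/2015:19:37:03 +0000] "\x01\x01\x01\x01\x01\x01\x01\x01" 400 172 "-" "-"',
    r'203.0.113.7 - - [07/Dec/2015:19:37:04 +0000] "\x01\x01\x01\x01\x01\x01\x01\x01" 400 172 "-" "-"',
    r'198.51.100.9 - - [07/Dec/2015:19:38:10 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    r'198.51.100.9 - - [07/Dec/2015:19:38:11 +0000] "GET /caf\xC3\xA9 HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    r'192.0.2.44 - - [07/Dec/2015:19:39:00 +0000] "\x16\x03\x01\x00\xA5\x01\x00\x00" 400 172 "-" "-"',
]

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
# nginx escapes a literal quote inside $request as \x22, so [^"]* is safe here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# nginx writes non-printable bytes (and " and \) into the log as \xHH.
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')

# A syntactically plausible HTTP/1.x request line: METHOD SP target SP HTTP/x.y
HTTP_REQUEST_RE = re.compile(rb'^[A-Z]{3,10} \S+ HTTP/\d\.\d$')


def unescape_request(field: str) -> bytes:
    """Reverse nginx's \\xHH escaping and return the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('utf-8')
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += field[pos:].encode('utf-8')
    return bytes(out)


def control_ratio(raw: bytes) -> float:
    """Fraction of bytes that are ASCII control characters (0x00-0x1F, 0x7F)."""
    if not raw:
        return 0.0
    controls = sum(1 for b in raw if b < 0x20 or b == 0x7F)
    return controls / len(raw)


def classify(raw: bytes) -> str:
    """Label a raw request line. Labels are this example's own heuristics."""
    if HTTP_REQUEST_RE.match(raw):
        return 'http'
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return 'tls-on-http-port'
    if control_ratio(raw) >= 0.5:
        return 'binary-junk'
    return 'malformed'


def triage(lines):
    """Return {label: Counter(ip -> count)} for every request that is not plain HTTP."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # a line we don't understand: skip rather than guess
        label = classify(unescape_request(m.group('request')))
        if label == 'http':
            continue
        report.setdefault(label, Counter())[m.group('ip')] += 1
    return report


if __name__ == '__main__':
    for label, by_ip in triage(SAMPLE_LINES).items():
        for ip, count in by_ip.most_common():
            print(f'{label:18} {ip:16} {count}')
```

Two things worth noting from the output: the UTF-8 path (/caf\xC3\xA9) decodes to a perfectly ordinary request, so \xHH escapes on their own are not a signal, and the 0x16 0x03 prefix identifies a misdirected TLS handshake, which is usually a client or load-balancer misconfiguration rather than a probe. Only the all-control-byte entries fall into the "binary-junk" bucket that the answer above describes.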

Solution 2:

Looks like someone is requesting some shellcode from your web server.

I'd usually just ignore it, but if it's causing a problem with logging or something, ban them.

Do a quick Whois on their IP address and if it's a university, report it to the abuse@ email with logs ;)