
I got these requests on my webserver (all IP addresses redacted, they don't come from the same subnet, "x" is just a placeholder):

x.x.x.50 - - [03/Sep/2022 12:42:38] code 400, message Bad HTTP/0.9 request type ("\x16\x03\x01\x00Ê\x01\x00\x00Æ\x03\x03W\x87û-רUÌÎE\x87\x93Å¡\x15\x87xö\x83òEÖD¿\x0få±\x83%vQu\x00\x00hÌ\x14Ì\x13À/À+À0À,À\x11À\x07À'À#À\x13À")
x.x.x.50 - - [03/Sep/2022 12:42:38] "ÊÆWû-רUÌÎEÅ¡xöòEÖD¿å±%vQuhÌÌÀ/À+À0À,ÀÀÀ'À#ÀÀ      À(À$ÀÀ" 400 -
x.x.x.88 - - [03/Sep/2022 14:18:43] "GET / HTTP/1.1" 200 -
x.x.x.10 - - [03/Sep/2022 14:36:30] "GET / HTTP/1.1" 200 -
x.x.x.197 - - [03/Sep/2022 14:46:30] "GET / HTTP/1.1" 200 -
x.x.x.37 - - [03/Sep/2022 15:46:15] "GET / HTTP/1.1" 200 -
x.x.x.88 - - [03/Sep/2022 16:03:30] "GET / HTTP/1.1" 200 -
x.x.x.209 - - [03/Sep/2022 16:24:58] code 404, message File not found
x.x.x.209 - - [03/Sep/2022 16:24:58] "GET http://example.com/ HTTP/1.1" 404 -
x.x.x.20 - - [03/Sep/2022 17:38:57] "GET / HTTP/1.1" 200 -
x.x.x.44 - - [03/Sep/2022 17:42:41] code 501, message Unsupported method ('POST')
x.x.x.44 - - [03/Sep/2022 17:42:41] "POST /GponForm/diag_Form?images/ HTTP/1.1" 501 -

What worries me is that I shared the link to my webserver only with CheapSSLSecurity, to prove domain ownership. And I was expecting only a GET request for a specific file they want me to put there. For starters, my webserver is empty now, only serving that file for the domain ownership proof, so the last request to GponForm/diag_Form is unexpected, as well as the request to http://example.com, as clearly it's not my domain. Also the first bad request seems weird as well.

So my question is: is there any precedent of a malicious actor using the requests seen here as part of an attack?

Update: I found that the GponForm/diag_Form?images request is part of this CVE, for example.

  • Some of those log entries look just fine: requests for your home page from various IP addresses. Which of the others worry you? Commented Sep 3, 2022 at 10:17
  • Ah, right, I haven't specified. The first one, specifically. From x.x.x.50. Also I only shared this link with CheapSSL, which by rights should only try to GET a specific file (to prove ownership). I'll include this in the question. Commented Sep 3, 2022 at 10:48
  • It's possible that the previous owner of the IP of your website was doing other things and that these requests are a holdover from that, maybe? Commented Sep 4, 2022 at 1:58

1 Answer

Welcome to the Wonderful World of Server Logs!

Just because you're not hosting specific pages or services on your website doesn't mean that things aren't going to request them. This could be browsers looking for things in "known locations", such as favicons, manifests, etc., or it could be either poorly coded or malicious crawlers looking to see what you have there.

As soon as you register a domain it's often available in various registries for services to ping and crawl, as well as marketeers to start hounding you about various listing services (depending on where you live and what details they can find).

Those top two requests and the last ones look like malicious attempts to see if they can break your site and gain some level of control over it.

For the first requests, at present your server is doing the right thing and returning a 400 Bad Request.

The last ones are indeed attempts to see if you're running software with known vulnerabilities, a salient reminder to always patch your servers when possible.
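As an added illustration (not part of the answer above), the following script triages log lines in the same format as the question's (Python http.server style) and labels the three kinds of entries discussed: the 400 caused by a TLS ClientHello sent to the plaintext port (the `\x16\x03\x01` bytes in the first entry are a TLS handshake record header), the absolute-URI `GET http://example.com/` that checks whether the server behaves as an open proxy, and the GPON diagnostic-form path. The sample log and the `PROBE_PATHS` list are constructed for this example.

```python
import re

# Constructed sample in the format of the question's log (Python http.server
# style); the "x.x.x" addresses are placeholders, not real hosts.
SAMPLE_LOG = r'''
x.x.x.50 - - [03/Sep/2022 12:42:38] code 400, message Bad HTTP/0.9 request type ("\x16\x03\x01\x00\xca\x01\x00\x00\xc6\x03\x03W")
x.x.x.88 - - [03/Sep/2022 14:18:43] "GET / HTTP/1.1" 200 -
x.x.x.209 - - [03/Sep/2022 16:24:58] "GET http://example.com/ HTTP/1.1" 404 -
x.x.x.44 - - [03/Sep/2022 17:42:41] "POST /GponForm/diag_Form?images/ HTTP/1.1" 501 -
'''

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ERROR_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] code (?P<code>\d{3}), message (?P<msg>.*)$')

# Paths probed for known-vulnerable software. The GPON diagnostic form is the
# one from the question's log; extend this list from your own data.
PROBE_PATHS = ('/GponForm/diag_Form',)


def classify(line: str):
    """Return (ip, category) for one log line, or None if it does not parse."""
    m = ERROR_RE.match(line)
    if m:
        # A TLS record begins with content type 0x16 (handshake) and version
        # 0x03 0x0x. Seeing it in the 400 message means a client sent a TLS
        # ClientHello to the plaintext HTTP port; the server rejected it.
        if '\\x16\\x03\\x0' in m['msg']:
            return m['ip'], 'tls_handshake_on_plaintext_port'
        return m['ip'], 'protocol_error'
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = m['target']
    if target.startswith(('http://', 'https://')):
        # Absolute-URI request: tests whether the server relays as an open proxy.
        return m['ip'], 'open_proxy_probe'
    path = target.split('?', 1)[0]
    if any(path.startswith(p) for p in PROBE_PATHS):
        return m['ip'], 'known_vuln_probe'
    if m['method'] == 'GET' and path == '/':
        return m['ip'], 'root_request'
    return m['ip'], 'other'


def triage(log_text: str):
    """Classify every parseable line; returns one (ip, category) tuple per line."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]


if __name__ == '__main__':
    for ip, cat in triage(SAMPLE_LOG):
        print(f'{ip:12} {cat}')
```

A 501 for the POST and a 404 for the absolute URI mean the server neither executed nor relayed anything; the categories are for deciding which sources to rate-limit or watch, not evidence of compromise.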
