This isn't really new, but two readers submitted logs like this today, so I figured it is time for a reminder. If you see requests like this in your web logs:

a.b.c.d - - [04/Oct/2016:14:57:34 +0000] "\x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16" 400 166 "-" "-"

the reason is almost always an SSL request sent to a non-SSL server. In particular, if you are running a web server on a port other than port 80 (e.g. 8080 or 8000), you will see attackers trying to scan your server assuming that it is running SSL.

To decode the byte sequence above:

\x16 - This indicates a "handshake". Typically, connections start with a client hello. You will find various versions of this, depending on the SSL/TLS version used, the number of ciphers offered and the like.
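As an added example (not part of the diary), here is a small Python check that pulls the escaped request field out of an Apache-style log line like the one above, turns the \xNN escapes back into bytes and reports whether the request is a TLS handshake record, which record version and handshake type it carries, and the version advertised in the client hello. The sample log line is the diary's own, embedded as constructed input; the function and field names are mine.

```python
import re

# Constructed sample: the diary's log line, with Apache's \xNN escapes kept as text.
LOG_LINE = (
    'a.b.c.d - - [04/Oct/2016:14:57:34 +0000] '
    '"\\x16\\x03\\x02\\x00\\xDC\\x01\\x00\\x00\\xD8\\x03\\x02SC[\\x90\\x9D\\x9Br'
    '\\x0B\\xBC\\x0C\\xBC+\\x92\\xA8H\\x97\\xCF\\xBD9\\x04\\xCC\\x16" 400 166 "-" "-"'
)

TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}

# Request field sits between the timestamp's "] " and the 3-digit status code.
REQUEST_RE = re.compile(r'\] "(.*?)" (\d{3}) ')
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def unescape_request(field: str) -> bytes:
    """Convert Apache's \\xNN escapes back to raw bytes; other characters are literal ASCII."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field).encode("latin-1")


def classify_request(line: str):
    """Return details of a TLS handshake record found in the request field, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = unescape_request(m.group(1))
    # TLS record header: type (0x16 = handshake), version (2 bytes), length (2 bytes)
    if len(raw) < 6 or raw[0] != 0x16:
        return None
    info = {
        "status": int(m.group(2)),
        "record_version": TLS_VERSIONS.get((raw[1], raw[2]), f"unknown {raw[1]}.{raw[2]}"),
        "record_length": int.from_bytes(raw[3:5], "big"),
        "handshake": HANDSHAKE_TYPES.get(raw[5], f"type {raw[5]}"),
    }
    # ClientHello body: 3-byte length, then the client's highest supported version,
    # then the 32-byte random (the "SC[..." garbage in the log is the start of it).
    if raw[5] == 1 and len(raw) >= 11:
        info["handshake_length"] = int.from_bytes(raw[6:9], "big")
        info["hello_version"] = TLS_VERSIONS.get((raw[9], raw[10]), "unknown")
    return info


if __name__ == "__main__":
    print(classify_request(LOG_LINE))
```

A 400 with a request field starting with \x16 and a sane record version is the signature to look for; a plain HTTP request returns None here.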
Johannes, ISC Handler, Oct 5th 2016