Security Operations

568 readers

13 users here now

A place for all things Cyber Security, from questions, rants, and stories, to the latest attacks, vulnerabilities, and zero days.

founded 1 year ago

MODERATORS

L3s

Is this come kind of hack attempt? (self.secops)

submitted 6 months ago* (last edited 6 months ago) by lettruthout to c/secops

4 comments fedilink hide all child comments

The NGINX access.log of my VPS is showing a curiosity.

Instead of a simple request like this...

"GET / HTTP/1.1"

...regular requests are coming in that look like this

"\x03\x00\x00\x13\x0E\xE0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"

Is this some kind of hack attempt?

Here's an example of a full line from the log...

15.204.204.182 - - [24/Apr/2024:15:59:47 +0000] "\x03\x00\x00\x13\x0E\xE0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00" 400 166 "-" "-"

EDIT: For what it might be worth, most of these requests come in singularly, from different IP addresses. Once (that I've noticed) repeated attempts came in quickly from one specific IP.

you are viewing a single comment's thread
view the rest of the comments

[–] breadsmasher 3 points 6 months ago* (last edited 6 months ago)

Might be misconfigured SSL? Or a scan?

https://www.joshwieder.net/2015/11/an-explanation-of-webserver-logs-that.html?m=1

The error indicates an attempt to scan OpenSSL for the SSLv3 POODLE vulnerability. No need to panic - getting scanned is an everyday occurrence for web server administrators, and hopefully your server is already long since patched for POODLE and disabled SSLv3 connections entirely. Furthermore, many of the servers scanning the internet making these connections are researchers - the example I provided above referencing the IP address 184.105.139.68 is one such example, and belongs to a group called "The Shadowserver Foundation" that reviews the internet for vulnerabilities and publishes trends in their findings.