Exploit attempt!!! [Thu Feb 04 08:29:16.888853 2016] [core:error] [pid 14051] [client 169.229.3.91:52806] AH00135: Invalid method in request n\x9fB\xb5\x91`\xbdJ>\x85j\xdd\xbf\xf5\xa7w\x15h\xef\xa6\xe0\xaf*\xa65f\xa9\x15\xcd|O\xa1\xf4,D@\xb2D1\xd4\x1c#
This IP tried the following hack attempt at my server: 169.229.3.91 - - [18/Feb/2016:14:03:27 +0200] "\xD1p\xB9\x8D.\x8FFr\xE1r\x1B\xA32\xDDf\xAF\x85\xA6'Dld\xD1\xEDi(\x93\xDE\x9FDeZ\xECryO>3AS\xBB\x19\xD7;\xB9k\x0C\xA0D\xBEN\xCB\x87+\xDC\x95(\xA6\xA7 \x8EEg&\xC2" 400 172 "-" "-"
I have blocked this IP, get lost. [Fri Mar 04 11:53:12.205409 2016] [core:error] [pid 1263] [client 169.229.3.91:37088] AH00135: Invalid method in request \xc6^
Snort detects "http_inspect: UNESCAPED SPACE IN HTTP URI" coming from this IP address.
Strange request from [core:error] [pid 1485] [client 169.229.3.91:58357] AH00126: Invalid URI in request \xc1\xddd\xf3\x86e\xa3\xc5\xe1.\xde\xf2>"\x9b\x0c\x8e|O\x9c\x01wYg\xc0)\xe8\x9c\x8dA\xa7M\xbb\xc9\xe6\x83\x82F\xdf'M=8\xae\xbaP\xb1\xff\xcfB\x12\xb5\xd6\xea\x11\x9afM\x14&
This showed up in my Apache error log... [Mon Mar 21 06:33:57 2016] [error] [client 169.229.3.91] Invalid URI in request P\x89*\x1d]\xfe\x9e\xe0"\x1f\xc4\xec\xafv\xd5\xe211\xa9\xa7\xcc\xb9?\xd7\xddI\xe9~w\xd2m-\x12U:\xa0_j&\t\xf1\xf2@\xd4"\xbb\xbcS\xdf\x9cp\xd8,<:M\x8d\bCI\x01
169.229.3.91 05 May 2016 Q\x12,\xa4\xfe\x0c\xa3\x11\xd6T*\xe3\xae\xed\xd3
169.229.3.91 06 May 2016 \x85~=\x0cz\x81\xc2\xf3\xfdz\x18
169.229.3.91 10 May 2016 v\xee\xc7\xee\x89\x118\x11\xdc\x8f\xdd\xedXR"\xa7\x7f\xf9I\x1a/\x9a\x12\x9bC\xe8\xca\xf1X\x83\x9f\xcc\xed5i6n\xbb\xac\x12\x85U4q\x91\x80\xa0qR\x1f?kmQ\xbeL\x88(\x14c\xa4
169.229.3.91 24 May 2016 \x8es\x12\xafq\x8c\xedP\xe7$^\x1d?,\x1b\xe1\xd8\x92\x98\x93\x05\x1e~\x0c\xa9K\xdf\xf7^\xc0
169.229.3.91 25 Apr 2016 H\xa1;
169.229.3.91 25 May 2016 \x02\x05H6\x8d\xce6f\xc9\x16\xefu\xfd\xfa\xb7\xc9c\xac\xb8V\xc4\xb9
169.229.3.91 30 Apr 2016 \x99s\xb1\xb6f\x8cNI\xe7bm3\x92\x87\xee%wa\xfa
access log: 169.229.3.91 - - [10/Jul/2016:07:04:47 -0500] "'\xf6\xd7\xcf\xd8\t(0\xec\xaf\x9fO\xdf@\xabV\xe6\xacp$J\xaa\xf8\\\x867\xf1\x1eOyd\xf7/\x16\x86\xd6\xf0\xb0\x8f\x06j\x88\xccuT\\\xdeN" 400 314 "-" "-" error log: [Sun Jul 10 07:04:47 2016] [error] [client 169.229.3.91] Invalid URI in request '\xf6\xd7\xcf\xd8\t(0\xec\xaf\x9fO\xdf@\xabV\xe6\xacp$J\xaa\xf8\\\x867\xf1\x1eOyd\xf7/\x16\x86\xd6\xf0\xb0\x8f\x06j\x88\xccuT\\\xdeN
This IP, 169.229.3.91, was hitting all of my system's open ports. It was a hacking attempt.
Found this in my Nginx access.log few hours after creating a DynDNS hostname : 169.229.3.91 - - [10/Nov/2016:11:25:52 +0000] "\xDD\xB63t\x22I\xCC\x8Bmg\xE8\xBA+\xBD\xAF\x9D\x93\x0F%\xF8{\x8D\xD5P\xC0\xE7KYSR\xE8/o\xFB\x07\xD1\xEB\x83\xEF\xDF]\xA4J\xBE\xCC\x1F9c\x1E\x93B\x5C1\xA5\xDAl4\xB5\x8D\xD4\xA4\xF0\xEC\xAE" 400 166 "-" "-"
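Several of the reports above quote Apache (AH00126 / AH00135) and Nginx lines in which the request field is a run of \xHH escapes. As an added example, not part of any report on this page, the script below decodes those escapes back to the raw bytes, pulls the client IP out of the three log formats shown (Apache 2.2 and 2.4 error log, combined-format access log), and sorts each payload into a coarse class: an HTTP method, a TLS handshake record (HTTPS sent to a plaintext port, a common benign cause of exactly these Apache errors), an SSH banner, printable junk, or arbitrary binary. The sample lines are the ones quoted above plus one constructed TLS ClientHello line from a TEST-NET address (203.0.113.5) that does not appear on the page; the class names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Sample lines for this example: six quoted from the reports above, plus one
# CONSTRUCTED Apache error line carrying a TLS ClientHello from a TEST-NET
# address (203.0.113.5). Nothing here is new data about the reported IP.
SAMPLE_LINES = [
    r'[Thu Feb 04 08:29:16.888853 2016] [core:error] [pid 14051] [client 169.229.3.91:52806] AH00135: Invalid method in request n\x9fB\xb5\x91`\xbdJ>\x85j\xdd\xbf\xf5\xa7w\x15h\xef\xa6\xe0\xaf*\xa65f\xa9\x15\xcd|O\xa1\xf4,D@\xb2D1\xd4\x1c#',
    r'[Fri Mar 04 11:53:12.205409 2016] [core:error] [pid 1263] [client 169.229.3.91:37088] AH00135: Invalid method in request \xc6^',
    r'[Mon Mar 21 06:33:57 2016] [error] [client 169.229.3.91] Invalid URI in request P\x89*\x1d]\xfe\x9e\xe0"\x1f\xc4\xec\xafv\xd5\xe211\xa9\xa7\xcc\xb9?\xd7\xddI\xe9~w\xd2m-\x12U:\xa0_j&\t\xf1\xf2@\xd4"\xbb\xbcS\xdf\x9cp\xd8,<:M\x8d\bCI\x01',
    r'''169.229.3.91 - - [10/Jul/2016:07:04:47 -0500] "'\xf6\xd7\xcf\xd8\t(0\xec\xaf\x9fO\xdf@\xabV\xe6\xacp$J\xaa\xf8\\\x867\xf1\x1eOyd\xf7/\x16\x86\xd6\xf0\xb0\x8f\x06j\x88\xccuT\\\xdeN" 400 314 "-" "-"''',
    r'''169.229.3.91 - - [18/Feb/2016:14:03:27 +0200] "\xD1p\xB9\x8D.\x8FFr\xE1r\x1B\xA32\xDDf\xAF\x85\xA6'Dld\xD1\xEDi(\x93\xDE\x9FDeZ\xECryO>3AS\xBB\x19\xD7;\xB9k\x0C\xA0D\xBEN\xCB\x87+\xDC\x95(\xA6\xA7 \x8EEg&\xC2" 400 172 "-" "-"''',
    r'169.229.3.91 - - [10/Nov/2016:11:25:52 +0000] "\xDD\xB63t\x22I\xCC\x8Bmg\xE8\xBA+\xBD\xAF\x9D\x93\x0F%\xF8{\x8D\xD5P\xC0\xE7KYSR\xE8/o\xFB\x07\xD1\xEB\x83\xEF\xDF]\xA4J\xBE\xCC\x1F9c\x1E\x93B\x5C1\xA5\xDAl4\xB5\x8D\xD4\xA4\xF0\xEC\xAE" 400 166 "-" "-"',
    # Constructed: TLS record header 16 03 01 followed by a ClientHello prefix.
    r'[Thu Feb 04 08:30:00.000000 2016] [core:error] [pid 14051] [client 203.0.113.5:4242] AH00135: Invalid method in request \x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03',
]

# Apache writes C-style escapes such as \t, \b and \\ (all visible in the lines
# above) plus \xHH for other non-printables; Nginx writes \xHH for everything,
# e.g. \x22 for '"' and \x5C for '\'. One regex covers both dialects.
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{2}|[ntrvbf"\\])')
_SIMPLE = {'n': 0x0A, 't': 0x09, 'r': 0x0D, 'v': 0x0B,
           'b': 0x08, 'f': 0x0C, '"': 0x22, '\\': 0x5C}


def unescape_log_bytes(field: str) -> bytes:
    """Turn an escaped log field back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc[0] == 'x' else _SIMPLE[esc])
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


# Apache 2.2 logs "[client IP]", 2.4 logs "[client IP:PORT]" and prefixes an AHnnnnn code.
# IPv4 only, which is all the quoted lines contain.
_ERROR_RE = re.compile(
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] '
    r'(?:AH\d{5}: )?Invalid (?:method|URI) in request (?P<req>.*)$')
# Combined access-log format (Apache and Nginx): IP ident user [date] "request" status ...
_ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*?)" \d{3} ')


def parse_line(line: str):
    """Return (client_ip, raw_request_bytes), or None for lines this example does not handle."""
    m = _ERROR_RE.search(line) or _ACCESS_RE.match(line)
    if not m:
        return None
    return m.group('ip'), unescape_log_bytes(m.group('req'))


_HTTP_METHODS = (b'GET ', b'HEAD ', b'POST ', b'PUT ', b'DELETE ', b'OPTIONS ',
                 b'PATCH ', b'CONNECT ', b'TRACE ', b'PRI ')


def classify_probe(payload: bytes) -> str:
    """Coarse label for a payload that reached an HTTP listener."""
    if payload.startswith(_HTTP_METHODS):
        return 'http'
    # TLS record: content type 22 (handshake), version 3.x: HTTPS sent to a plaintext port.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return 'tls-handshake'
    if payload.startswith(b'SSH-'):
        return 'ssh-banner'
    if all(0x20 <= b < 0x7F for b in payload):
        return 'printable-non-http'
    return 'binary'


def summarize(lines):
    """Count probe classes per client IP: {ip: Counter({label: n})}."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ip, payload = rec
            per_ip[ip][classify_probe(payload)] += 1
    return per_ip


if __name__ == '__main__':
    for ip, counts in summarize(SAMPLE_LINES).items():
        print(ip, dict(counts))
```

Run as-is it prints 169.229.3.91 {'binary': 6} and 203.0.113.5 {'tls-handshake': 1}: none of the quoted payloads starts with a TLS record header, an HTTP method or an SSH banner, so the misdirected-HTTPS explanation does not fit them. The decoder is the part worth keeping: a bare `\x16\x03` in a log line is a TLS handshake, not an attack, and filtering those out first keeps the rest of the "Invalid method" noise meaningful.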
DNSBL* - a DNS-based Blackhole List is a list of IP addresses published through the Internet Domain Name Service (DNS), either as a zone file that DNS server software can load or as a live DNS zone that can be queried in real time. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages sent from a site listed on one or more such lists.
WHOIS** - a query/response protocol widely used to query databases that record the registrant or assignee of Internet resources such as a domain name, an IP address block, or an autonomous system number. WHOIS lookups were traditionally performed with a command-line client, and network administrators predominantly still use this method, but many simplified web-based tools exist. WHOIS is carried over the Transmission Control Protocol (TCP); servers listen for requests on well-known port 43.
** Approximate Geographic Location - This is NOT the exact geographical location of the person or organization using the given IP address, but it should still give a good idea of the area/region where that person or organization is located.
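The DNSBL note above describes a list that is queried live through DNS. As an added example, not taken from this page or from any DNSBL operator, the Python below performs that query the way clients do by convention (RFC 5782): the address is reversed, IPv4 by octet and IPv6 by nibble, and looked up under the zone; an A record in 127.0.0.0/8 means "listed", with the last octet's meaning defined by the particular list. The resolver is passed in as a function so the demo runs offline against a constructed zone; the zone name dnsbl.example, the TEST-NET addresses and the zone contents are assumptions of the example. It also includes the sanity check a practitioner should run before trusting a zone: the mandatory test entry 127.0.0.2 must be listed and 127.0.0.1 must not be.

```python
import ipaddress
import socket

# Hypothetical zone for the offline demo. Real lists have their own terms of
# use and their own return-code meanings.
EXAMPLE_ZONE = 'dnsbl.example'


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNS name to look up for `ip` under `zone` (RFC 5782 convention):
    IPv4 octets reversed, IPv6 expanded to 32 hex nibbles and reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split('.')[::-1]
    else:
        labels = list(addr.exploded.replace(':', ''))[::-1]
    return '.'.join(labels) + '.' + zone.rstrip('.') + '.'


def dnsbl_lookup(ip: str, zone: str, resolve) -> list[str]:
    """Return the 127.0.0.0/8 return codes for `ip`, or [] when not listed.

    `resolve(name)` returns the A records for `name` ([] on NXDOMAIN).
    Answers outside 127.0.0.0/8 are discarded on purpose: a resolver that
    rewrites NXDOMAIN (ISP "search assist", captive portal) would otherwise
    make every address look listed."""
    loopback = ipaddress.ip_network('127.0.0.0/8')
    return [a for a in resolve(dnsbl_query_name(ip, zone))
            if ipaddress.ip_address(a) in loopback]


def zone_is_sane(zone: str, resolve) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A zone failing this is dead, wildcarded or hijacked; do not act on its answers."""
    return (bool(dnsbl_lookup('127.0.0.2', zone, resolve))
            and not dnsbl_lookup('127.0.0.1', zone, resolve))


def system_resolve(name: str) -> list[str]:
    """Live resolver via the OS stub resolver; not used by the offline demo below."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed zone contents: the mandatory test entry plus one listed TEST-NET address.
FAKE_ZONE_DATA = {
    dnsbl_query_name('127.0.0.2', EXAMPLE_ZONE): ['127.0.0.2'],
    dnsbl_query_name('198.51.100.7', EXAMPLE_ZONE): ['127.0.0.2', '127.0.0.4'],
}


def fake_resolve(name: str) -> list[str]:
    """Offline stand-in for system_resolve, answering only from FAKE_ZONE_DATA."""
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == '__main__':
    print('zone sane:', zone_is_sane(EXAMPLE_ZONE, fake_resolve))
    print('198.51.100.7:', dnsbl_lookup('198.51.100.7', EXAMPLE_ZONE, fake_resolve))
    print('198.51.100.8:', dnsbl_lookup('198.51.100.8', EXAMPLE_ZONE, fake_resolve))
```

To query a real list, pass `system_resolve` instead of `fake_resolve` and run `zone_is_sane` first; the 127.0.0.0/8 filter is what protects a mail server or firewall rule from treating a hijacked NXDOMAIN as a listing.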