
I have an nginx server running an instance of an Express/Node.js server.

I was going through the logs to see what was being requested, and I noticed a few normal attempts for common flaws in things like WordPress, but what has me concerned is:

66.249.79.129 - - [17/Aug/2018:02:54:32 +0000] "GET / HTTP/1.1" 200 209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.158 - - [17/Aug/2018:02:54:36 +0000] "GET /stylesheets/style.css HTTP/1.1" 200 111 "https://www.fullstackking.com/" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36"
108.178.16.154 - - [17/Aug/2018:03:17:27 +0000] "\x09\x00\x8B\x00\xFE\x00\xFC\x00\xD9\x00\xD9\x00\xF3\x00z\x00j\x00\x17\x00\xFB\x00\x8B\x00\x8E\x00\xF3\x00\xF3\x00\xFE\x00\xEC\x00j\x00\xA7\x00\x8E\x00\x8B\x00H\x00\xEC\x00\xFB\x00z\x00H\x00\x8E\x00\xEC\x00\x8E\x00\xFB\x00\xF3\x00\xF3\x00\x8B\x00\xF3\x00\x8B\x00\xEC\x00\xC5\x00\xFE\x00\xA7\x00\xA7\x00\x09\x00\x09\x00\x09\x00\xA7\x00\xFE\x00j\x00\xC5\x00\xD9\x00\xFB\x00\xB0\x00\x8B\x00j\x00\xEC\x00\x17\x00\xFC\x00j\x00\x09\x00H\x00\xFC\x00\xB0\x00j\x00\x8E\x00\xF3\x00\x8E\x00\xA7\x00\xEC\x00\xFC\x00z\x00\x09\x00\xD9\x00\xF3\x00\xFB\x00\xB0\x00\x8B\x00\xEC\x00\x8E\x00\x17\x00\xD9\x00\xC5\x00\x8B\x00\x8B\x00\xFB\x00\xB0\x00\xF3\x00\x8B\x00\x8E\x00\xD9\x00z\x00H\x00\xFB\x00\xFE\x00\x17\x00\xC5\x00\x8E\x00z\x00\xB0\x00\xA7\x00\xA7\x00\xFB\x00\xB0\x00\x8E\x00\xC5\x00\xB0\x00H\x00\x17\x00\xC5\x00\x8B\x00j\x00\x8E\x00\xEC\x00\xF3\x00\xFE\x00\xD9\x00\xF3\x00\xA7\x00j\x00\xEC\x00\xA7\x00\xB0\x00\x17\x00\xFC\x00H\x00H\x00\x09\x00\x09\x00\x09\x00H\x00\x8E\x00\xCE\x00" 400 182 "-" "-"

I included the first two to show what normal requests should look like, but the last request is from an IP in the US that has a rating of 100% abuse on this website:

https://www.abuseipdb.com/check/108.178.16.154

What is it trying to do with that series of hex?

David Kamer
  • This might help https://serverfault.com/questions/480126/strange-code-in-server-access-log – pm1391 Aug 17 '18 at 04:10
  • Probably someone running a vulnerability scanner. They're not targeting you specifically. You may note that your server returned a 400 error code ("Bad Request") which is exactly what it should do. – user253751 Aug 17 '18 at 06:48

1 Answer


It looks like it's someone scanning your server for vulnerabilities. Most likely a bot of some sort. I don't think it's something to worry about, because as @immibis commented, your server is doing exactly what it should do when it receives a request like this.

Public facing IPs are pretty consistently scanned for ways to get in, mostly by bots.

RocketSEA
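As an added example (not code from the question or the answer), here is a small Python checker that parses nginx lines in the default "combined" format shown above, flags entries whose request field is not an HTTP request line, carries nginx's `\xHH` escapes, or drew a 400, and recovers the raw bytes the client sent so such probes can be counted per source rather than read one at a time. The sample log is constructed from the question's lines, with the long raw-bytes request shortened.

```python
import re
from collections import defaultdict

# Constructed sample in nginx's "combined" format, modelled on the question's
# lines (the raw-bytes request line is truncated here).
SAMPLE_LOG = r'''66.249.79.129 - - [17/Aug/2018:02:54:32 +0000] "GET / HTTP/1.1" 200 209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.158 - - [17/Aug/2018:02:54:36 +0000] "GET /stylesheets/style.css HTTP/1.1" 200 111 "https://www.fullstackking.com/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
108.178.16.154 - - [17/Aug/2018:03:17:27 +0000] "\x09\x00\x8B\x00\xFE\x00\xFC\x00\xD9\x00\xD9\x00\xF3\x00z\x00j\x00" 400 182 "-" "-"
'''

LOG_RE = re.compile(  # one "combined" line: ip ident user [time] "req" status size "ref" "ua"
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')  # METHOD target HTTP/x.y
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')  # nginx's escape for raw bytes

def parse_line(line):
    """Fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def unescape_request(request):
    """Recover the bytes the client actually sent from nginx's \\xHH escapes."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(request):
        out += request[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1), 16))
        pos = m.end()
    return bytes(out + request[pos:].encode('latin-1'))

def classify(entry):
    """Reasons a parsed entry looks like non-HTTP or probing traffic."""
    reasons = []
    if not REQUEST_RE.match(entry['request']):
        reasons.append('malformed-request-line')
    if ESCAPE_RE.search(entry['request']):
        reasons.append('escaped-bytes')
    if entry['status'] == '400':
        reasons.append('bad-request-status')
    return reasons

def suspicious_clients(log_text):
    """Map client IP -> set of reasons, for lines that triggered any reason."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        for reason in classify(entry) if entry else ():
            result[entry['ip']].add(reason)
    return dict(result)
```

Run over the full access log, `suspicious_clients` gives a per-source tally that is easier to review than the raw lines, and `unescape_request` lets you inspect the decoded bytes of any one probe.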