
I use nginx configured with HTTPS and an unsigned cert to send files to people sometimes. Despite being just an IP address listed nowhere, I get traffic from various crawlers and other bots. The other day I saw the following in the access logs:

```
<ip address> - - [20/Jun/2021:10:42:19 -0400] "Gh0st\xAD\x00\x00\x00\xE0\x00\x00
\x00x\x9CKS``\x98\xC3\xC0\xC0\xC0\x06\xC4\x8C@\xBCQ\x96\x81\x81\x09H\x07\xA7\x16
\x95e&\xA7*\x04$&g+\x182\x94\xF6\xB000\xAC\xA8rc\x00\x01\x11\xA0\x82\x1F\x5C`&
\x83\xC7K7\x86\x19\xE5n\x0C9\x95n\x0C;\x84\x0F3\xAC\xE8sch\xA8^\xCF4'J\x97\xA9
\x82\xE30\xC3\x91h]&\x90\xF8\xCE\x97S\xCBA4L?2=\xE1\xC4\x92\x86\x0B@\xF5`\x0CT\x1F
\xAE\xAF]" 400 173 "-" "-"
```

I can't seem to make sense of the data, but it seems to be some sort of attempt at an injection. Has anyone seen anything like this before?

Yserbius
  • These are not *"backslash encoded data"*; this kind of encoding is simply used to log binary data. The original data don't contain a `\x00`, they contain a binary byte with all bits 0 instead, etc. Apart from that, this is common internet noise. Just search for the string and you'll find [many other occurrences](https://www.google.com/search?q=%22Gh0st%5CxAD%22+http+log). – Steffen Ullrich Jun 21 '21 at 04:24
  • @SteffenUllrich Thank you for your response but it doesn't answer the question. I'm not planning on reporting the site, nor do I care (that much) about the origins. I was simply asking what the attack is trying to accomplish. All I see is binary data in `\x` hex format (whatever that's officially called). What exactly is that data? – Yserbius Jun 21 '21 at 04:43
  • 1
    Based on [this](https://0x00sec.org/t/tyrannosaurus-reproduced-fast-and-died-young-a-malicious-host-ip-c-c-from-china-2016-to-present/6691) this might be Gh0st-RAT command and control traffic. But this is not a malware analysis site, i.e. I don't see analyzing every log message and code here as on-topic. – Steffen Ullrich Jun 21 '21 at 04:51
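As an added example (not code from the question or its comments), the Python below undoes nginx's `\xHH` escaping of the `$request` field and checks the raw bytes for the layout that public Gh0st RAT analyses describe, which is the assumption this example rests on: a 5-byte `Gh0st` magic, a 4-byte little-endian total length and a 4-byte little-endian uncompressed length, then a zlib stream. In the logged request those fields read `\xAD` (173) and `\xE0` (224) and `x\x9C` is the standard zlib header; the log lines, addresses and payload in the code are constructed.

```python
import re
import struct
import zlib

# nginx writes bytes outside printable ASCII, plus '"' and '\', into $request as \xHH (uppercase hex)
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
# combined log format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
GH0ST_MAGIC = b'Gh0st'
HEADER_LEN = 13  # 5-byte magic, 4-byte total length, 4-byte uncompressed length (little-endian)

def unescape_nginx(field):
    """Turn the \\xHH-escaped $request field of an nginx access log back into raw bytes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field).encode('latin-1')

def escape_nginx(raw):
    """Inverse of unescape_nginx; used below only to build a constructed log line."""
    return ''.join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C) else '\\x%02X' % b for b in raw)

def parse_gh0st(data):
    """If data starts with a Gh0st-style header, return (total_len, uncompressed_len, inflated body or None)."""
    if len(data) < HEADER_LEN or not data.startswith(GH0ST_MAGIC):
        return None
    total_len, plain_len = struct.unpack_from('<II', data, len(GH0ST_MAGIC))
    try:
        body = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:  # the logged request is usually cut short; the header alone is still the indicator
        body = None
    return total_len, plain_len, body

def scan_access_log(lines):
    """Yield (client, timestamp, total_len, uncompressed_len) for each request that carries a Gh0st header."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            parsed = parse_gh0st(unescape_nginx(m.group(3)))
            if parsed:
                yield m.group(1), m.group(2), parsed[0], parsed[1]

# Constructed fixture: 224 bytes (0xE0, the uncompressed length seen in the question) in the header layout
PLAINTEXT = bytes(224)
COMPRESSED = zlib.compress(PLAINTEXT)
PACKET = GH0ST_MAGIC + struct.pack('<II', HEADER_LEN + len(COMPRESSED), len(PLAINTEXT)) + COMPRESSED
SAMPLE_LOG = [  # constructed lines using RFC 5737 documentation addresses
    '203.0.113.7 - - [20/Jun/2021:10:41:02 -0400] "GET /files/report.pdf HTTP/1.1" 200 5120 "-" "curl/7.76.1"',
    '198.51.100.9 - - [20/Jun/2021:10:42:19 -0400] "%s" 400 173 "-" "-"' % escape_nginx(PACKET),
]
HITS = list(scan_access_log(SAMPLE_LOG))  # one hit: the second line, reporting 224 as the inflated size
```

On the request from the question, `parse_gh0st` returns the two lengths and `None` for the body, because nginx logged only the start of the zlib stream and inflation fails on a truncated stream.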

0 Answers