Strange characters in nginx log starting with \x

Question

I was hacked and checking nginx logs I found several requests like this one:

169.229.3.91 - - [18/Jun/2016:09:42:19 +0000] ")\xE7\xD1?\xD6\x18.\xC0\xCE\xA3\x7FR\xEA~O$\x0BLi\x13\xA0m\xE7\xF0H4\x92\xD6\xBFv\xD2\xDF3\xFCX#T\x0B\xB6\xE4XmU\xEF$\x03\xC9/\xFD\xDEf\x00\x89Prq\x1A\xB5\x13\x0CoGOn" 400 173 "-" "-" `

I suspect of XML-RPC attack generating from my server but I can't confirm it, is there any way to convert that code to human readable text?

Possible duplicate of [Strange code in server access log](https://serverfault.com/questions/480126/strange-code-in-server-access-log) — Flux, Nov 01 '18 at 12:12
Possible duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) — kasperd, Nov 01 '18 at 18:00

score 1 · Accepted Answer · answered Jul 02 '16 at 03:28

No idea about the hack, but to convert the binary you can use printf on the command line, like this:

printf %b ")\xE7\xD1?\xD6\x18.\xC0\xCE\xA3\x7FR\xEA~O$\x0BLi\x13\xA0m\xE7\xF0H4\x92\xD6\xBFv\xD2\xDF3\xFCX#T\x0B\xB6\xE4XmU\xEF$\x03\xC9/\xFD\xDEf\x00\x89Prq\x1A\xB5\x13\x0CoGOn"

It is still unreadable, though.

score 0 · Answer 2 · answered Jul 02 '16 at 03:23

0

Here's a nifty decoder: http://ddecode.com/hexdecoder/

Not an answer... but, are you using a supported OS and is it fully patched?

What are the various addon components, like Java, Nginx, database, etc, and are they fully patched?

What about any other servers you have in the same domain?

answered Jul 02 '16 at 03:23

MikeP

162
7

Is a webapp using nginx as proxy. Every container is isolated, and only exposed port is 80 – IAmJulianAcosta Jul 02 '16 at 03:30

Strange characters in nginx log starting with \x

2 Answers2