Since yesterday, my Apache/PHP server started to log weird messages. Here are excerpts from the logs.
error.log:
[Mon Sep 05 12:37:25 2011] [warn] (OS 64)The specified network name is no longer available. : winnt_accept: Asynchronous AcceptEx failed.
[Mon Sep 05 12:37:25 2011] [error] [client 77.85.194.198] Invalid URI in request \xec\x18\rN\x03.\xe7\x8c\xe46Cg\x85\x1a\xab\xca
[Mon Sep 05 12:43:37 2011] [warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.
access.log:
178.37.24.223 - - [05/Sep/2011:12:36:41 +0200] "\xe80'y\xecT\xe5\xb7+\xba\x94\x92\xe4\xe4\xd6\x01Q\"\xe9p\x94\xe3" 200 2977 "-" "-"
77.85.194.198 - - [05/Sep/2011:12:37:25 +0200] "\xec\x18\rN\x03.\xe7\x8c\xe46Cg\x85\x1a\xab\xca" 400 226 "-" "-"
213.87.136.107 - - [05/Sep/2011:12:38:09 +0200] ">R1\x83\xa6\xf5\"\xd3\xe6\x85" 200 2977 "-" "-"
68.10.170.135 - - [05/Sep/2011:12:39:23 +0200] "-" 408 - "-" "-"
89.137.238.149 - - [05/Sep/2011:12:39:46 +0200] "-" 408 - "-" "-"
81.85.202.246 - - [05/Sep/2011:12:41:06 +0200] "-" 408 - "-" "-"
184.164.16.92 - - [05/Sep/2011:12:43:10 +0200] "\x02\xe0\x9fQ\xa1\x89s\x8d\x04\x1f\xb3o\xbc2I\xc4\x1f`>\xfd\x8b&Z\xae\xc0>" 200 2977 "-" "-"
208.54.44.237 - - [05/Sep/2011:12:44:39 +0200] "Zv\xa2\x05\xda\xc9\xe3\x17\xff\x18\xea\xd0}s\x88\xb8\xd3\xf6a\xee\xd6\xad\xf7\x8f|yoU+'\x9c\xea\xb4V_\xc8\x1b" 200 2977 "-" "-"
41.78.80.112 - - [05/Sep/2011:12:44:48 +0200] "\xc9\xbf\xc3!{hv:\x84\x83\x03\xeb\x1d\xd0,\xb5" 200 2977 "-" "-"
This is only a development server, but I have allowed all access in the .htaccess file, so I don't know what is going on. Any idea?
As long as you keep your Apache patched, there won't be a problem. These are known exploits that hackers (usually through a botnet) are trying on every IP on port 80. It isn't specifically aimed at your server, more a 'fire at will' attack, hoping someone runs an older version of Apache which is known to be vulnerable to such attacks.
It seems bots are trying known vulnerabilities/exploits on your development server to find any vulnerability.
You can ignore them if you wish, but in my opinion, the right move is blocking those IPs or restricting access to your development server.
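As an added example (not part of the original question or answers), this Python script separates the non-HTTP request lines in an access.log like the one above from normal requests and lists the clients whose junk input still received a 200. The function names and the last sample line (192.0.2.10) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first four lines are copied from the access.log
# excerpt above; the last line is a made-up normal request for contrast.
SAMPLE = r'''178.37.24.223 - - [05/Sep/2011:12:36:41 +0200] "\xe80'y\xecT\xe5\xb7+\xba\x94\x92\xe4\xe4\xd6\x01Q\"\xe9p\x94\xe3" 200 2977 "-" "-"
77.85.194.198 - - [05/Sep/2011:12:37:25 +0200] "\xec\x18\rN\x03.\xe7\x8c\xe46Cg\x85\x1a\xab\xca" 400 226 "-" "-"
213.87.136.107 - - [05/Sep/2011:12:38:09 +0200] ">R1\x83\xa6\xf5\"\xd3\xe6\x85" 200 2977 "-" "-"
68.10.170.135 - - [05/Sep/2011:12:39:23 +0200] "-" 408 - "-" "-"
192.0.2.10 - - [05/Sep/2011:12:40:00 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "-"
'''

# host ident user [time] "request" status ...; the request field may hold
# backslash escapes (\xhh, \") that Apache writes for unprintable bytes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
# Well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

def classify(request):
    """Label a logged request line as 'http', 'empty' or 'non-http'."""
    if request == "-":
        return "empty"  # no request line was logged for this connection
    return "http" if REQUEST_RE.match(request) else "non-http"

def scan(log_text):
    """Return (client, kind, status) for every line that is not plain HTTP."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        kind = classify(request)
        if kind != "http":
            findings.append((client, kind, status))
    return findings

def answered_ok(findings):
    """Clients whose non-HTTP input still got a 200, worth a closer look."""
    return sorted({c for c, kind, status in findings
                   if kind == "non-http" and status == 200})

if __name__ == "__main__":
    results = scan(SAMPLE)
    print(Counter((kind, status) for _, kind, status in results))
    print("200 on non-HTTP input:", answered_ok(results))
```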