LinuxQuestions.org


ukrainet 12-01-2004 02:13 AM

What does it mean "\x80L\x01\x03" 501 in access_log
 
What does it mean "\x80L\x01\x03" 501
"\x80L\x01\x03" 501 "-" "-" in access_log of apache web-server?

TigerOC 12-01-2004 02:17 AM

This is, I think, a Nimda worm active on a M$ box looking to infect any available M$ based server it can find. It has no effect on Linux based systems except to eat up bandwidth. Error 501 means that it is not implementing the instruction. I get one of these every day.

ukrainet 12-01-2004 02:48 AM

What does M$-server mean?
I have Linux8 installed. How do I check whether the bandwidth has been narrowed, and how do I restore it?
Besides that, I found
Thu Nov 25 [192.168.0.9] error invalid metod in request x80L\x01\x03 in error_log of apache
The record was made at the same time as the one in the access_log file. On Mon Nov 29 I found that my web site does not work: the browser shows Internal Server Error. Could the worm have removed any files? Besides that, the following errors and notices are also found in error_log:
cannot remove module mod_userdir.c not found in module list
Apache configured -- resuming normal operations
Accept mutex: sysvsem (Default: sysvsem)

How do I restore the web server and the website?

TigerOC 12-01-2004 03:51 AM

My apologies, it appears that this may be a bug in ssl implementation;

* To: Matthew Wilcox <willy@debian.org>
* Subject: Bug#150719: marked as done (apache-ssl isn't working)
* From: owner@bugs.debian.org (Debian Bug Tracking System)
* Date: Fri, 09 May 2003 06:48:09 -0500
* Cc: Apache maintainers <debian-apache@lists.debian.org>,apache-ssl@packages.qa.debian.org
* In-reply-to: <20030509113420.GP29534@parcelfarce.linux.theplanet.co.uk>
* Message-id: <handler.150719.D150719.10524800646675.ackdone@bugs.debian.org>
* Old-return-path: <debbugs@master.debian.org>
* References: <20030509113420.GP29534@parcelfarce.linux.theplanet.co.uk> <Pine.LNX.4.44.0206221644350.28565-100000@ziedas.ktu.lt>
* Sender: Debian BTS <debbugs@master.debian.org>

Your message dated Fri, 9 May 2003 12:34:20 +0100
with message-id <20030509113420.GP29534@parcelfarce.linux.theplanet.co.uk>
and subject line close
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Jun 2002 14:59:05 +0000
>From mindas@ziedas.ktu.lt Sat Jun 22 09:59:05 2002
Return-path: <mindas@ziedas.ktu.lt>
Received: from ziedas.ktu.lt [193.219.160.136] (postfix)
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 17LmLx-0000wb-00; Sat, 22 Jun 2002 09:59:05 -0500
Received: from localhost (localhost [127.0.0.1])
by ziedas.ktu.lt (Postfix) with ESMTP id 23179104
for <submit@bugs.debian.org>; Sat, 22 Jun 2002 16:59:03 +0200 (EET)
Date: Sat, 22 Jun 2002 16:59:03 +0200 (EET)
From: Mindaugas Zaksauskas <mindas@ziedas.ktu.lt>
To: submit@bugs.debian.org
Subject: apache-ssl isn't working
Message-ID: <Pine.LNX.4.44.0206221644350.28565-100000@ziedas.ktu.lt>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: submit@bugs.debian.org

Package: apache-ssl
Version: 1.3.26.1+1.48-2

It seems, that unstable apache-ssl build isn't working. This is an excerpt
from the logs:

access.log:

ip.ad.dre.ss - - [21/Jun/2002:14:41:12 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:41:18 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:41:25 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:46:49 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:51:39 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:11 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:33 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:34 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:58 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:27:36 +0200] "\x80F\x01\x03\x01" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:39:08 +0200] "\x80F\x01\x03" 501 -

error.log:

[Fri Jun 21 15:38:34 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Fri Jun 21 15:38:37 2002] [error] [client 195.22.190.64] Invalid method in request .F..
[Fri Jun 21 15:39:08 2002] [error] [client 195.22.190.64] Invalid method in request .F..
[Fri Jun 21 15:39:54 2002] [error] [client 195.22.190.64] Invalid method in request .F..

System: Debian Woody (testing), with apache, apache-common and
apache-ssl packages from unstable branch.

I tried to connect via https with Galleon and Netscape 4.7
(https://host.domain.tld). When reverted back to apache 1.3.24-3,
everything went well again.

mindas@delfinas:~$ uname -a
Linux delfinas 2.4.18-pre4 #5 Fri Jan 18 14:55:00 EET 2002 i686 unknown

libc6 version is 2.2.5-6.

Let me know if you need any other info.

--
Mindaugas Zaksauskas

Do a Google search for this error, as there are a number of articles on the subject.
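
Added example, not part of the original thread or any poster's code: the logged request "\x80L\x01\x03" has the layout of an SSLv2-format ClientHello (a two-byte record header with the high bit set, then message type 0x01 and protocol major version 0x03), which is what an HTTPS client sends when the port it reaches answers in plain HTTP, as in the bug report's https test. The Python below finds and decodes such entries in an access_log; recognising the TLS record form "\x16\x03" goes beyond the thread, and the sample lines are constructed (documentation IP addresses) around the request strings quoted above.

```python
import re

# Request line and status as Apache writes them; non-printable request
# bytes appear in access_log as \xHH escapes.
REQ = re.compile(r'"((?:[^"\\]|\\.)*)" (\d{3})')

def unescape(logged):
    """Turn the \\xHH escapes of a logged request back into raw bytes."""
    return re.sub(rb'\\x([0-9a-fA-F]{2})',
                  lambda m: bytes([int(m.group(1), 16)]),
                  logged.encode('latin-1'))

def classify(raw):
    """Return (kind, record_length, version_bytes) or None for normal HTTP."""
    # SSLv2-format record: high bit of byte 0 set, 15-bit length in bytes
    # 0-1, then message type 0x01 (ClientHello) and the offered version.
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        # Assumption: the request is logged as a C string, so a 0x00
        # minor-version byte ends the entry and is simply missing here.
        return ("SSLv2-format ClientHello", length, tuple(raw[3:5]))
    # TLS record: content type 0x16 (handshake), then major version 0x03.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return ("TLS handshake record", None, tuple(raw[1:3]))
    return None

def scan(lines):
    """List (client, status, kind, length, version) for TLS-on-HTTP hits."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue
        found = classify(unescape(m.group(1)))
        if found:
            hits.append((line.split()[0], int(m.group(2))) + found)
    return hits

# Constructed sample lines; the first two requests are the ones quoted
# in the thread, the addresses are documentation placeholders.
SAMPLE = [
    r'192.0.2.10 - - [21/Jun/2002:14:41:12 +0200] "\x80L\x01\x03" 501 -',
    r'192.0.2.10 - - [21/Jun/2002:15:27:36 +0200] "\x80F\x01\x03\x01" 501 -',
    r'192.0.2.11 - - [21/Jun/2002:15:30:00 +0200] "GET / HTTP/1.0" 200 1024',
    r'192.0.2.12 - - [21/Jun/2002:15:31:00 +0200] "\x16\x03\x01" 400 -',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit whose client address is on the local network, as in the thread, points at a browser or monitor using https:// against a plain-HTTP port rather than at a worm.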

ukrainet 12-01-2004 07:25 AM

Can you give me more concrete recommendations on what to do?

TigerOC 12-01-2004 07:58 AM

It appears that this has something to do with ssl and your httpd.conf and perhaps virtual hosting. Could you tell us in more detail about when and how this is happening?

ukrainet 12-01-2004 08:41 AM

I have worked as the system administrator at a firm for 2 months. The firm has a website on the Internet, www.credo-capital.com. It runs under Apache, which is installed on Linux9 (kernel 2.4). All this time the site worked normally. But on Monday, November 29, when I tried to load the site in a web browser (Opera 7.54) on a workstation in the local network, I received an Internal Server Error on the screen.
I tried to restart the computer and the httpd service (/etc/rc.d/init.d/httpd graceful). But it did not help.
I looked at the log files and found something:
/usr/local/apache/logs/access_log
192.168.0.9 - - 25 Nov 17:16 "\x80L\x01\x03" 501
192.168.0.9 - - 25 Nov 17:16 "\x80L\x01\x03" 501 "-" "-"
/usr/local/apache/logs/error_log
Thu Nov 25 [192.168.0.9] error invalid metod in request x80L\x01\x03
cannot remove module mod_userdir.c not found in module list
Apache configured - resuming normal operations
Accept mutex: sysvsem (Default: sysvsem)
192.168.0.9 is an IP address in the LAN
/var/www/sites/credo-capital.com/logs/error_log
Mon Nov 29 09:50 2004 [error] [client 207.46.98.75] File does not exist:/var/www/sites/...
Mon Nov 29 09:50 2004 [error] mod_ruby: error in ruby
/var/www/sites/... 'connect': could not connect to server: connection refused (SQL::ConnError)
Is the server running on host localhost and accepting TCP/IP connection on port 5432?

There are 3 sites in /var/www/sites/: credo-capital.com, mail.credo-capital.com, tc.credo-capital.com. tc.credo-capital.com works quite well.

My friend (a sysadmin too) advised me to start postgresql, based on what is in /var/www/sites/credo-capital.com/logs/error_log

I tried to start
/etc/rc.d/init.d/postgresql start
But I received
Checking postgresql installation: starting postgresql service: FindExec: invalid binary "/usr/bin/postgres"
Fatal 1:/usr/bin/postmaster: could not locate executable, bailing out... failed

TigerOC 12-01-2004 09:57 AM

I think you must start a thorough investigation and see if you have been broken into. Here is a report of a similar instance in July 2004. You need to check your auth.log and syslog and see if there are any strange entries there. There are a number of threads on what to do if this has occurred in the security section of LQ. Basically, if you find that someone has gained entry (perhaps through a php script), you are going to have to take the server down and do a clean re-install. From the reports you are getting with the processes you have tried, things don't look too good.

