LinuxQuestions.org
Old 12-01-2004, 03:13 AM   #1
ukrainet
Member
 
Registered: Nov 2004
Posts: 108

Rep: Reputation: 15
What does it mean "\x80L\x01\x03" 501 in access_log


What does "\x80L\x01\x03" 501 mean?
"\x80L\x01\x03" 501 "-" "-" in the access_log of the Apache web server?
 
Old 12-01-2004, 03:17 AM   #2
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
This is, I think, a Nimda worm active on a M$ box looking to infect any available M$-based server it can find. It has no effect on Linux-based systems except to eat up bandwidth. Error 501 means that it is not implementing the instruction. I get one of these every day.
 
Old 12-01-2004, 03:48 AM   #3
ukrainet
Member
 
Registered: Nov 2004
Posts: 108

Original Poster
Rep: Reputation: 15
What does M$-server mean?
I have Linux8 installed. How can I check whether the bandwidth was narrowed, and how can I restore it?
Besides that, I have found
Thu Nov 25 [192.168.0.9] error invalid metod in request x80L\x01\x03 in error_log of apache
The record was made at the same time as the one in the access_log file. On Mon Nov 29 I found that my web site does not work: the browser gives Internal Server Error. Could the worm have removed any files? Besides that, the following errors and notices are also found in error_log:
cannot remove module mod_userdir.c not found in module list
Apache configured -- resuming normal operations
Accept mutex: sysvsem (Default: sysvsem)

How can I restore the web server and the website?
 
Old 12-01-2004, 04:51 AM   #4
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
My apologies, it appears that this may be a bug in the SSL implementation:

* To: Matthew Wilcox <willy@debian.org>
* Subject: Bug#150719: marked as done (apache-ssl isn't working)
* From: owner@bugs.debian.org (Debian Bug Tracking System)
* Date: Fri, 09 May 2003 06:48:09 -0500
* Cc: Apache maintainers <debian-apache@lists.debian.org>,apache-ssl@packages.qa.debian.org

Your message dated Fri, 9 May 2003 12:34:20 +0100
with message-id <20030509113420.GP29534@parcelfarce.linux.theplanet.co.uk>
and subject line close
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Sat, 22 Jun 2002 16:59:03 +0200 (EET)
From: Mindaugas Zaksauskas <mindas@ziedas.ktu.lt>
To: submit@bugs.debian.org
Subject: apache-ssl isn't working

Package: apache-ssl
Version: 1.3.26.1+1.48-2

It seems, that unstable apache-ssl build isn't working. This is an excerpt
from the logs:

access.log:

ip.ad.dre.ss - - [21/Jun/2002:14:41:12 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:41:18 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:41:25 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:46:49 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:14:51:39 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:11 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:33 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:34 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:26:58 +0200] "\x80L\x01\x03" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:27:36 +0200] "\x80F\x01\x03\x01" 501 -
ip.ad.dre.ss - - [21/Jun/2002:15:39:08 +0200] "\x80F\x01\x03" 501 -

error.log:

[Fri Jun 21 15:38:34 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Fri Jun 21 15:38:37 2002] [error] [client 195.22.190.64] Invalid method in request .F..
[Fri Jun 21 15:39:08 2002] [error] [client 195.22.190.64] Invalid method in request .F..
[Fri Jun 21 15:39:54 2002] [error] [client 195.22.190.64] Invalid method in request .F..

System: Debian Woody (testing), with apache, apache-common and
apache-ssl packages from unstable branch.

I tried to connect via https with Galleon and Netscape 4.7
(https://host.domain.tld). When reverted back to apache 1.3.24-3,
everything went well again.

mindas@delfinas:~$ uname -a
Linux delfinas 2.4.18-pre4 #5 Fri Jan 18 14:55:00 EET 2002 i686 unknown

libc6 version is 2.2.5-6.

Let me know if you need any other info.

--
Mindaugas Zaksauskas

Do a Google search for this error, as there are a number of articles on the subject.
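Added example, not part of the original thread or of the Debian bug report: a short Python log triage that decodes the escaped request field of Apache access_log lines like those quoted above and labels entries whose first bytes have the layout of an SSL/TLS handshake rather than an HTTP request line. It goes slightly beyond the thread by also recognising the SSLv3/TLS record header (\x16\x03); the function names and the sample lines are constructed for illustration.

```python
import re

# Request field ("...") followed by the status code in an Apache access log line.
LOG_RE = re.compile(r'"(?P<req>(?:[^"\\]|\\.)*)"\s+(?P<status>\d{3})\b')
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(.)')
_SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09}

def unescape(field):
    """Turn Apache's logged escapes (\\xhh, \\n, \\") back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 16) if m.group(1)
                   else _SIMPLE.get(m.group(2), ord(m.group(2)) & 0xFF))
        pos = m.end()
    return bytes(out + field[pos:].encode("latin-1", "replace"))

def classify(raw):
    """Name what the first bytes of a logged request look like."""
    # SSLv2-format ClientHello: 2-byte length with the high bit set,
    # message type 0x01, then the highest version offered (major, minor).
    if len(raw) >= 4 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] in (0x00, 0x03):
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        minor = str(raw[4]) if len(raw) > 4 else "?"  # logged text may be cut short
        return f"sslv2-hello len={length} version={raw[3]}.{minor}"
    # SSLv3/TLS record layer: content type 0x16 (handshake), major version 3.
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        return "tls-handshake-record"
    if re.match(rb"[A-Z]+ ", raw):
        return "http"
    return "other-binary"

def scan(lines):
    """Return (status, verdict) for every logged request that is not HTTP."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            verdict = classify(unescape(m.group("req")))
            if verdict != "http":
                hits.append((m.group("status"), verdict))
    return hits

# Constructed sample: one ordinary request plus two entries in the thread's format.
SAMPLE = [
    r'192.0.2.10 - - [21/Jun/2002:14:40:00 +0200] "GET /index.html HTTP/1.0" 200 1043',
    r'ip.ad.dre.ss - - [21/Jun/2002:14:41:12 +0200] "\x80L\x01\x03" 501 -',
    r'ip.ad.dre.ss - - [21/Jun/2002:15:27:36 +0200] "\x80F\x01\x03\x01" 501 -',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit means an SSL/TLS client connected to a listener that answered as plain HTTP, so the next thing to check is which port and virtual host that client reached and whether SSL is actually enabled there.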
 
Old 12-01-2004, 08:25 AM   #5
ukrainet
Member
 
Registered: Nov 2004
Posts: 108

Original Poster
Rep: Reputation: 15
Can you give me more concrete recommendations what to do?
 
Old 12-01-2004, 08:58 AM   #6
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
It appears that this has something to do with SSL and your httpd.conf and perhaps virtual hosting. Could you tell us in more detail about when and how this is happening?
 
Old 12-01-2004, 09:41 AM   #7
ukrainet
Member
 
Registered: Nov 2004
Posts: 108

Original Poster
Rep: Reputation: 15
I have worked as the system administrator at a firm for 2 months. The firm has a website on the Internet, www.credo-capital.com. It runs under Apache, which is installed on Linux9 (kernel 2.4). All this time the site worked normally. But on Monday, November 29, when I tried to load the site in a web browser (Opera 7.54) on a workstation in the local network, I received an Internal Server Error on the screen.
I tried restarting the computer and the httpd service (/etc/rc.d/init.d/httpd graceful), but it did not help.
I looked at the log files and found something:
/usr/local/apache/logs/access_log
192.168.0.9 - - 25 Nov 17:16 "\x80L\x01\x03" 501
192.168.0.9 - - 25 Nov 17:16 "\x80L\x01\x03" 501 "-" "-"
/usr/local/apache/logs/error_log
Thu Nov 25 [192.168.0.9] error invalid metod in request x80L\x01\x03
cannot remove module mod_userdir.c not found in module list
Apache configured - resuming normal operations
Accept mutex: sysvsem (Default: sysvsem)
192.168.0.9 is an IP address in the LAN
/var/www/sites/credo-capital.com/logs/error_log
Mon Nov 29 09:50 2004 [error] [client 207.46.98.75] File does not exist:/var/www/sites/...
Mon Nov 29 09:50 2004 [error] mod_ruby: error in ruby
/var/www/sites/... 'connect': could not connect to server: connection refused (SQL::ConnError)
Is the server running on host localhost and accepting TCP/IP connection on port 5432?

There are 3 sites in /var/www/sites/: credo-capital.com, mail.credo-capital.com, tc.credo-capital.com. tc.credo-capital.com works quite well.

My friend (a sysadmin too) advised me to start postgresql, based on what was read in /var/www/sites/credo-capital.com/logs/error_log

I tried to start
/etc/rc.d/init.d/postgresql start
But I received
Checking postgresql installation: starting postgresql service: FindExec: invalid binary "/usr/bin/postgres"
Fatal 1:/usr/bin/postmaster: could not locate executable, bailing out... failed
 
Old 12-01-2004, 10:57 AM   #8
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
I think you must start a thorough investigation and see if you have been broken into. Here is a report of a similar instance in July 2004. You need to check your auth.log and syslog and see if there are any strange entries there. There are a number of threads on what to do if this has occurred in the security section of LQ. Basically, if you find that someone has gained entry (perhaps through a PHP script) you are going to have to take the server down and do a clean re-install. From the reports you are getting with the processes you have tried, things don't look too good.

Last edited by TigerOC; 12-01-2004 at 11:00 AM.
 
  

