3

Can anyone tell me what this means? I'm on Bluehost with a shared server.

[ip]71.63.199.72 [url]HNAP1 [size] 134 [status] 401 [method]GET [protocol] HTTP/1.1 [referring url] My server address

[ip]71.63.199.72 [url]401 [size] 0 [status] 0 [method]\x80w\x01\x03\x01 [protocol] 162 [referring url] none

[ip]141.212.121.10 [url]404 [size] 0 [status] 0 [method]\x16\x03\x01 [protocol] 406 [referring url] none

A hacker has been making my life hell. Any help would be appreciated. How do I stop this? I had to password-protect directories, but I need to take that off and make sure this hacker's requests are not honored. How do I learn about these requests?

Also I have CloudFlare but this guy seems to bypass them. I have no threats in my CloudFlare, but the stuff above shows in my site's 'latest visitor logs'. I'm sure, because of my primitive knowledge, there's something I'm missing.

Any advice appreciated.

TildalWave
sofia
  • The attacker probably got your server's IP address before you started using CloudFlare, or he found it just via random scanning (likely not targeting you specifically). If all connections should be coming from CloudFlare (I'm not 100% sure if they should), then you could use your firewall to limit access to the web server to CloudFlare's addresses. – Kitsune Apr 14 '14 at 03:48
  • @TildalWave Actually, no, that isn't a duplicate. http://security.stackexchange.com/questions/40291/strange-requests-to-web-server shows a peculiar pattern of requests, of which the `\x80w\x01\x03\x01` bit is only one of the characteristics. – Gilles 'SO- stop being evil' Jul 13 '14 at 14:32

1 Answer

2

The following is part of SSL's initial handshake. If this was a legitimate request, it is likely they were trying to connect with HTTPS to an HTTP server.

\x80w\x01\x03\x01

The HNAP is Home Network Administration Protocol, as outlined in Terry Chia's answer.

Unless you have reason to believe this person has gained unauthorized access, these things are quite normal to see in logfiles. There are thousands of systems throwing bogus requests at the wall and seeing what sticks. I am not telling you to not worry, but that it is common and not a sole indicator of an intrusion.

David Houde
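
An added example, not part of the original answer: a Python sketch that decodes the `[method]` field of the three log lines from the question and labels each as a TLS/SSL handshake sent to the plain-HTTP port, an HNAP probe, or ordinary HTTP. The function names and labels are assumptions made for illustration; the sample lines are copied from the question with the referring-URL field dropped.

```python
import re

# Log lines copied from the question (referring-url field dropped).
SAMPLE_LOG = [
    r"[ip]71.63.199.72 [url]HNAP1 [size] 134 [status] 401 [method]GET [protocol] HTTP/1.1",
    r"[ip]71.63.199.72 [url]401 [size] 0 [status] 0 [method]\x80w\x01\x03\x01 [protocol] 162",
    r"[ip]141.212.121.10 [url]404 [size] 0 [status] 0 [method]\x16\x03\x01 [protocol] 406",
]

FIELD = re.compile(r"\[(ip|url|method)\]\s*(\S+)")
ESCAPE = re.compile(rb"\\x([0-9a-fA-F]{2})")


def unescape(text):
    """Turn the log's \\xNN escapes back into the raw bytes the client sent."""
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), text.encode("latin-1"))


def classify(line):
    """Label one log line (labels are this example's own, hypothetical names)."""
    fields = dict(FIELD.findall(line))
    raw = unescape(fields.get("method", ""))
    # TLS record header: content type 0x16 (handshake), then version major 0x03.
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        return "tls-handshake-on-http-port"
    # SSLv2-format ClientHello: length with high bit set, message type 0x01,
    # then the version major byte (0x00 for SSL 2.0, 0x03 for SSL 3.0 / TLS).
    if len(raw) >= 4 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] in (0x00, 0x03):
        return "sslv2-clienthello-on-http-port"
    if fields.get("url", "").strip("/").upper().startswith("HNAP1"):
        return "hnap-probe"
    return "ordinary-http"


def triage(lines):
    """Return (ip, label) for every line, so noise can be counted per source."""
    return [(dict(FIELD.findall(l)).get("ip"), classify(l)) for l in lines]


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG):
        print(ip, label)
```
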