I was hacked, and while checking the nginx logs I found several requests like this one:
```
169.229.3.91 - - [18/Jun/2016:09:42:19 +0000] ")\xE7\xD1?\xD6\x18.\xC0\xCE\xA3\x7FR\xEA~O$\x0BLi\x13\xA0m\xE7\xF0H4\x92\xD6\xBFv\xD2\xDF3\xFCX#T\x0B\xB6\xE4XmU\xEF$\x03\xC9/\xFD\xDEf\x00\x89Prq\x1A\xB5\x13\x0CoGOn" 400 173 "-" "-"
```
I suspect an XML-RPC attack being generated from my server, but I can't confirm it. Is there any way to convert that code to human-readable text?
No idea about the hack, but to convert the binary you can use `printf` on the command line, like this:

It is still unreadable, though.
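As an added example (not part of the original answers), the same decoding can be done in Python: nginx writes any byte outside printable ASCII, plus `"` and `\`, as `\xHH`, so reversing that yields the raw bytes the client sent. The function names are illustrative, and the sample is the request field copied from the log line in the question.

```python
import re

# Request field (the text between the first pair of quotes) from the log line above.
SAMPLE = (
    r")\xE7\xD1?\xD6\x18.\xC0\xCE\xA3\x7FR\xEA~O$\x0BLi\x13\xA0m\xE7\xF0H4"
    r"\x92\xD6\xBFv\xD2\xDF3\xFCX#T\x0B\xB6\xE4XmU\xEF$\x03\xC9/\xFD\xDEf"
    r"\x00\x89Prq\x1A\xB5\x13\x0CoGOn"
)

ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def decode_nginx(field: str) -> bytes:
    """Undo nginx access-log escaping: every \\xHH becomes one raw byte."""
    raw = field.encode("latin-1")  # the logged text itself is plain ASCII
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def summarize(field: str) -> dict:
    """Decode a logged request and report whether it resembles HTTP at all."""
    data = decode_nginx(field)
    printable = sum(32 <= b < 127 for b in data)
    return {
        "length": len(data),
        "printable_ratio": round(printable / len(data), 2) if data else 0.0,
        "looks_like_http": data.startswith(HTTP_METHODS),
        "hex": data.hex(" "),
    }


if __name__ == "__main__":
    info = summarize(SAMPLE)
    for key in ("length", "printable_ratio", "looks_like_http"):
        print(f"{key}: {info[key]}")
    print(info["hex"])
```

A low printable ratio and no HTTP method at the start mean the decoded request is raw binary rather than hidden text, which is consistent with the 400 status nginx logged for it.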
Here's a nifty decoder: http://ddecode.com/hexdecoder/
Not an answer... but, are you using a supported OS and is it fully patched?
What are the various addon components, like Java, Nginx, database, etc, and are they fully patched?
What about any other servers you have in the same domain?