Ncrack attack

Rojer 5 years ago

Hi everyone, I am not sure if it is a server attack, but I am seeing these logs in the wrapper.log file.

Hi Anton,

Someone is hitting the server and these logs are being generated in the wrapper file.
Can you please look through it and tell me?

FINEST|1971/0|Service traccar|19-07-27 13:16:31|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@1c1fd9c4[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:31|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@4e0c249c{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:32|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@461a706d[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:32|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@7007a66{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:32|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@465e1501[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:32|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@2ba0cfb1{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:33|[qtp645875534-20803] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@6dfb2a4e[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>7-13&to=2019-07-2...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:33|[qtp645875534-20803] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@28269c72{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:33|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@595b1ed2[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>P/1.1\r\nAuthorizat...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:33|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@b259de0{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:34|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@33527c16[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>P/1.1\r\nAuthorizat...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:34|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@49de603{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:34|[qtp645875534-21027] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@6dedc871[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:34|[qtp645875534-21027] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@3c02d5aa{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:34|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@619c9ee7[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:34|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@641cd4b{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:35|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@50379ce0[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>P/1.1\r\nAuthorizat...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:35|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@190d3952{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:35|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@69a31dd[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:35|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@1d5ab35f{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:36|[qtp645875534-20813] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@2cb88b11[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>7-27&to=2019-07-2...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:36|[qtp645875534-20813] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@191ee431{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:36|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@461a706d[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:36|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@730abab3{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:38|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@33527c16[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>P/1.1\r\nAuthorizat...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:38|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@302a2a02{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:38|[qtp645875534-21418] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@50379ce0[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>P/1.1\r\nAuthorizat...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:38|[qtp645875534-21418] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@3ee5f50b{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:38|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@592fb884[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>TP/1.1\r\nAuthoriza...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
FINEST|1971/0|Service traccar|19-07-27 13:16:38|[qtp645875534-21360] WARN org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3 for HttpChannelOverHttp@5b6c6ffa{r=0,c=false,a=IDLE,uri=}
FINEST|1971/0|Service traccar|19-07-27 13:16:39|[qtp645875534-21417] WARN org.eclipse.jetty.http.HttpParser - Illegal character 0x3 in state=START for buffer HeapByteBuffer@461a706d[p=1,l=41,c=16384,r=40]={\x03<<<\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie:...h=NCRACK_USER\r\n>>>7-27&to=2019-07-2...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}

Anton Tananaev 5 years ago

It is. You should use something like fail2ban if it continues.

Rojer 5 years ago

Can you tell me what exactly this guy is doing?

webo 5 years ago

There's no IP address in the log, not sure how Fail2Ban will know which host to ban.

genci 5 years ago

You should use fail2ban as a reverse proxy and check the access logs, for example.
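
Added example, not part of the thread and not Traccar or fail2ban code: a sketch of the per-address counting that a ban tool would do on a proxy access log, since wrapper.log carries no client address. It assumes an nginx reverse proxy writing the "combined" log format in front of Traccar; the sample lines are constructed, and `is_probe`, `ban_candidates` and the thresholds are hypothetical names and values modelled on fail2ban's `maxretry`/`findtime` settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" access-log layout (assumed proxy in front of Traccar).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*?)" (?P<status>\d{3}) ')

# Constructed sample data; addresses are documentation ranges.
PROBE = r'"\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00" 400 0 "-" "-"'
SAMPLE = [f'203.0.113.7 - - [27/Jul/2019:13:16:{s} +0000] {PROBE}'
          for s in (31, 32, 32, 33, 34, 35)] + [
    '198.51.100.20 - - [27/Jul/2019:13:16:33 +0000] '
    '"GET /api/session HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    f'192.0.2.9 - - [27/Jul/2019:13:16:36 +0000] {PROBE}',
    # A wrapper.log line in the thread's format: no client address to extract.
    'FINEST|1971/0|Service traccar|19-07-27 13:16:31|[qtp645875534-21417] WARN '
    'org.eclipse.jetty.http.HttpParser - badMessage: 400 Illegal character 0x3',
]

def is_probe(req, status):
    """A rejected request whose first byte is not printable HTTP text
    (logged as a \\xNN escape) or that carries the NCRACK marker."""
    return status == 400 and (req.startswith("\\x") or "NCRACK" in req)

def ban_candidates(lines, maxretry=5, findtime=timedelta(seconds=60)):
    """Return addresses with >= maxretry probes inside a sliding findtime window."""
    hits = defaultdict(deque)
    banned = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_probe(m["req"], int(m["status"])):
            continue  # not an access-log line, or an ordinary request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits older than the window
            window.popleft()
        if len(window) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

if __name__ == "__main__":
    print(ban_candidates(SAMPLE))
```
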