Hacking attempts detected in access log - need help decrypting

I've noticed nmap scripting hacking attempts in my access log, and I was curious if anyone knows how to identify what these actually mean. After doing some research, all I could come up with was that \x16\x03\x01 is targeting a TLS port, which is understandable, but is there any way to find out the rest of it and what it's trying to do?

This is nothing major, I just want to satisfy my curiosity. If there's some sort of online decoder that I can plop this into and get an explanation of what it's doing exactly, that would be awesome.

Thanks, and here's the attack:

"\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x11\xC0\xB2*\xEFvi\xFF%:\xE8\xAF\x07X\xBB\xCC\xD0Z\xBCU(\x7F\xCFq\x99Qm\xDFi\x16T\x00\x00$\x13\x01\x13\x03\x13\x02\xC0+\xC0/\xCC\xA9\xCC\xA8\xC0,\xC00\xC0"
"\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x8D\x85\xB1\x17XI\xAC\x0F\x962[W\x7FT\x8B~w\x80i3\x16\x10\xE4o\xF0\xE9\x87\x98\xBC\xB2.\xB5\x00\x00$\x13\x01\x13\x03\x13\x02\xC0+\xC0/\xCC\xA9\xCC\xA8\xC0,\xC00\xC0"
"\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x09si\xB5\x9C\x19\xDD\xF8h\xEA\x9C\x11\x03\xF1u\xB3\x01\xB9"

"\x16\x03\x01\x00\xC6\x01\x00\x00\xC2\x03\x03\x95\x7F\xB8\x9E6\x8B\x16\xB77\x10\xB3\xF7\xDB=\x9Add\x18=\x8Fo\xC2\xDDKlW\xD0\xC3U\x8E\xB6u\x00\x00 \x9A\x9A\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xC6\x01\x00\x00\xC2\x03\x03mv\xF3\xFC\x98&X\xD6\xBC\xDB\xEAy(h\x8AE=hl\x14<|\xE3:_\x1A\x8E\xFA\x83\xA0\x00\x00 jj\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xC6\x01\x00\x00\xC2\x03\x03\xF8\x7F5T\x1B(n\xAC\xEA\xF6\x80i\xAA<\x03\xEDx*\xDFGg\xDF+\xCB3\xD6\xCER\x91Pw\xAC\x00\x00 \xFA\xFA\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xC6\x01\x00\x00\xC2\x03\x03\xCCe\x88K\xFDiG~\xA1\xBED\x5CE\xB0\xF3\xAD\xF2\x8D\x1A\xF1\x95\x03\x1E]\xF7!}\xF7\xF3\xBF\x02\xBF\x00\x00 \xCA\xCA\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xC6\x01\x00\x00\xC2\x03\x03\xCB\xE8\xBF\xE1\x8E\x9D\xC5\x86\xA6\xB4\xB7>)\xCF\xC24\x8B\xC1w\xEC#\x00\xC4"
"\x16\x03\x01\x00\xC6\x01\x00\x00\xC2\x03\x03\x1A\x01\x82\xF2O\xE6\x1Bf\xDDO{\xDD\x81\xEF\xE6I\xD73\x1F\xC1$Um\x9F\xB5\xE7h\xBE\xA6LK\x00\x00 \x1A\x1A\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xCDr\xD6(\xAC\xD0\x9FWk'r\xEC.-\x12\x17\xBDU1\xC7\xA6\x80\x1FvP\xFB\xD7\xBF\xA6L\xD9\x00\x00 \xCA\xCA\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xBF\xD4\xF0g\xD3+\xFC8\xE0\xEC\x1A\xFA\x00\xBE_\xDC\xA6\xEC\xCC\x93\xBE\xD2\xB5\xFC\xA1\x08n\x8CTM\x98\xCC\x00\x00 \xBA\xBA\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03%\x81\xF5\x07PQ,H\xEB\x91\x22~\x9B\x00\x00 JJ\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03[\xEC2\x85O\xA7\xC3\x1D\xC6Q\xD9\x00\xBE$/\xAB5E@\xC8\x07\x1F\xBB;L\x82\xCCO\xDAy\x1B\x00\x00 ZZ\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC5\xAF%\xE6\x90T\x13[_\x1E\x89\xA9\x08\xC0!<\xAC\xDDQv\xD5\xDE\x93\xA5\x0C\x91P\x8C\x80\xD2Xv\x00\x00 \xCA\xCA\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
"\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\x03\xBA\x14\xB0\xDC=\x12(\x9C\xAF\xBFl\x7F\xBFz\xAD9@3\x9E\xFCDk5j\x80\x18n\xEC\xE0\x92O\x00\x00 "

I can try to decode the packets/frames, there are currently a lot of errors in them - these are hex codes and should therefore always have two hexes after each "\x" which is not currently the case. Can you maybe provide a link to the original file?
chesedo 4 months ago
That doesn't look like something caused by nmap... can you post the original log?
slang800 4 months ago
awarded to 5osxcwbf
Tags
security

2 Solutions


Hello

\x16\x03 seems to be the beginning of a TLS handshake, like when you connect to your server using the HTTPS protocol but it's not configured to deal with it.
You can have a look at this thread or this one that seems to be like your case.

Do not hesitate if you have any questions.

Winning solution

The first answer isn't very helpful; it's just reposting the first couple of Google results. Assuming your website is configured normally, something else is going on.

I actually had similar logs a while back; in my case it was an automated scan done by security researchers who were publishing trends on the SSLv3 POODLE vulnerability within OpenSSL.

I will search the article and update this post with an edit so you can hopefully accept my answer and give me the bounty.

Edit: here ya go;

http://www.joshwieder.net/2015/11/an-explanation-of-webserver-logs-that.html
https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

So was the IP in your logs 184.105.139.68?

Basically what you are seeing is binary code for an exploit; the blogger just happened to have had some of the same signatures that both of us have found in our logs. But yeah, basically every time an exploit is compiled the binary signature changes. Just blacklist the IP addresses and make sure you keep the software on your server up to date, and you should be fine.
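Added example, not from the question or either solution: a small Python decoder that reads one of the question's log lines as a TLS record and ClientHello (RFC 5246 layout) and lists the offered cipher suites, flagging RFC 8701 GREASE values. It assumes the log uses Apache's \xHH escaping for non-printable bytes; the sample is the first line of the question's second group copied verbatim, and the suite names are abbreviated from the IANA registry.

```python
import re
import struct

# Abbreviated IANA registry names for the suites seen in the thread; unknown ones print as hex.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0xC02B: "ECDHE_ECDSA_AES_128_GCM_SHA256",
    0xC02F: "ECDHE_RSA_AES_128_GCM_SHA256", 0xC02C: "ECDHE_ECDSA_AES_256_GCM_SHA384",
    0xC030: "ECDHE_RSA_AES_256_GCM_SHA384", 0xCCA9: "ECDHE_ECDSA_CHACHA20_POLY1305",
    0xCCA8: "ECDHE_RSA_CHACHA20_POLY1305", 0xC013: "ECDHE_RSA_AES_128_CBC_SHA",
    0xC014: "ECDHE_RSA_AES_256_CBC_SHA", 0x009C: "RSA_AES_128_GCM_SHA256",
    0x009D: "RSA_AES_256_GCM_SHA384", 0x002F: "RSA_AES_128_CBC_SHA", 0x0035: "RSA_AES_256_CBC_SHA",
}

def unescape_log_bytes(field: str) -> bytes:
    """Apache writes non-printable request bytes as \\xHH; turn the field back into raw bytes."""
    return re.sub(rb"\\x([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), field.encode("latin-1"))

def is_grease(suite: int) -> bool:
    """RFC 8701 GREASE values (0x0A0A, 0x1A1A, ... 0xFAFA) are reserved suites clients add at random."""
    return (suite >> 8) == (suite & 0xFF) and (suite & 0x0F0F) == 0x0A0A

def wire_version(major: int, minor: int) -> str:
    """Map the two wire-version bytes to a name: 3.0 = SSL 3.0, 3.1 = TLS 1.0, 3.3 = TLS 1.2."""
    return "SSL 3.0" if (major, minor) == (3, 0) else "TLS 1.%d" % (minor - 1)

def parse_client_hello(data: bytes) -> dict:
    """Decode record header, handshake header and ClientHello cipher suites (RFC 5246 layout),
    going only as far as the bytes present allow, since logged requests are usually cut short."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    record_len = struct.unpack(">H", data[3:5])[0]
    info = {"record_version": wire_version(data[1], data[2]), "record_len": record_len,
            "handshake_len": int.from_bytes(data[6:9], "big"), "bytes_present": len(data) - 5,
            "client_version": wire_version(data[9], data[10]), "truncated": len(data) - 5 < record_len,
            "suites": [], "grease": []}
    pos = 11 + 32                          # skip the 32-byte client random
    if pos < len(data):
        pos += 1 + data[pos]               # session_id length byte plus the session id
    if pos + 2 > len(data):
        return info
    cs_len = struct.unpack(">H", data[pos:pos + 2])[0]
    pos, avail = pos + 2, len(data) - pos - 2
    for i in range(pos, pos + min(cs_len, avail - avail % 2), 2):   # whole suites only
        suite = struct.unpack(">H", data[i:i + 2])[0]
        info["grease" if is_grease(suite) else "suites"].append(SUITE_NAMES.get(suite, "0x%04X" % suite))
    return info

# Constructed sample: the first line of the second group quoted in the question, copied verbatim.
SAMPLE = r"\x16\x03\x01\x00\xC6\x01\x00\x00\xC2\x03\x03\x95\x7F\xB8\x9E6\x8B\x16\xB77\x10\xB3\xF7\xDB=\x9Add\x18=\x8Fo\xC2\xDDKlW\xD0\xC3U\x8E\xB6u\x00\x00 \x9A\x9A\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00"
```

Calling parse_client_hello(unescape_log_bytes(SAMPLE)) shows the declared record length next to the bytes actually logged, so a line cut short by the logger is reported as truncated rather than misparsed.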
