What is \x (backslash X)? String encoding?


#1

I have some bad requests (400) in my Apache error logs, from random IP addresses, and all of the time these are unreadable encoded characters starting with \x, but I don’t know what kind of encoding this is. It might be harmless but I want to know what they mean.

What the hell is this?

PS. I meant StRing encoding in the title.

Thanks


#2

I thought sting sounded cooler… :stuck_out_tongue: Anyway corrected the title, and have no idea about the encoding :slight_smile:


#3
Reaper-Media said

I thought sting sounded cooler... :P Anyway corrected the title, and have no idea about the encoding :-)

I’m pretty sure I’ve seen it before. Something that represents the characters on a very low level, like the root of all encodings… Maybe unmapped keys, or hex, or something extreme.


#4

Hex


#5
jwmcpeak said

Hex

And how do I convert it to ‘english’?


#6
Firsh said
jwmcpeak said

Hex

And how do I convert it to ‘english’?

Sorry, I didn’t read the part where you wanted to know what it meant. I imagine the best way is an Apache log reader. There are a ton of those (and I don’t use Apache), so I don’t know what to recommend.


#7
jwmcpeak said
Firsh said
jwmcpeak said

Hex

And how do I convert it to ‘english’?

Sorry, I didn’t read the part where you wanted to know what it meant. I imagine the best way is an Apache log reader. There are a ton of those (and I don’t use Apache), so I don’t know what to recommend.

Well, I have AppServ (a server package for Windows), and I open the read Apache Log. I don’t think there is any more to it than that file. It’s already very verbose, listing every request that has been made. I cropped the screenshot but there is more information at the beginning of the lines, like IP and time stamp. The majority of the requests are in plain English. But these are encrypted or I don’t know.


#8

looks similar to shell code.

I wouldn’t worry, there’s probably some new exploit out for a web server or software, so automated bots are going around testing everyone’s website to see if they can break it.


#9

looks a bit python(ish), no clue what it means though, sorry :frowning:


#10

I’m late to the party, but let’s see if I can help.

The \x**\x** text is ostensibly hex-encoded something. That is, Apache got a sequence of bits which it represents as a series of two-byte (16 bit) codes. If they were all below \x80 it would be ASCII (which it isn’t). If they were all near each other numerically, then it would be some other encoding (which it isn’t). Since those numbers are all over the place, I’m guessing that it is one of two things:

  1. Somebody attacking your server, possibly looking for a buffer overflow.

  2. Somebody hitting an HTTP server with an HTTPS request on the HTTP port. This encrypted stream will not be encoded text and thus will look like random bits.

My guess is for the latter, just from looking at it.

I understand that it is a bit late to help the OP, but I figure if this page is showing up in search results then this answer may help somebody in the future.
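To check the second possibility from post #10 against a log entry, the `\xHH` escapes can be turned back into raw bytes and compared with the start of a TLS record, which begins with the bytes 0x16 0x03. This is an added example, not part of the original thread; the function names are illustrative and the sample fields are constructed.

```python
import re

# Apache log escaping: non-printable bytes become \xHH; a few get C-style escapes.
_ESC = re.compile(rb'\\(x[0-9A-Fa-f]{2}|[\\"bnrtv])')
_SIMPLE = {b'\\': b'\\', b'"': b'"', b'b': b'\b', b'n': b'\n',
           b'r': b'\r', b't': b'\t', b'v': b'\v'}

def unescape_log_bytes(field: str) -> bytes:
    """Recover the raw bytes the client sent from an escaped log field."""
    def repl(m):
        tok = m.group(1)
        return bytes([int(tok[1:], 16)]) if tok[:1] == b'x' else _SIMPLE[tok]
    return _ESC.sub(repl, field.encode('utf-8'))

def classify(raw: bytes) -> str:
    """Rough triage of a request line that Apache rejected with 400."""
    if not raw:
        return 'empty'
    # A TLS record starts with content type 0x16 (handshake) and version 0x03 0x00..0x04.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04:
        # Byte 5 is the handshake message type; 0x01 is ClientHello.
        if len(raw) >= 6 and raw[5] == 0x01:
            return 'tls-client-hello'
        return 'tls-handshake'  # log entry truncated before the message type
    printable = sum(1 for b in raw if 0x20 <= b <= 0x7e or b in (9, 10, 13))
    return 'text' if printable / len(raw) >= 0.9 else 'binary'

# Constructed sample fields (not taken from the thread's screenshot).
SAMPLES = [
    r'\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03',
    r'\x16\x03\x01',
    r'GET /index.php?q=\"test\" HTTP/1.1',
    r'\xa7\x1e\xf3\x88\x02Q\xbc',
]

if __name__ == '__main__':
    for s in SAMPLES:
        raw = unescape_log_bytes(s)
        print(f'{classify(raw):17} {raw.hex(" ")}')
```

A `binary` result only means the bytes are neither text nor a TLS handshake; it does not by itself say what the client was attempting.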


#11

Thank you for your answer! Seems like attacks though, not sure why anyone would request using HTTPS on my server/site. Interesting idea though!


#12

Have you tried PHP online decoders? Might give some answers, maybe http://www.base64decode.org/ ?


#13
Firsh said

Thank you for your answer! Seems like attacks though, not sure why anyone would request using HTTPS on my server/site. Interesting idea though!

I think that there exists a Firefox extension that will try an HTTPS connection before going through HTTP.

greenline said

Have you tried PHP online decoders? Might give some answers, maybe http://www.base64decode.org/ ?

That is certainly not Base64, which is an ASCII encoding. All ASCII characters are below code point 128 (\x80).