# Encrypted characters in Apache httpd-access.log?



## jayrpowell (Oct 4, 2014)

While reviewing the httpd-access.log file, I will occasionally find, in with the various GET and POST requests, what appear to be encrypted request strings. For example, a recent request was simply "\xae\xfe\x1f\xef0..." (and so on). Most of the time I see these simply generate a 404, which I don't worry about. Occasionally, I see these generate a 200 (success), which concerns me as I don't know what it successfully got/posted. Is there a utility (in FreeBSD or on-line) to convert these encrypted characters back to regular ASCII?
Thanks!


----------



## kpa (Oct 5, 2014)

Those are hex-encoded characters encoded with the \xNN escape convention, not encrypted. Encryption would mean that even with the characters decoded to ascii you couldn't distinguish the text from random noise (one of the more formal definitions of encryption btw).

http://en.wikipedia.org/wiki/Escape_character

I can only guess but those requests are probably done with the intention of bypassing input validation in the www server (in one of the applications running on it) and then trying to exploit known security holes.


----------



## jayrpowell (Oct 5, 2014)

Thank you for the clarification on encryption versus encoding. I (mistakenly) used the terms interchangeably, as it appears the objective was to hide the content and meaning from us while inducing Apache and/or associated programs to give up what we don't want them to give up. Yes, I do understand they are two different things.

Still, I've tried some on-line tools to convert what appears to be the (hex) encoded characters, with no success. As I said, I wasn't too worried about such encoded requests producing 404 errors, it's the ones generating the 200 (success), and I don't know what Apache (or associated programs) has successfully served up.


----------



## kpa (Oct 5, 2014)

The ascii codes for the ones that you gave in your first post are as follows:


```
% python2      
Python 2.7.8 (default, Sep 13 2014, 00:05:10) 
[GCC 4.2.1 Compatible FreeBSD Clang 3.4.1 (tags/RELEASE_34/dot1-final 208032)] on freebsd10
Type "help", "copyright", "credits" or "license" for more information.
>>> [ ord(a) for a in "\xae\xfe\x1f\xef" ]
[174, 254, 31, 239]
>>>
```

Of course those mean nothing unless the context where those characters were going to be used in the application inside the web server is known.

Edit: Replaced the code with something more "pythony"  :e


----------
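As an added example (not code from anyone in the thread), this Python 3 script pulls the request field out of access-log lines, turns the logged escapes back into raw bytes, and marks the entries that were answered with a 2xx status. It assumes the common/combined log layout and the escaping described in the mod_log_config documentation (`\xNN` for non-printable bytes, `\"` and `\\` for quote and backslash, C-style `\n`, `\t` and so on for whitespace); the function names and the sample log lines are constructed for the example.

```python
import re

# Common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')
# One logged escape: \xNN, or a backslash followed by any single byte
ESC_RE = re.compile(rb'\\(x[0-9A-Fa-f]{2}|.)', re.S)
C_STYLE = {b'n': b'\n', b't': b'\t', b'r': b'\r', b'b': b'\b', b'v': b'\v'}

def unescape(field):
    """Turn the logged form of a request field back into the raw bytes."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3:                      # xNN -> the byte 0xNN
            return bytes([int(tok[1:], 16)])
        return C_STYLE.get(tok, tok)           # \" and \\ stand for themselves
    return ESC_RE.sub(repl, field.encode('latin-1'))

def has_hex_escape(field):
    """True for real hex escapes only, not for a logged literal backslash."""
    return any(len(t) == 3 for t in ESC_RE.findall(field.encode('latin-1')))

def find_escaped(lines):
    """One record per log line whose request field carries hex escapes."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not has_hex_escape(m.group(3)):
            continue
        raw = unescape(m.group(3))
        hits.append({
            'host': m.group(1),
            'status': int(m.group(4)),
            'hex': ' '.join(f'{b:02x}' for b in raw),
            'text': ''.join(chr(b) if 32 <= b < 127 else '.' for b in raw),
            'review': m.group(4).startswith('2'),   # 2xx: check what was served
        })
    return hits

SAMPLE = [  # constructed log lines, not taken from the thread
    r'192.0.2.10 - - [04/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    r'198.51.100.7 - - [04/Oct/2014:10:00:05 +0000] "\xae\xfe\x1f\xef0" 404 210',
    r'198.51.100.7 - - [04/Oct/2014:10:00:09 +0000] "GET /page?q=\xff\xfe\"x\" HTTP/1.0" 200 312',
]

if __name__ == '__main__':
    for hit in find_escaped(SAMPLE):
        print(hit)
```

To run it over a real log, read the file with `encoding='latin-1'` and pass the lines to `find_escaped`; the `hex` and `text` fields together give a hexdump-style view of what was actually sent.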

