Bash displaying gibberish after specific incoming request2019 Community Moderator ElectionWhat type of terminal to support if implementing a terminal emulator?Replace log file without affecting “Redirection of stdin and stdout” using nohupSyslog to console, drawbacks?How to examine POST request over HTTPS?loop curl get request bashDisplaying and updating a counter in bashAdding Text After Specific Line of File in Bash Scriptget value after specific wordReplace string after last dot in bashTrace apache server activity for a specific http requestadd a header to incoming http request in a serverDoes Bash imitate Locale-Specific Translation from C?bash curl post request set timeout

Extending the spectral theorem for bounded self adjoint operators to bounded normal operators

Filling the middle of a torus in Tikz

Why has "pence" been used in this sentence, not "pences"?

Offered money to buy a house, seller is asking for more to cover gap between their listing and mortgage owed

Why did the EU agree to delay the Brexit deadline?

Indicating multiple different modes of speech (fantasy language or telepathy)

How much character growth crosses the line into breaking the character

Can I sign legal documents with a smiley face?

Will adding a BY-SA image to a blog post make the entire post BY-SA?

why `nmap 192.168.1.97` returns less services than `nmap 127.0.0.1`?

Should I stop contributing to retirement accounts?

Bob has never been a M before

Journal losing indexing services

Are lightweight LN wallets vulnerable to transaction withholding?

Longest common substring in linear time

Is it possible to have a strip of cold climate in the middle of a planet?

How does the reference system of the Majjhima Nikaya work?

Global amount of publications over time

Has Darkwing Duck ever met Scrooge McDuck?

Does a 'pending' US visa application constitute a denial?

Drawing ramified coverings with tikz

Can I use my Chinese passport to enter China after I acquired another citizenship?

How can Trident be so inexpensive? Will it orbit Triton or just do a (slow) flyby?

Can we have a perfect cadence in a minor key?

Bash displaying gibberish after specific incoming request

2019 Community Moderator ElectionWhat type of terminal to support if implementing a terminal emulator?Replace log file without affecting “Redirection of stdin and stdout” using nohupSyslog to console, drawbacks?How to examine POST request over HTTPS?loop curl get request bashDisplaying and updating a counter in bashAdding Text After Specific Line of File in Bash Scriptget value after specific wordReplace string after last dot in bashTrace apache server activity for a specific http requestadd a header to incoming http request in a serverDoes Bash imitate Locale-Specific Translation from C?bash curl post request set timeout

I set up a new, basic Linux server (CentOS in this case) just for testing purposes. In there, without any firewalls and all that I'm running a Python web application. Basically I type python run.py and have the application on foreground, while the application itself is run on some port like 8080, so in web browser I use I just type my_public_ip_addr:8080 and use it just fine. All this happens over SSH from my laptop.

Now, I left my laptop open for a while, and when I came back, the shell was displaying something like this:

83.20.238.86 - - [13/Mar/2019 08:54:43] "GET / HTTP/1.1" 200 -
87.122.83.97 - - [13/Mar/2019 11:55:30] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] code 400, message Bad request syntax ('x16x03x01x00xfcx01x00x00xf8x03x03(xd3FMxf5x0eLox17xa3|x1f8xca~#x07xc1x1f&&x14x19x11x10:x824xd23nAx00x00x8cxc00xc0,xc02xc0.xc0/xc0+xc01xc0-x00xa5x00xa3x00xa1x00x9fx00xa4x00xa2x00xa0x00x9exc0(xc0$xc0x14xc0')
176.32.33.145 - - [13/Mar/2019 12:08:36] "��(M�L⎺�≠8#�&&:�4┼A��▮�←�2�↓�/�→�1�↑���������(�$��" 4▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "GET / HTTP/1↓1" 2▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] c⎺de 4▮▮← └e⎽⎽▒±e B▒d ⎼e─┤e⎽├ ⎽≤┼├▒│ ('│16│▮3│▮1│▮▮│°c│▮1│▮▮│▮▮│°8│▮3│▮3│92│8e│°7│9e│1▒│▒2│1e│°8│°bb^│1b│d1│▒1│1e│d2│d1^│1e/└│96_(│beU│▮4│8d≥│d7⎻│°e│▮▮│▮▮│8c│c▮▮│c▮←│c▮2│c▮↓│c▮/│c▮→│c▮1│c▮↑│▮▮│▒5│▮▮│▒3│▮▮│▒1│▮▮│9°│▮▮│▒4│▮▮│▒2│▮▮│▒▮│▮▮│9e│c▮(│c▮$│c▮│14│c▮')
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "���������b^[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ^C
[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ┌⎺±⎺┤├
C⎺┼┼ec├☃⎺┼ ├⎺ 1▮4↓248↓36↓8 c┌⎺⎽ed↓
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ ec▒⎺ '▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬'
▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬
▒d▒└@±⎽:·$

You can see 3 last "normal" GET requests to /, but then it begins. I know it can be fixed (link1 or link2) and these were some scanning bots, but my question is:

How does it work, that incoming request broke my terminal?

edited Mar 14 at 10:55

asked Mar 13 at 16:41

adamczi

1315

1

Can you run cat -vet on that log file and show us the lines from 12:08:36 and 14:55:55 ? There might be a Ctrl-N in there. en.wikipedia.org/wiki/Shift_Out_and_Shift_In_characters

– Mark Plotnick
Mar 13 at 17:09

1

It's possible that someone can guess the byte sequence that was printed, but it might help diagnose the precise byte sequence if you post a hex dump of the bytes that were sent to the terminal. eg: python run.py | tee run.log followed by hexdump -C run.log

– Philip Couling
Mar 13 at 17:10

Hi @MarkPlotnick, thanks for your comment. The thing is that I don't have those strings in any logfile, it just copy-pasted content straight from my terminal output

– adamczi
Mar 13 at 18:50

@PhilipCouling thanks for your suggestion, but as I wrote above, it has already happened, so I can only run it again and wait for the next try.

– adamczi
Mar 13 at 18:52

1

while I think JdeBP has a very good point in their answer, I'm voting to close this is as non-reproducible, because like the previous comments say, answering the question about the "bad character" would require seeing the actual data and you said you don't have that.

– ilkkachu
Mar 13 at 19:24

|
show 1 more comment

Now, I left my laptop open for a while, and when I came back, the shell was displaying something like this:

83.20.238.86 - - [13/Mar/2019 08:54:43] "GET / HTTP/1.1" 200 -
87.122.83.97 - - [13/Mar/2019 11:55:30] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] code 400, message Bad request syntax ('x16x03x01x00xfcx01x00x00xf8x03x03(xd3FMxf5x0eLox17xa3|x1f8xca~#x07xc1x1f&&x14x19x11x10:x824xd23nAx00x00x8cxc00xc0,xc02xc0.xc0/xc0+xc01xc0-x00xa5x00xa3x00xa1x00x9fx00xa4x00xa2x00xa0x00x9exc0(xc0$xc0x14xc0')
176.32.33.145 - - [13/Mar/2019 12:08:36] "��(M�L⎺�≠8#�&&:�4┼A��▮�←�2�↓�/�→�1�↑���������(�$��" 4▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "GET / HTTP/1↓1" 2▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] c⎺de 4▮▮← └e⎽⎽▒±e B▒d ⎼e─┤e⎽├ ⎽≤┼├▒│ ('│16│▮3│▮1│▮▮│°c│▮1│▮▮│▮▮│°8│▮3│▮3│92│8e│°7│9e│1▒│▒2│1e│°8│°bb^│1b│d1│▒1│1e│d2│d1^│1e/└│96_(│beU│▮4│8d≥│d7⎻│°e│▮▮│▮▮│8c│c▮▮│c▮←│c▮2│c▮↓│c▮/│c▮→│c▮1│c▮↑│▮▮│▒5│▮▮│▒3│▮▮│▒1│▮▮│9°│▮▮│▒4│▮▮│▒2│▮▮│▒▮│▮▮│9e│c▮(│c▮$│c▮│14│c▮')
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "���������b^[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ^C
[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ┌⎺±⎺┤├
C⎺┼┼ec├☃⎺┼ ├⎺ 1▮4↓248↓36↓8 c┌⎺⎽ed↓
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ ec▒⎺ '▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬'
▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬
▒d▒└@±⎽:·$

You can see 3 last "normal" GET requests to /, but then it begins. I know it can be fixed (link1 or link2) and these were some scanning bots, but my question is:

How does it work, that incoming request broke my terminal?

edited Mar 14 at 10:55

asked Mar 13 at 16:41

adamczi

1315

1

Can you run cat -vet on that log file and show us the lines from 12:08:36 and 14:55:55 ? There might be a Ctrl-N in there. en.wikipedia.org/wiki/Shift_Out_and_Shift_In_characters

– Mark Plotnick
Mar 13 at 17:09

1

It's possible that someone can guess the byte sequence that was printed, but it might help diagnose the precise byte sequence if you post a hex dump of the bytes that were sent to the terminal. eg: python run.py | tee run.log followed by hexdump -C run.log

– Philip Couling
Mar 13 at 17:10

Hi @MarkPlotnick, thanks for your comment. The thing is that I don't have those strings in any logfile, it just copy-pasted content straight from my terminal output

– adamczi
Mar 13 at 18:50

@PhilipCouling thanks for your suggestion, but as I wrote above, it has already happened, so I can only run it again and wait for the next try.

– adamczi
Mar 13 at 18:52

1

while I think JdeBP has a very good point in their answer, I'm voting to close this is as non-reproducible, because like the previous comments say, answering the question about the "bad character" would require seeing the actual data and you said you don't have that.

– ilkkachu
Mar 13 at 19:24

|
show 1 more comment

Now, I left my laptop open for a while, and when I came back, the shell was displaying something like this:

83.20.238.86 - - [13/Mar/2019 08:54:43] "GET / HTTP/1.1" 200 -
87.122.83.97 - - [13/Mar/2019 11:55:30] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] code 400, message Bad request syntax ('x16x03x01x00xfcx01x00x00xf8x03x03(xd3FMxf5x0eLox17xa3|x1f8xca~#x07xc1x1f&&x14x19x11x10:x824xd23nAx00x00x8cxc00xc0,xc02xc0.xc0/xc0+xc01xc0-x00xa5x00xa3x00xa1x00x9fx00xa4x00xa2x00xa0x00x9exc0(xc0$xc0x14xc0')
176.32.33.145 - - [13/Mar/2019 12:08:36] "��(M�L⎺�≠8#�&&:�4┼A��▮�←�2�↓�/�→�1�↑���������(�$��" 4▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "GET / HTTP/1↓1" 2▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] c⎺de 4▮▮← └e⎽⎽▒±e B▒d ⎼e─┤e⎽├ ⎽≤┼├▒│ ('│16│▮3│▮1│▮▮│°c│▮1│▮▮│▮▮│°8│▮3│▮3│92│8e│°7│9e│1▒│▒2│1e│°8│°bb^│1b│d1│▒1│1e│d2│d1^│1e/└│96_(│beU│▮4│8d≥│d7⎻│°e│▮▮│▮▮│8c│c▮▮│c▮←│c▮2│c▮↓│c▮/│c▮→│c▮1│c▮↑│▮▮│▒5│▮▮│▒3│▮▮│▒1│▮▮│9°│▮▮│▒4│▮▮│▒2│▮▮│▒▮│▮▮│9e│c▮(│c▮$│c▮│14│c▮')
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "���������b^[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ^C
[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ┌⎺±⎺┤├
C⎺┼┼ec├☃⎺┼ ├⎺ 1▮4↓248↓36↓8 c┌⎺⎽ed↓
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ ec▒⎺ '▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬'
▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬
▒d▒└@±⎽:·$

You can see 3 last "normal" GET requests to /, but then it begins. I know it can be fixed (link1 or link2) and these were some scanning bots, but my question is:

How does it work, that incoming request broke my terminal?

edited Mar 14 at 10:55

asked Mar 13 at 16:41

adamczi

1315

Now, I left my laptop open for a while, and when I came back, the shell was displaying something like this:

83.20.238.86 - - [13/Mar/2019 08:54:43] "GET / HTTP/1.1" 200 -
87.122.83.97 - - [13/Mar/2019 11:55:30] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] "GET / HTTP/1.1" 200 -
176.32.33.145 - - [13/Mar/2019 12:08:36] code 400, message Bad request syntax ('x16x03x01x00xfcx01x00x00xf8x03x03(xd3FMxf5x0eLox17xa3|x1f8xca~#x07xc1x1f&&x14x19x11x10:x824xd23nAx00x00x8cxc00xc0,xc02xc0.xc0/xc0+xc01xc0-x00xa5x00xa3x00xa1x00x9fx00xa4x00xa2x00xa0x00x9exc0(xc0$xc0x14xc0')
176.32.33.145 - - [13/Mar/2019 12:08:36] "��(M�L⎺�≠8#�&&:�4┼A��▮�←�2�↓�/�→�1�↑���������(�$��" 4▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "GET / HTTP/1↓1" 2▮▮ ↑
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] c⎺de 4▮▮← └e⎽⎽▒±e B▒d ⎼e─┤e⎽├ ⎽≤┼├▒│ ('│16│▮3│▮1│▮▮│°c│▮1│▮▮│▮▮│°8│▮3│▮3│92│8e│°7│9e│1▒│▒2│1e│°8│°bb^│1b│d1│▒1│1e│d2│d1^│1e/└│96_(│beU│▮4│8d≥│d7⎻│°e│▮▮│▮▮│8c│c▮▮│c▮←│c▮2│c▮↓│c▮/│c▮→│c▮1│c▮↑│▮▮│▒5│▮▮│▒3│▮▮│▒1│▮▮│9°│▮▮│▒4│▮▮│▒2│▮▮│▒▮│▮▮│9e│c▮(│c▮$│c▮│14│c▮')
176↓32↓33↓145 ↑ ↑ [13/M▒⎼/2▮19 14:55:55] "���������b^[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ^C
[⎺⎼▒┼±e@ce┼├⎺⎽↑⎺⎼▒┼±e ⎺⎼▒┼±e_±c]$ ┌⎺±⎺┤├
C⎺┼┼ec├☃⎺┼ ├⎺ 1▮4↓248↓36↓8 c┌⎺⎽ed↓
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ 
▒d▒└@±⎽:·$ ec▒⎺ '▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬'
▒e┌┌⎺ ⎽├▒c┐ ⎺┴e⎼°┌⎺┬
▒d▒└@±⎽:·$

You can see 3 last "normal" GET requests to /, but then it begins. I know it can be fixed (link1 or link2) and these were some scanning bots, but my question is:

How does it work, that incoming request broke my terminal?

bash string http

edited Mar 14 at 10:55

asked Mar 13 at 16:41

adamczi

1315

edited Mar 14 at 10:55

asked Mar 13 at 16:41

adamczi

1315

edited Mar 14 at 10:55

asked Mar 13 at 16:41

adamczi

1315

asked Mar 13 at 16:41

adamczi

1315

asked Mar 13 at 16:41

adamczi

1315

1

Can you run cat -vet on that log file and show us the lines from 12:08:36 and 14:55:55 ? There might be a Ctrl-N in there. en.wikipedia.org/wiki/Shift_Out_and_Shift_In_characters

– Mark Plotnick
Mar 13 at 17:09

1

It's possible that someone can guess the byte sequence that was printed, but it might help diagnose the precise byte sequence if you post a hex dump of the bytes that were sent to the terminal. eg: python run.py | tee run.log followed by hexdump -C run.log

– Philip Couling
Mar 13 at 17:10

Hi @MarkPlotnick, thanks for your comment. The thing is that I don't have those strings in any logfile, it just copy-pasted content straight from my terminal output

– adamczi
Mar 13 at 18:50

@PhilipCouling thanks for your suggestion, but as I wrote above, it has already happened, so I can only run it again and wait for the next try.

– adamczi
Mar 13 at 18:52

1

while I think JdeBP has a very good point in their answer, I'm voting to close this is as non-reproducible, because like the previous comments say, answering the question about the "bad character" would require seeing the actual data and you said you don't have that.

– ilkkachu
Mar 13 at 19:24

|
show 1 more comment

1

Can you run cat -vet on that log file and show us the lines from 12:08:36 and 14:55:55 ? There might be a Ctrl-N in there. en.wikipedia.org/wiki/Shift_Out_and_Shift_In_characters

– Mark Plotnick
Mar 13 at 17:09

1

It's possible that someone can guess the byte sequence that was printed, but it might help diagnose the precise byte sequence if you post a hex dump of the bytes that were sent to the terminal. eg: python run.py | tee run.log followed by hexdump -C run.log

– Philip Couling
Mar 13 at 17:10

Hi @MarkPlotnick, thanks for your comment. The thing is that I don't have those strings in any logfile, it just copy-pasted content straight from my terminal output

– adamczi
Mar 13 at 18:50

@PhilipCouling thanks for your suggestion, but as I wrote above, it has already happened, so I can only run it again and wait for the next try.

– adamczi
Mar 13 at 18:52

1

while I think JdeBP has a very good point in their answer, I'm voting to close this is as non-reproducible, because like the previous comments say, answering the question about the "bad character" would require seeing the actual data and you said you don't have that.

– ilkkachu
Mar 13 at 19:24

Can you run cat -vet on that log file and show us the lines from 12:08:36 and 14:55:55 ? There might be a Ctrl-N in there. en.wikipedia.org/wiki/Shift_Out_and_Shift_In_characters

– Mark Plotnick
Mar 13 at 17:09

It's possible that someone can guess the byte sequence that was printed, but it might help diagnose the precise byte sequence if you post a hex dump of the bytes that were sent to the terminal. eg: python run.py | tee run.log followed by hexdump -C run.log

– Philip Couling
Mar 13 at 17:10

Hi @MarkPlotnick, thanks for your comment. The thing is that I don't have those strings in any logfile, it just copy-pasted content straight from my terminal output

– adamczi
Mar 13 at 18:50

@PhilipCouling thanks for your suggestion, but as I wrote above, it has already happened, so I can only run it again and wait for the next try.

– adamczi
Mar 13 at 18:52

while I think JdeBP has a very good point in their answer, I'm voting to close this is as non-reproducible, because like the previous comments say, answering the question about the "bad character" would require seeing the actual data and you said you don't have that.

– ilkkachu
Mar 13 at 19:24

|
show 1 more comment

1 Answer
1

active

oldest

votes

Let this be a lesson in security. Your program dumps network-supplied input directly to its log, as-is. You dumped the log output directly to a user terminal. You gave attackers out on Internet at large the ability to control output on your terminal.

Pipe your logs through cyclog and multilog or similar, as I explained at https://unix.stackexchange.com/a/505854/5132, so that they go to a set of strictly size-capped, automatically rotated, log files rather than to a terminal. Then read those log files using tools that will sanitize control characters.

The "bad characters" here are well known, and are standardized by ECMA-35 (a.k.a. ISO/IEC 2022) in conjunction with a large registry of character sets. Your terminal emulator implements two switchable portions of the 8-bit character set, known as "GL" and "GR". Various standard control characters and escape sequences switch these two amongst four designated character sets, known as "G0", "G1", "G2", and "G3". These four are in turn mapped to actual character sets by further escape sequences.

The set of byte sequences that can mess up your output is rather large. There are more than just ␎ and ␏, as question comments would lead you to believe. There are four possible shifts of two shiftable areas, and locking and single shifts. The C1 control characters for shifting have two representations. Then there are just under two hundred possible mapped character sets for each of the four shifts, each with their own escape sequence.

It's quite a complex system, and if you are at this point thinking "Surely it's better to just use Unicode?" you will not be the first. The inventors of mosh made it a selling point that their terminal emulator does not implement any of this character set switching. Neither does my console-terminal-emulator. Our terminal emulators simply will not get into these difficulties. Markus Kuhn has been encouraging dropping ISO 2022 character set switching since 1999.

搜尋此網誌

Ttyjfyk

1 Answer
1

Further reading

Your Answer

Post as a guest

1 Answer
1

1 Answer
1

Further reading

Further reading

Further reading

Further reading

Post as a guest

Popular posts from this blog

Frič See also Navigation menuinternal link

1 Answer 1

Further reading

Your Answer

Sign up or log in

Post as a guest

Post as a guest

1 Answer 1

1 Answer 1

Further reading

Further reading

Further reading

Further reading

Sign up or log in

Post as a guest

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Popular posts from this blog

Frič See also Navigation menuinternal link

1 Answer
1

1 Answer
1

1 Answer
1