Obfuscated HTTP Requests - How to decode?

WebOpz

1:49 pm on Aug 26, 2021 (gmt 0)

Hi, I'm getting a bunch of obfuscated HTTP requests that I don't understand how to decode. Examples are:

43.128.9.247 - - [11/Aug/2021:20:16:30 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03N\xE0?\xE9\xF02\x1D\xEB\xEE4\xE3\xD1\xFF\xE2a\x92\xE4\xE1\x01\x90&MZ\xE8\xCB\xF2\xED\xEAc\xE8x] <$'\xF2\x11=\xA0\x1C/\xD0\xE0~\x17\xC2\x1E\x14\xD5\x17" 400 166 "-" "-"
43.128.9.247 - - [11/Aug/2021:20:16:30 +0000] "GET / HTTP/1.1" 404 193 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4 240.111 Safari/537.36"
43.128.9.247 - - [11/Aug/2021:20:26:30 +0000] "\x01\x00\x00\x00 \xBF\x02\x00\x88\x13\x00\x00\x87\x00\x00\x00NIMABIJIAN\x04\x03\x00\x00{\x99Caig\x9C\x03\xC7eB\xC5\x09\xC1\x18a\x11\x1A\x91\x1F\x02\x09cof\x91\xC0\x80sJ5\xD2\x80\xE6\x9A~\xB9\xC7\x83^\x96\xEEN\x16\x96\x96&\xE6\x03\xEA\xBC\x81\x02=\xAC\x10\xFA?7\x03\xC3\xDF\xF7\xE4\x98`p\xE6\x8D\xC1\xA9\x8D\xC6\x06\xDB\xAF\x91\xE7\x82s\xF7\x14H\xD4\xE1W\x9A\x93C\x9E]\xA4\x01#\x03#\x03]\x03c]CC\x05C\x03+S\x03b\xF4\x00\x00/\x9E\x16E" 400 166 "-" "-"
43.128.9.247 - - [11/Aug/2021:20:26:40 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03.\x84\xEFG\x04\x09VFr`\xFB!\xA2\x13\xAC\xEC\x93>\xA3j\xB9\x90\xDCZ-\xB6\xA8.\xE0;\xA2* |\x039 P\x11\xAF\x9E\x15\x8F\x84_4\xCDs#k;\x99\x5Cq+q\xDE\xE4" 400 166 "-" "-"
43.128.9.247 - - [11/Aug/2021:20:26:41 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03A\x9C\xDD\x97R/c" 400 166 "-" "-"

How do I decode these?
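Added example, not from the thread: a Python script that reverses the \xHH escaping nginx and Apache apply when they write the request line to the access log, then checks whether the recovered bytes start with a TLS record header (0x16, 0x03, 0x0x), which is what the first, fourth and fifth lines above are: TLS ClientHellos sent to the plain-HTTP port. It assumes combined-format log lines and uses the lines quoted above as its sample input.

```python
import re

# Sample input: the log lines quoted in the post above; only the quoted request field is decoded.
SAMPLE_LOG = r"""
43.128.9.247 - - [11/Aug/2021:20:16:30 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03N\xE0?\xE9\xF02\x1D\xEB\xEE4\xE3\xD1\xFF\xE2a\x92\xE4\xE1\x01\x90&MZ\xE8\xCB\xF2\xED\xEAc\xE8x] <$'\xF2\x11=\xA0\x1C/\xD0\xE0~\x17\xC2\x1E\x14\xD5\x17" 400 166 "-" "-"
43.128.9.247 - - [11/Aug/2021:20:16:30 +0000] "GET / HTTP/1.1" 404 193 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4 240.111 Safari/537.36"
43.128.9.247 - - [11/Aug/2021:20:26:30 +0000] "\x01\x00\x00\x00 \xBF\x02\x00\x88\x13\x00\x00\x87\x00\x00\x00NIMABIJIAN\x04\x03\x00\x00{\x99Caig\x9C\x03\xC7eB\xC5\x09\xC1\x18a\x11\x1A\x91\x1F\x02\x09cof\x91\xC0\x80sJ5\xD2\x80\xE6\x9A~\xB9\xC7\x83^\x96\xEEN\x16\x96\x96&\xE6\x03\xEA\xBC\x81\x02=\xAC\x10\xFA?7\x03\xC3\xDF\xF7\xE4\x98`p\xE6\x8D\xC1\xA9\x8D\xC6\x06\xDB\xAF\x91\xE7\x82s\xF7\x14H\xD4\xE1W\x9A\x93C\x9E]\xA4\x01#\x03#\x03]\x03c]CC\x05C\x03+S\x03b\xF4\x00\x00/\x9E\x16E" 400 166 "-" "-"
43.128.9.247 - - [11/Aug/2021:20:26:40 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03.\x84\xEFG\x04\x09VFr`\xFB!\xA2\x13\xAC\xEC\x93>\xA3j\xB9\x90\xDCZ-\xB6\xA8.\xE0;\xA2* |\x039 P\x11\xAF\x9E\x15\x8F\x84_4\xCDs#k;\x99\x5Cq+q\xDE\xE4" 400 166 "-" "-"
43.128.9.247 - - [11/Aug/2021:20:26:41 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03A\x9C\xDD\x97R/c" 400 166 "-" "-"
""".strip().splitlines()

# First double-quoted field of the line, honouring backslash escapes inside it.
_REQUEST_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')
# \xHH as written by nginx and Apache, plus the C-style escapes Apache uses for a few bytes.
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[nrtbv\\"])')
_C_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "v": "\v", "\\": "\\", '"': '"'}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def request_bytes(line: str) -> bytes:
    """Recover the raw bytes the client sent from the escaped request field."""
    m = _REQUEST_FIELD.search(line)
    if m is None:
        raise ValueError("no quoted request field in line")
    def unescape(esc):
        tok = esc.group(1)
        return chr(int(tok[1:], 16)) if tok[0] == "x" else _C_ESCAPES[tok]
    return _ESCAPE.sub(unescape, m.group(1)).encode("latin-1")

def tls_handshake_info(raw: bytes):
    """Header fields if raw starts with a TLS handshake record (type 0x16, version 0x03xx), else None."""
    if len(raw) < 6 or raw[0] != 0x16 or raw[1] != 0x03 or raw[2] > 0x04:
        return None
    info = {"record_version": TLS_VERSIONS.get(int.from_bytes(raw[1:3], "big"), "unknown"),
            "record_length": int.from_bytes(raw[3:5], "big"), "logged_bytes": len(raw),
            "handshake": "ClientHello" if raw[5] == 0x01 else f"type {raw[5]}"}
    if raw[5] == 0x01 and len(raw) >= 11:   # ClientHello: 3-byte length, then client_version
        info["handshake_length"] = int.from_bytes(raw[6:9], "big")
        info["client_version"] = TLS_VERSIONS.get(int.from_bytes(raw[9:11], "big"), "unknown")
    return info

def classify(line: str) -> str:
    raw = request_bytes(line)
    if tls_handshake_info(raw):
        return "tls-handshake"   # TLS ClientHello sent to the plain-HTTP port
    if re.fullmatch(rb"[A-Z]+ \S+ HTTP/\d\.\d", raw):
        return "http"
    return "binary"              # some other non-HTTP protocol probe
```

`classify(line)` labels a line, and `tls_handshake_info(request_bytes(line))` returns the parsed record and ClientHello header; a logged byte count far below the declared record length means the server stopped reading the request before the handshake finished.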

not2easy

2:39 pm on Aug 26, 2021 (gmt 0)

Sorry, the old tools I used for such things are long gone, others may have ideas.

Whatever they are/were requesting, your server called it a "400" which is a bad request.

lucy24

6:16 pm on Aug 26, 2021 (gmt 0)

The good news is you don’t need to decode them, because your server has correctly identified them as garbage.

The locution \xAA is equivalent to %AA, but the values don’t lead to valid text, so there has been additional hanky-panky going on. (I can say this much because my log-wrangling code includes a bit that converts percent-encoding, and this stuff doesn’t come through as anything intelligible.)

There are times when “Don’t trouble your pretty little head about it” really is the simplest answer. Not the only answer--obviously the robot came in with some intention, undoubtedly malign--but the only one most people need.

Edit: The IP involved currently belongs to Tencent, which--again--may be all we need to know.

tangor

7:28 am on Aug 29, 2021 (gmt 0)

While I don't get a ton of these, they appear from time to time. Largely ignored since the ip itself does not actually request any files on site ... thus an utter waste of time and worthy only of the 404 it receives.