Nonsensical Web Log Entries
Ian Smith
smithi at nimnet.asn.au
Thu Mar 10 04:47:15 UTC 2011
In freebsd-questions Digest, Vol 353, Issue 5, Message: 21
On Wed, 09 Mar 2011 15:02:57 -0500 peter at vfemail.net wrote:
> At 03:06 PM 3/9/2011, Robert Bonomi wrote:
> >>
> >> I was looking at my Web log this morning, and a bunch of nonsensical
> >> entries like these caught my attention:
> >>
> >> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> >> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> >> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> >> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> >>
> >> Is my FreeBSD box serving as some kind of Web proxy?
> >
> >Your box is _not_ doing the proxying. That's why it's signalling errors
> >for those requests.
> >
> >The perpetrators are _hoping_ you are running a misconfigured proxying front-
> >end.
>
> Does this entry change your conclusion:
>
> 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"
No, Robert is right.
Note that the first four you listed were all HTTP/1.0 requests. The
ones with anything after the last '/' are 404 (page not found) except
the last. Not sure about that 301, do you have a proxyheader.php?
The more recent one is HTTP/1.1 with nothing after the last / so the
http://images.google.com is ignored, and I expect you may find that
your home page (ie requests for just '/') serve up 13134 bytes?
At least that's what happens here with apache 1.3; here's a few examples
from a seldom-accessed vhost where lots of requests are bogus, usually
appearing across multiple vhosts (ie, from a sweep over IP addresses)
24.106.193.92 - - [01/Feb/2011:23:05:21 +1100] "GET http://www.ya.ru:80/ HTTP/1.0" 200 2327 "-" "Mozilla/4.0 (compatible; Synapse)"
(this one fetched the home page, see below)
83.20.184.159 - - [02/Feb/2011:10:43:04 +1100] "GET / HTTP/1.1" 403 287 "-" "-"
(requests w/ no referer (sic) and no browser ("-" "-") are denied here)
217.174.232.11 - - [03/Feb/2011:20:31:16 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
88.250.12.104 - - [03/Feb/2011:20:36:45 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
(accepted requests, this static / page always serves 2327 bytes)
109.61.188.165 - - [05/Feb/2011:20:46:04 +1100] "GET http://www.yahoo.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
84.127.236.75 - - [06/Feb/2011:10:25:53 +1100] "GET http://www.ebay.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
(forbidden browser strings &/or IP addresses in $apachedir/access.conf)
91.195.136.10 - - [07/Feb/2011:02:33:55 +1100] "GET http://images.google.com/ HTTP/1.1" 200 2327 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"
Oh look, one just like yours, but with an acceptable browser string ..
so it got the homepage, attempted proxying request being just ignored.
cheers, Ian
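
Added example, not part of Ian's message or the thread: a small Python triage script that applies the reasoning above to an Apache combined-format log, flagging requests whose target names a foreign host and sorting them by how the server answered. The `local_hosts` set, the `home_size` value, the verdict labels and the `CONNECT` sample line are assumptions made for illustration; the other sample lines are copied from the thread.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format, as in the entries quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*"$')

# Three entries copied from the thread, plus one constructed CONNECT line.
SAMPLE = [
    '24.106.193.92 - - [01/Feb/2011:23:05:21 +1100] "GET http://www.ya.ru:80/ HTTP/1.0" 200 2327 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '217.174.232.11 - - [03/Feb/2011:20:31:16 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"',
    '109.61.188.165 - - [05/Feb/2011:20:46:04 +1100] "GET http://www.yahoo.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"',
    '192.0.2.7 - - [10/Mar/2011:00:00:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
]

def classify(line, local_hosts, home_size):
    """Return None for an ordinary request, else (ip, foreign_host, verdict)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m["target"]
    if m["method"] == "CONNECT":            # authority-form: host:port
        host, path = target.rsplit(":", 1)[0], ""
    elif target.lower().startswith(("http://", "https://")):
        parts = urlsplit(target)            # absolute-form: full URL
        host, path = parts.hostname or "", parts.path or "/"
    else:
        return None                         # origin-form, e.g. "/" or "/faq.cgi"
    if host.lower() in local_hosts:
        return None                         # absolute URL naming our own vhost
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if 400 <= status < 500:
        verdict = "refused"                 # thread's reading: the server's own error
    elif status == 200 and path == "/" and size == home_size:
        verdict = "ignored"                 # foreign host dropped, local home page sent
    else:
        verdict = "review"                  # could be relayed content: inspect by hand
    return (m["ip"], host, verdict)

def scan(lines, local_hosts, home_size):
    """Classify every proxy-style request in an iterable of log lines."""
    return [r for r in (classify(l, local_hosts, home_size) for l in lines) if r]

if __name__ == "__main__":
    # local_hosts and home_size are site-specific values supplied by the admin.
    for ip, host, verdict in scan(SAMPLE, {"www.example.org"}, 2327):
        print(f"{ip:15} {host:22} {verdict}")
```

Anything that comes back as "review" (a 200 whose size does not match the local home page, a 3xx, or any successful CONNECT) is worth checking against the proxy configuration by hand.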