Date:      Wed, 9 Mar 2011 17:57:36 -0500
From:      "Michael  J. Kearney" <mkearney@nvita.org>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   RE: Nonsensical Web Log Entries
Message-ID:  <0A2D7DF01CEBB144ACA1A79F588BD239044CE0AE65B4@SQUIRRELSERVER.nvita.org>
In-Reply-To: <20110309204107.49F37106566B@hub.freebsd.org>
References:  <20110309152546.54D93106564A@hub.freebsd.org> <201103092006.p29K664k013470@mail.r-bonomi.com> <7.1.0.9.2.20110309150206.1ed21c20@vfemail.net> <20110309204107.49F37106566B@hub.freebsd.org>

I don't know if I got through the last time but you ... could... add to but not take away from your operational matrices by writing it to a file. Using tcpdump to analyze the traffic on your webserver, it might clear up some of the confusion.

tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale

You can also read some of the output data.

Eg, here are some of my logs:

168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] "GET /index.php?domain=fixitbot&tld=com&lookup=%3E%3E HTTP/1.1" 200 5413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

The query is 8,223 bytes and logged as 5,413 bytes ?

The only logical conclusion is that the header data is false. Unfortunately the RAW data does not reveal anything more than that. Maybe you will have better luck .. and p.s. I was hanging out with my android earlier, I hope this helps.


-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of peter@vfemail.net
Sent: Wednesday, March 09, 2011 3:40 PM
To: freebsd-questions@freebsd.org
Subject: Re: Nonsensical Web Log Entries

At 03:02 PM 3/9/2011, peter@vfemail.net wrote:
>At 03:06 PM 3/9/2011, Robert Bonomi wrote:
>>> From owner-freebsd-questions@freebsd.org  Wed Mar  9 10:40:23 2011
>>> Date: Wed, 09 Mar 2011 09:57:03 -0500
>>> To: freebsd-questions@freebsd.org
>>> From: peter@vfemail.net
>>> Subject: Nonsensical Web Log Entries
>>>
>>>
>>> I was looking at my Web log this morning, and a bunch of nonsensical
>>> entries like these caught my attention:
>>>
>>> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>
>>> Is my FreeBSD box serving as some kind of Web proxy?
>>
>>Your box is _not_ doing the proxying.  That's why it's signalling errors
>>for those requests.
>>
>>The perpetrators are _hoping_ you are running a misconfigured proxying front-end.
>
>Does this entry change your conclusion:
>
>     188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"
>

Here's another entry that's too bizarre for words:

     218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"




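The two kinds of entry discussed in this thread (requests carrying an absolute `http://...` URI, which are clients hoping the box forwards for them, and a request line of `\x16\x03\x01`, which is the start of a TLS record arriving on the plaintext port) can be picked out of an Apache combined-format log mechanically. The script below is an added example written for this archive page, not code from either poster; the sample lines are constructed to resemble the entries quoted above, and the label names (`proxy_probe_served`, `tls_to_plaintext`, and so on) are my own. The comment on `%b` records what the last numeric field of the combined format measures.

```python
"""Classify Apache combined-format log lines for the two symptoms seen in the thread:
absolute-URI requests (open-proxy probes) and raw TLS records sent to the plaintext port."""
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %b is the size of the RESPONSE body in bytes (or '-'), not the size of the request.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<bytes>-|\d+) "(?P<referer>.*?)" "(?P<agent>.*?)"$'
)

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT", "TRACE", "PATCH"}

# Constructed sample lines modelled on the entries quoted in the thread. Apache writes
# non-printable request bytes as literal \xHH sequences, which is what the raw string keeps.
SAMPLE_LOG = r'''
124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"
218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"
10.0.0.5 - - [09/Mar/2011:16:00:00 -0500] "GET /index.php?domain=example&tld=com HTTP/1.1" 200 5413 "-" "Mozilla/5.0 (constructed)"
'''.strip("\n")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label one parsed entry (label names are this example's own).

    proxy_probe_ignored  absolute URI in the request line, answered with a non-200
                         status: the server did not forward the request
    proxy_probe_served   absolute URI answered with 200: check that no ProxyRequests
                         or other forwarding configuration is active
    tls_to_plaintext     request starts with a TLS record header (0x16 = handshake,
                         0x03 0x0N = record version): a ClientHello hit the HTTP port
    malformed            anything else that is not "METHOD target HTTP/x.y"
    ordinary             a relative-path request
    """
    request = entry["request"]
    parts = request.split(" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith("HTTP/"):
        target = parts[1]
        if target.lower().startswith(("http://", "https://")):
            return "proxy_probe_served" if entry["status"] == "200" else "proxy_probe_ignored"
        return "ordinary"
    # The log holds the literal text backslash-x-1-6, so match the escaped form.
    if re.match(r'^\\x16\\x03\\x0[0-4]', request):
        return "tls_to_plaintext"
    return "malformed"


def analyze(log_text):
    """Parse every line; return (list of (host, label), Counter of labels)."""
    verdicts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            verdicts.append((line, "unparsed"))
            continue
        verdicts.append((entry["host"], classify(entry)))
    return verdicts, Counter(label for _, label in verdicts)


if __name__ == "__main__":
    rows, counts = analyze(SAMPLE_LOG)
    for host, label in rows:
        print(f"{host:16} {label}")
    print(dict(counts))
```

Run against a real access log (`analyze(open("/var/log/httpd-access.log").read())`), a rising count of `proxy_probe_ignored` is the background noise the thread describes, while any `proxy_probe_served` entry deserves a look at the server's proxy directives; `tls_to_plaintext` entries are simply clients that expected TLS on that port.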


