Date:      Thu, 10 Mar 2011 15:47:09 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        peter@vfemail.net
Cc:        freebsd-questions@freebsd.org, Robert Bonomi <bonomi@mail.r-bonomi.com>
Subject:   Re: Nonsensical Web Log Entries
Message-ID:  <20110310142433.M68517@sola.nimnet.asn.au>
In-Reply-To: <20110309233148.0F4CF1065771@hub.freebsd.org>
References:  <20110309233148.0F4CF1065771@hub.freebsd.org>

In freebsd-questions Digest, Vol 353, Issue 5, Message: 21
On Wed, 09 Mar 2011 15:02:57 -0500 peter@vfemail.net wrote:
 > At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 > >>
 > >> I was looking at my Web log this morning, and a bunch of nonsensical 
 > >> entries like these caught my attention:
 > >>
 > >> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 > >>
 > >> Is my FreeBSD box serving as some kind of Web proxy?
 > >
 > >Your box is _not_ doing the proxying.  That's why it's signalling errors
 > >for those requests.
 > >
 > >The perpetrators are _hoping_ you are running a misconfigured proxying front-
 > >end.
 > 
 > Does this entry change your conclusion:
 > 
 >      188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"

No, Robert is right.

Note that the first four you listed were all HTTP/1.0 requests.  The 
ones with anything after the last '/' are 404 (page not found) except 
the last.  Not sure about that 301, do you have a proxyheader.php?

The more recent one is HTTP/1.1 with nothing after the last / so the 
http://images.google.com is ignored, and I expect you may find that 
your home page (ie requests for just '/') serve up 13134 bytes?

At least that's what happens here with apache 1.3; here's a few examples 
from a seldom-accessed vhost where lots of requests are bogus, usually 
appearing across multiple vhosts (ie, from a sweep over IP addresses):

24.106.193.92 - - [01/Feb/2011:23:05:21 +1100] "GET http://www.ya.ru:80/ HTTP/1.0" 200 2327 "-" "Mozilla/4.0 (compatible; Synapse)"

(this one fetched the home page, see below)
 
83.20.184.159 - - [02/Feb/2011:10:43:04 +1100] "GET / HTTP/1.1" 403 287 "-" "-"

(requests w/ no referer (sic) and no browser ("-" "-") are denied here)

217.174.232.11 - - [03/Feb/2011:20:31:16 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"
88.250.12.104 - - [03/Feb/2011:20:36:45 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00 (Windows NT 5.1; U; en)"

(accepted requests, this static / page always serves 2327 bytes)

109.61.188.165 - - [05/Feb/2011:20:46:04 +1100] "GET http://www.yahoo.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
84.127.236.75 - - [06/Feb/2011:10:25:53 +1100] "GET http://www.ebay.com/ HTTP/1.1" 403 287 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

(forbidden browser strings &/or IP addresses in $apachedir/access.conf)

91.195.136.10 - - [07/Feb/2011:02:33:55 +1100] "GET http://images.google.com/ HTTP/1.1" 200 2327 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"

Oh look, one just like yours, but with an acceptable browser string .. 
so it got the homepage, attempted proxying request being just ignored.

cheers, Ian
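
Added example, not part of the original message: a log check along the lines discussed in this thread, flagging absolute-URI (proxy-style) requests for foreign hosts and using the status code and the known size of the local home page to tell refused or ignored probes from responses worth a closer look. The verdict names, the local host name and the sample entries are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format, parsed up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line, local_hosts, home_size):
    """Return (ip, host, verdict) for a proxy probe, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, path = m["target"], "/"
    if m["method"] == "CONNECT":
        host = target.rsplit(":", 1)[0]
    elif "://" in target and not target.startswith("/"):
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path or "/"
    else:
        return None  # origin-form request such as "GET / HTTP/1.1"
    if host.lower() in local_hosts:
        return None  # absolute URI that names one of our own vhosts
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if 400 <= status < 500:
        verdict = "refused"       # server answered the probe with an error
    elif status == 200 and path == "/" and size == home_size:
        verdict = "local-page"    # foreign host ignored, our own / was served
    else:
        verdict = "investigate"   # could be proxied content: check the config
    return m["ip"], host, verdict

def scan(lines, local_hosts, home_size):
    return [r for r in (classify(l, local_hosts, home_size) for l in lines) if r]

# Constructed sample entries (documentation addresses and example domains).
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2011:09:00:00 +1100] "GET http://www.example.org/ HTTP/1.0" 404 3485 "-" "-"',
    '192.0.2.11 - - [10/Mar/2011:09:00:05 +1100] "GET http://images.example.net/ HTTP/1.1" 200 2327 "-" "-"',
    '192.0.2.12 - - [10/Mar/2011:09:00:09 +1100] "GET / HTTP/1.1" 200 2327 "-" "Opera/9.00"',
    '192.0.2.13 - - [10/Mar/2011:09:00:12 +1100] "GET http://www.mysite.example/ HTTP/1.1" 200 2327 "-" "-"',
    '192.0.2.14 - - [10/Mar/2011:09:00:20 +1100] "GET http://www.example.org/big.html HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.15 - - [10/Mar/2011:09:00:31 +1100] "CONNECT mail.example.net:25 HTTP/1.0" 405 300 "-" "-"',
]

if __name__ == "__main__":
    for ip, host, verdict in scan(SAMPLE, {"www.mysite.example"}, 2327):
        print(f"{ip:15} {host:22} {verdict}")
```

Only the "investigate" lines need follow-up, for instance by checking whether a proxy module is enabled on the server.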
