From owner-freebsd-questions@FreeBSD.ORG Thu Mar 10 21:09:40 2011
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 34510106564A; Thu, 10 Mar 2011 21:09:40 +0000 (UTC) (envelope-from peter@vfemail.net)
Received: from vfemail.net (dotsevenfive.vfemail.net [69.11.239.75]) by mx1.freebsd.org (Postfix) with ESMTP id BB6F58FC08; Thu, 10 Mar 2011 21:09:39 +0000 (UTC)
Received: (qmail 40486 invoked by uid 89); 10 Mar 2011 21:09:37 -0000
Received: from localhost (HELO freequeue.vfemail.net) (127.0.0.1) by localhost with SMTP; 10 Mar 2011 21:09:37 -0000
Received: (qmail 40428 invoked by uid 89); 10 Mar 2011 21:09:20 -0000
Received: from unknown (HELO www-52-2.vfemail.net) (vfemail@172.16.100.52) by FreeQueue with SMTP; 10 Mar 2011 21:09:20 -0000
Received: (qmail 68255 invoked by uid 89); 10 Mar 2011 21:09:22 -0000
Received: by simscan 1.4.0 ppid: 68248, pid: 68252, t: 0.1982s scanners:none
Received: from unknown (HELO Bacchus.vfemail.net) (cGV0ZXJAdmZlbWFpbC5uZXQ=@67.101.12.44) by 172.16.100.52 with ESMTPA; 10 Mar 2011 21:09:22 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 10 Mar 2011 16:08:39 -0500
To: "freebsd-questions@freebsd.org"
From: peter@vfemail.net
In-Reply-To: <6e1mefd4hyttote912acah2p.1299788054452@email.android.com>
References: <6e1mefd4hyttote912acah2p.1299788054452@email.android.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <20110310210940.34510106564A@hub.freebsd.org>
X-Mailman-Approved-At: Thu, 10 Mar 2011 22:24:00 +0000
Subject: RE: Nonsensical Web Log Entries
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 10 Mar 2011 21:09:40 -0000

I'm still kind of confused about why Apache doesn't say "what in the world are
you talking about" when these bizarre requests arrive, but there's no
indication that anything untoward is occurring. Perhaps newer versions do. I'm
using what's probably a really old installation.

--------

At 03:33 PM 3/10/2011, Michael J. Kearney wrote:
>How is your research going along? No harm no foul, right? Did you find what
>you had expected to find or some other anomaly? I'm stuck with these packets
>trying to reverse engineer the software that rendered them... lol
>
>"peter@vfemail.net" wrote:
>
>>I had to change fxp0 to xl0, but that tcpdump command is very cool, very
>>instructive and very reassuring. Thank you.
>>
>>--------
>>
>>At 05:57 PM 3/9/2011, Michael J. Kearney wrote:
>>>I don't know if I got through the last time but you ... could... add to
>>>but not take away from your operational matrices by writing it to a file.
>>>Using tcpdump to analyze the traffic on your webserver, it might clear up
>>>some of the confusion.
>>>
>>>tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale
>>>
>>>You can also read some of the output data.
>>>
>>>E.g., here are some of my logs:
>>>
>>>168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] "GET /index.php?domain=fixitbot&tld=com&lookup=%3E%3E HTTP/1.1" 200 5413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>>>
>>>The query is 8,223 bytes and logged as 5,413 bytes ?
>>>
>>>The only logical conclusion is that the header data is false. Unfortunately
>>>the RAW data does not reveal anything more than that. Maybe you will have
>>>better luck .. and p.s. I was hanging out with my android earlier, I hope
>>>this helps.
>>>
>>>
>>>-----Original Message-----
>>>From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of peter@vfemail.net
>>>Sent: Wednesday, March 09, 2011 3:40 PM
>>>To: freebsd-questions@freebsd.org
>>>Subject: Re: Nonsensical Web Log Entries
>>>
>>>At 03:02 PM 3/9/2011, peter@vfemail.net wrote:
>>>>At 03:06 PM 3/9/2011, Robert Bonomi wrote:
>>>>>> From owner-freebsd-questions@freebsd.org Wed Mar 9 10:40:23 2011
>>>>>> Date: Wed, 09 Mar 2011 09:57:03 -0500
>>>>>> To: freebsd-questions@freebsd.org
>>>>>> From: peter@vfemail.net
>>>>>> Subject: Nonsensical Web Log Entries
>>>>>>
>>>>>>
>>>>>> I was looking at my Web log this morning, and a bunch of nonsensical
>>>>>> entries like these caught my attention:
>>>>>>
>>>>>> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>>>> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>>>> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>>>> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>>>>
>>>>>> Is my FreeBSD box serving as some kind of Web proxy?
>>>>>
>>>>>Your box is _not_ doing the proxying. That's why it's signalling errors
>>>>>for those requests.
>>>>>
>>>>>The perpetrators are _hoping_ you are running a misconfigured proxying
>>>>>front-end.
>>>>
>>>>Does this entry change your conclusion:
>>>>
>>>> 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"
>>>>
>>>
>>>Here's another entry that's too bizarre for words:
>>>
>>> 218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"
>>>
>>>
>>>
>>>-------------------------------------------------
>>>This message sent via VFEmail.net
>>>http://www.vfemail.net
>>>$14.95 Lifetime accounts! 15GB disk! No bandwidth quotas!
>>>
>>>_______________________________________________
>>>freebsd-questions@freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
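The following is an added example, written for this page and not code posted by anyone in the thread. It runs the log lines quoted above (the mail-quoting debris stripped) through a small classifier and labels each entry by what the client was actually doing. A request whose target is an absolute URI ("GET http://www.yahoo.com/ HTTP/1.0") is proxy syntax: the sender hopes the host is an open forward proxy, which matches Robert Bonomi's reading. A request line that Apache logs as "\x16\x03\x01" is the start of a TLS record (content type 22 = handshake, version 3.1 = TLS 1.0), i.e. a ClientHello delivered to the plaintext HTTP port; the block also shows, on a constructed ClientHello, why only three bytes appear in the log (the assumption, labelled in the code, is that the request line is cut at the first NUL byte, which is the high byte of the record length). The numeric field after the status code in the combined format is the size of the response body Apache sent, not the size of the request, and the block reports it as such. The ClientHello bytes are constructed for illustration; all function names are this example's own.

```python
"""Classify the odd Apache access-log entries discussed in this thread.

Added example, not from the original posts. The sample lines are the ones
quoted in the thread (with the mail-quoting '>' debris removed); the
ClientHello bytes are constructed for illustration.
"""
import re
import struct
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format. The number after the status code is the size of
# the response body Apache sent, not the size of the request.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Lines quoted in the thread, one of each kind that was puzzling the posters.
SAMPLE_LOG = [
    '124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"',
    r'218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"',
    '168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] "GET /index.php?domain=fixitbot&tld=com&lookup=%3E%3E HTTP/1.1" 200 5413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
]


def parse_line(line):
    """Split one combined-format line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format line: %r" % line)
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def unescape_apache(s):
    """Reverse Apache's \\xHH escaping of non-printable request bytes."""
    text = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)
    return text.encode("latin-1", "replace")


def classify(rec):
    """Label a parsed entry by what the client was actually trying to do."""
    raw = unescape_apache(rec["request"])
    # 0x16 = TLS handshake record type, 0x03 = SSLv3/TLS major version:
    # a TLS ClientHello delivered to the plaintext HTTP port.
    if raw[:2] == b"\x16\x03":
        return "tls-on-plaintext-port"
    parts = rec["request"].split()
    # An absolute URI as request target is proxy syntax: the sender hopes this
    # host is an open forward proxy that will fetch the URL on its behalf.
    if len(parts) >= 2 and re.match(r"[a-z][a-z0-9+.-]*://", parts[1], re.I):
        return "proxy-probe"
    return "origin-request"


def decode_query(rec):
    """Percent-decode the query string of a request (e.g. %3E%3E -> '>>')."""
    parts = rec["request"].split()
    target = parts[1] if len(parts) >= 2 else ""
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def tls_record_header(raw):
    """Decode a TLS record header (RFC 5246 section 6.2.1): type, version, length."""
    if len(raw) < 5:
        return None
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", raw[:5])
    return {"content_type": ctype, "version": (vmaj, vmin), "length": length}


# Constructed record of a short ClientHello: type 22, version 3.1 (TLS 1.0),
# body length 0x002f. The high byte of the length is 0x00; the assumption here
# is that Apache's request line stops at that NUL, so only the first three
# bytes reach the log.
SAMPLE_CLIENTHELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 41


def logged_request_bytes(raw):
    """What survives of a raw request line once it is cut at the first NUL."""
    return raw.split(b"\x00", 1)[0]


def summarize(lines):
    """Count entries per category: the quick triage the thread was after."""
    counts = {}
    for line in lines:
        cat = classify(parse_line(line))
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print("%-16s %-22s status=%d response_bytes=%d"
              % (rec["client"], classify(rec), rec["status"], rec["bytes"]))
    print(summarize(SAMPLE_LOG))
    print(decode_query(parse_line(SAMPLE_LOG[4])))
    print(tls_record_header(SAMPLE_CLIENTHELLO), logged_request_bytes(SAMPLE_CLIENTHELLO))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; a non-proxying Apache answers a proxy probe with its own content for the path in the URI, which is consistent with the 200 for "/" and the 404 for "/faq.cgi" above, and a count of "proxy-probe" entries per client address is the figure worth watching. The tcpdump capture suggested in the thread is the right check when the log alone is ambiguous, since it shows the raw request bytes before Apache's escaping.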