"Robin Faichney" <[EMAIL PROTECTED]> wrote:

> Sorry, what it's actually saying is that it cannot autodetect the
> logfile format. What puzzles me is that I don't think the format
> has actually changed, though of course my assumption that it's the
> formmail.pl exploit lines that are causing the problem could be
> wrong -- unfortunately, I didn't note the date of the first error
> message, and for reasons I won't bore you with, couldn't get access
> to the server for ages.
>
> This is the first line in the file:
>
> 63.42.242.74 - - [25/Jan/2002:04:25:39 +0000] "GET /cgi-bin/formmail.pl ....
> F%3D"aol:/2000:http:[EMAIL PROTECTED]/~tant/index7.html">CLI

The log is in NCSA Combined format, which uses double quotes to indicate the beginning and end of the request string. This line has double quotes within the request string, which prevents Analog parsing it.

> uture%20mailings,%20please%20reply%20with%20"remove"%20in%20the%20subje

More double quotes.

> y%20with%20"remove"%20in%20the%20subject%20line.<BR><BR><BR><BR><BR><BR

More double quotes.

> <BR><BR>pq1p2c<BR>pq1p2c<BR>pq1p2c<BR></FONT></HTML> HTTP/1.1" 200 661
> "-" "Microsoft URL Control - 6.00.8862"
>
> What do you think?

You might be able to get around this by teaching Analog to recognize the first part of these requests, and throwing the rest away as junk. For example, this LOGFORMAT will parse the sample line you provided:

LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r/recipient%j HTTP%j" %c %b "%f" "%B")

If you also add the LOGFORMAT for NCSA Combined, then Analog should be able to parse the lines that aren't messed up too.

LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%f" "%B")

Aengus

+------------------------------------------------------------------------
|  This is the analog-help mailing list. To unsubscribe from this
|  mailing list, go to
|    http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
|  List archives are available at
|    http://www.mail-archive.com/[email protected]/
|    http://lists.isite.net/listgate/analog-help/archives/
|    http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
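
The parsing failure discussed in this thread, as an added example that is not part of the original messages and is not Analog code: a Python parser for NCSA Combined lines that anchors on the fixed fields at both ends of the line, so a request containing double quotes still parses and is set aside for review. The function names and sample lines are constructed for illustration.

```python
import re

# Fixed fields before and after the request. Anchoring on both ends lets the
# request itself contain double quotes, which a left-to-right parser cannot.
HEAD = re.compile(r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "')
TAIL = re.compile(r'" (?P<status>\d{3}) (?P<bytes>\d+|-) '
                  r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"\s*$')

def parse_combined(line):
    """Return a dict of fields for one NCSA Combined line, or None."""
    head, tail = HEAD.match(line), TAIL.search(line)
    if not head or not tail or tail.start() < head.end():
        return None
    request = line[head.end():tail.start()]
    method, _, rest = request.partition(" ")
    target, _, proto = rest.rpartition(" ")
    if not proto.startswith("HTTP/"):      # no protocol token, or mangled request
        target, proto = rest, ""
    rec = {**head.groupdict(), **tail.groupdict()}
    rec.update(method=method, target=target, protocol=proto,
               embedded_quotes='"' in request)
    return rec

# Constructed sample lines (documentation addresses, not from a real log).
SAMPLE = [
    '192.0.2.20 - - [25/Jan/2002:04:26:01 +0000] "GET /index.html HTTP/1.0" '
    '200 1043 "http://example.com/" "Mozilla/4.0"',
    '192.0.2.10 - - [25/Jan/2002:04:25:39 +0000] "GET /cgi-bin/formmail.pl?'
    'recipient=a@example.com&body=reply%20with%20"remove"%20in%20subject '
    'HTTP/1.1" 200 661 "-" "Microsoft URL Control - 6.00.8862"',
    'not a log line',
]

def review(lines):
    """Split lines into clean records, records needing review, and rejects."""
    clean, suspect, rejected = [], [], []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            rejected.append(line)
        elif rec["embedded_quotes"]:
            suspect.append(rec)
        else:
            clean.append(rec)
    return clean, suspect, rejected

if __name__ == "__main__":
    for rec in review(SAMPLE)[1]:
        print(rec["host"], rec["time"], rec["target"][:60])
```

Lines whose referrer or user-agent fields themselves contain double quotes are rejected rather than guessed at, so the rejected list is worth inspecting too.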
