On Wed, 2009-09-16 at 22:08 +0200, Jean-Pierre van Melis wrote:
> I would like to sanitize URLs so I will not see these kinds of entries in my
> log again.
> Does anyone know what he's trying to do?
> They are traveling through my reverse proxy and are passed on to my
> lighttpd-server. I think they are some kind of hacking attempts.
>
> Can someone please advise?
>
> This is part of my lighttpd log (replaced my domain with mydomain.com) the IP
> is real.
> 119.202.149.89.in-addr.arpa name = saugnapf.piracy-insi.de.
>
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:10 +0200] "GET /imdb
> HTTP/1.1" 200 22077 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1)"
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:14 +0200] "GET /name/[%5E
> HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1)"
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:15 +0200] "GET
> /%5C%22/wga%5C%22 HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1)"
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:16 +0200] "GET /title/[%5E
> HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1)"
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:18 +0200] "GET
> /%5C%22%22.$site, HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1)"
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:19 +0200] "GET /([%5E
> HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1)"
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:22 +0200] "GET /%5C%22%22);
> HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1)"
> 89.149.202.119 mydomain.com - [16/Sep/2009:19:36:27 +0200] "GET
> /%5C/title%5C/tt(%5Cd+)%5C/.*%5C HTTP/1.1" 404 345 "-" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

They are looking for weak spots. You can't realistically filter them out unless you know exactly what you would like to block - there's too many of them.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
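
The following is an added example, not part of the original messages: it parses access-log entries in the format quoted above, percent-decodes each requested path, and reports clients that produce a burst of 404 responses. The function names and the threshold of five 404s within 60 seconds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Entries copied from the quoted log (mail wrapping re-joined, trailing referer
# and user-agent fields dropped); the last line is constructed for contrast.
SAMPLE = """\
89.149.202.119 mydomain.com - [16/Sep/2009:19:36:10 +0200] "GET /imdb HTTP/1.1" 200 22077
89.149.202.119 mydomain.com - [16/Sep/2009:19:36:14 +0200] "GET /name/[%5E HTTP/1.1" 404 345
89.149.202.119 mydomain.com - [16/Sep/2009:19:36:15 +0200] "GET /%5C%22/wga%5C%22 HTTP/1.1" 404 345
89.149.202.119 mydomain.com - [16/Sep/2009:19:36:16 +0200] "GET /title/[%5E HTTP/1.1" 404 345
89.149.202.119 mydomain.com - [16/Sep/2009:19:36:19 +0200] "GET /([%5E HTTP/1.1" 404 345
89.149.202.119 mydomain.com - [16/Sep/2009:19:36:27 +0200] "GET /%5C/title%5C/tt(%5Cd+)%5C/.*%5C HTTP/1.1" 404 345
192.0.2.10 mydomain.com - [16/Sep/2009:19:40:02 +0200] "GET /favicon.ico HTTP/1.1" 404 345
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.+) HTTP/[\d.]+" (\d{3}) ')

def parse(line):
    """Return (client, time, path decoded once, status), or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), when, unquote(m.group(4)), int(m.group(5))

def probing_clients(log_text, min_404=5, window=timedelta(seconds=60)):
    """Map client -> decoded 404 paths, for clients with a burst of 404s."""
    misses = defaultdict(list)
    for client, when, path, status in filter(None, map(parse, log_text.splitlines())):
        if status == 404:
            misses[client].append((when, path))
    flagged = {}
    for client, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so it spans at most `window` of log time.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= min_404:
                flagged[client] = [p for _, p in hits]
                break
    return flagged

if __name__ == "__main__":
    for client, paths in probing_clients(SAMPLE).items():
        print(client, len(paths), "x 404:", paths)
```

Reading the decoded paths next to the burst count gives a per-client summary to review without maintaining a list of individual URLs to block.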
