Re: Nonsensical Web Log Entries

2011-03-22 Thread Michael J. Kearney
I'm just saying... you can add to but not take away from your operational 
matrices for instance by using tcpdump to analyze the traffic on port 80 ... 
lol sounds like a foul ball

pe...@vfemail.net pe...@vfemail.net wrote:

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

RE: Nonsensical Web Log Entries

2011-03-10 Thread peter

I had to change fxp0 to xl0, but that tcpdump command is very cool, very 
instructive and very reassuring.  Thank you.  




At 05:57 PM 3/9/2011, Michael  J. Kearney wrote:
I don't know if I got through the last time but you ... could... add to but 
not take away from your operational matrices by writing it to a file. Using 
tcpdump to analyze the traffic on your webserver, it might clear up some of 
the confusion.

tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale

You can also read some of the output data.

Eg, here are some of my logs:

168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] GET 
/index.php?domain=fixitbottld=comlookup=%3E%3E HTTP/1.1 200 5413 - 
Mozilla
/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

The query is 8,223 bytes and logged as 5,413 bytes ?

The only logical conclusion is that the header data is false. Unfortunately the 
RAW data does not reveal anything more than that. Maybe you will have better 
luck .. and p.s. I was hanging out with my android earlier, I hope this helps.


-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of pe...@vfemail.net
Sent: Wednesday, March 09, 2011 3:40 PM
To: freebsd-questions@freebsd.org
Subject: Re: Nonsensical Web Log Entries

At 03:02 PM 3/9/2011, pe...@vfemail.net wrote:
At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 From owner-freebsd-questi...@freebsd.org  Wed Mar  9 10:40:23 2011
 Date: Wed, 09 Mar 2011 09:57:03 -0500
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Nonsensical Web Log Entries


 I was looking at my Web log this morning, and a bunch of nonsensical
 entries like these caught my attention:

 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
 HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  MSIE 6.0; Windows NT 
 5.1; SV1)
 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
 http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
 http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
 HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible;  
 MSIE 6.0; Windows NT 5.1; SV1)
 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
 http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
 http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
 MSIE 6.0; Windows NT 5.1; SV1)

 Is my FreeBSD box serving as some kind of Web proxy?

Your box is _not_ doing the proxying.  that's why it's signalling errors
for those requests.

The perpetrators are _hoping_ you are running a misconfigured proxying front-
end.

Does this entry change your conclusion:

 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
 http://images.google.com/ HTTP/1.1 200 13134 - -


Here's another entry that's too bizarre for words:

 218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] \x16\x03\x01 200 13107 
 - -



-
This message sent via VFEmail.net
http://www.vfemail.net
$14.95 Lifetime accounts!  15GB disk!  No bandwidth quotas!



RE: Nonsensical Web Log Entries

2011-03-10 Thread Michael J. Kearney
How is your research going along? No harm no foul, right? Did you find what you 
had expected to find or some other anomaly? I'm stuck with these packets trying 
to reverse engineer the software that rendered them... lol

pe...@vfemail.net pe...@vfemail.net wrote:


I had to change fxp0 to xl0, but that tcpdump command is very cool, very 
instructive and very reassuring.  Thank you.




At 05:57 PM 3/9/2011, Michael  J. Kearney wrote:
I don't know if I got through the last time but you ... could... add to but 
not take away from your operational matrices by writing it to a file. Using 
tcpdump to analyze the traffic on your webserver, it might clear up some of 
the confusion.

tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale

You can also read some of the output data.

Eg, here are some of my logs:

168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] GET 
/index.php?domain=fixitbottld=comlookup=%3E%3E HTTP/1.1 200 5413 - 
Mozilla
/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

The query is 8,223 bytes and logged as 5,413 bytes ?

The only logical conclusion is that the header data is false. Unfortunately the 
RAW data does not reveal anything more than that. Maybe you will have better 
luck .. and p.s. I was hanging out with my android earlier, I hope this helps.


-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of pe...@vfemail.net
Sent: Wednesday, March 09, 2011 3:40 PM
To: freebsd-questions@freebsd.org
Subject: Re: Nonsensical Web Log Entries

At 03:02 PM 3/9/2011, pe...@vfemail.net wrote:
At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 From owner-freebsd-questi...@freebsd.org  Wed Mar  9 10:40:23 2011
 Date: Wed, 09 Mar 2011 09:57:03 -0500
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Nonsensical Web Log Entries


 I was looking at my Web log this morning, and a bunch of nonsensical
 entries like these caught my attention:

 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
 HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  MSIE 6.0; Windows NT 
 5.1; SV1)
 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
 http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
 http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
 HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible;  
 MSIE 6.0; Windows NT 5.1; SV1)
 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
 http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
 http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
 MSIE 6.0; Windows NT 5.1; SV1)

 Is my FreeBSD box serving as some kind of Web proxy?

Your box is _not_ doing the proxying.  that's why it's signalling errors
for those requests.

The perpetrators are _hoping_ you are running a misconfigured proxying front-
end.

Does this entry change your conclusion:

 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
 http://images.google.com/ HTTP/1.1 200 13134 - -


Here's another entry that's too bizarre for words:

 218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] \x16\x03\x01 200 13107 
 - -





RE: Nonsensical Web Log Entries

2011-03-10 Thread peter

I'm still kind of confused about why Apache doesn't say what in the world are 
you talking about when these bizarre requests arrive, but there's no 
indication that anything untoward is occurring.  Perhaps newer versions do.  
I'm using what's probably a really old installation. 



At 03:33 PM 3/10/2011, Michael  J. Kearney wrote:
How is your research going along? No harm no foul, right? Did you find what 
you had expected to find or some other anomaly? I'm stuck with these packets 
trying to reverse engineer the software that rendered them... lol

pe...@vfemail.net pe...@vfemail.net wrote:


I had to change fxp0 to xl0, but that tcpdump command is very cool, very 
instructive and very reassuring.  Thank you.




At 05:57 PM 3/9/2011, Michael  J. Kearney wrote:
I don't know if I got through the last time but you ... could... add to but 
not take away from your operational matrices by writing it to a file. Using 
tcpdump to analyze the traffic on your webserver, it might clear up some of 
the confusion.

tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale

You can also read some of the output data.

Eg, here are some of my logs:

168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] GET 
/index.php?domain=fixitbottld=comlookup=%3E%3E HTTP/1.1 200 5413 - 
Mozilla
/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

The query is 8,223 bytes and logged as 5,413 bytes ?

The only logical conclusion is that the header data is false. Unfortunately 
the RAW data does not reveal anything more than that. Maybe you will have 
better luck .. and p.s. I was hanging out with my android earlier, I hope 
this helps.


-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of pe...@vfemail.net
Sent: Wednesday, March 09, 2011 3:40 PM
To: freebsd-questions@freebsd.org
Subject: Re: Nonsensical Web Log Entries

At 03:02 PM 3/9/2011, pe...@vfemail.net wrote:
At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 From owner-freebsd-questi...@freebsd.org  Wed Mar  9 10:40:23 2011
 Date: Wed, 09 Mar 2011 09:57:03 -0500
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Nonsensical Web Log Entries


 I was looking at my Web log this morning, and a bunch of nonsensical
 entries like these caught my attention:

 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET 
 http://www.yahoo.com/ HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  
 MSIE 6.0; Windows NT 5.1; SV1)
 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
 http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
 http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
 HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible; 
  MSIE 6.0; Windows NT 5.1; SV1)
 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
 http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
 http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
 MSIE 6.0; Windows NT 5.1; SV1)

 Is my FreeBSD box serving as some kind of Web proxy?

Your box is _not_ doing the proxying.  that's why it's signalling errors
for those requests.

The perpetrators are _hoping_ you are running a misconfigured proxying 
front-
end.

Does this entry change your conclusion:

 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
 http://images.google.com/ HTTP/1.1 200 13134 - -


Here's another entry that's too bizarre for words:

 218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] \x16\x03\x01 200 
 13107 - -




Nonsensical Web Log Entries

2011-03-09 Thread peter

I was looking at my Web log this morning, and a bunch of nonsensical entries 
like these caught my attention:

124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
HTTP/1.0 301 294 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1)
115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] GET 
http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)
114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)

Is my FreeBSD box serving as some kind of Web proxy?  






Re: Nonsensical Web Log Entries

2011-03-09 Thread Michael J. Kearney
Idk, I have similar entries. It's not a proxy. Remember Lot's wife... lol

pe...@vfemail.net pe...@vfemail.net wrote:


I was looking at my Web log this morning, and a bunch of nonsensical entries 
like these caught my attention:

124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
HTTP/1.0 301 294 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1)
115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] GET 
http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)
114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)

Is my FreeBSD box serving as some kind of Web proxy?






Re: Nonsensical Web Log Entries

2011-03-09 Thread peter

My wife will turn into a pillar of salt if she looks at my Web logs?  :)  

So this is normal behavior?   

The latest entry is:

  188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
http://images.google.com/ HTTP/1.1 200 13134 - -

This entry says that my Web server handed the person at IP address 
188.134.62.20 13,134 bytes of something, correct?  What was served?  I don't 
have any Web pages on my Web site with Google's name in it. 

---

At 12:16 PM 3/9/2011, Michael  J. Kearney wrote:
Idk, I have similar entries. It's not a proxy. Remember Lot's wife... lol

pe...@vfemail.net pe...@vfemail.net wrote:


I was looking at my Web log this morning, and a bunch of nonsensical entries 
like these caught my attention:

124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
HTTP/1.0 301 294 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1)
115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] GET 
http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)
114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)

Is my FreeBSD box serving as some kind of Web proxy?






Re: Nonsensical Web Log Entries

2011-03-09 Thread peter
At 02:23 PM 3/9/2011, Bryan H. wrote:
On Wed, Mar 9, 2011 at 11:21 AM,  pe...@vfemail.net wrote:

 My wife will turn into a pillar of salt if she looks at my Web logs?  :)

 So this is normal behavior?

 The latest entry is:

  188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
 http://images.google.com/ HTTP/1.1 200 13134 - -

 This entry says that my Web server handed the person at IP address 
 188.134.62.20 13,134 bytes of something, correct?  What was served?  I don't 
 have any Web pages on my Web site with Google's name in it.

 ---

 At 12:16 PM 3/9/2011, Michael  J. Kearney wrote:
Idk, I have similar entries. It's not a proxy. Remember Lot's wife... lol

pe...@vfemail.net pe...@vfemail.net wrote:


I was looking at my Web log this morning, and a bunch of nonsensical entries 
like these caught my attention:

124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
HTTP/1.0 301 294 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
SV1)
123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1; SV1)
115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] GET 
http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1)
114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1)

Is my FreeBSD box serving as some kind of Web proxy?






Probably a standard 404 Not Found response, if I were to guess.


Some of these odd requests generate 404 page-not-found errors, some generate 
301 redirect messages, but the bizarre result is a 200 response with the 
indication that real data is being distributed.  







Re: Nonsensical Web Log Entries

2011-03-09 Thread Bryan H.
On Wed, Mar 9, 2011 at 11:21 AM,  pe...@vfemail.net wrote:

 My wife will turn into a pillar of salt if she looks at my Web logs?  :)

 So this is normal behavior?

 The latest entry is:

      188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
 http://images.google.com/ HTTP/1.1 200 13134 - -

 This entry says that my Web server handed the person at IP address 
 188.134.62.20 13,134 bytes of something, correct?  What was served?  I don't 
 have any Web pages on my Web site with Google's name in it.

 ---

 At 12:16 PM 3/9/2011, Michael  J. Kearney wrote:
Idk, I have similar entries. It's not a proxy. Remember Lot's wife... lol

pe...@vfemail.net pe...@vfemail.net wrote:


I was looking at my Web log this morning, and a bunch of nonsensical entries 
like these caught my attention:

124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
HTTP/1.0 301 294 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
SV1)
123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1)
115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] GET 
http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)
114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1)

Is my FreeBSD box serving as some kind of Web proxy?






Probably a standard 404 Not Found response, if I were to guess.


Re: Nonsensical Web Log Entries

2011-03-09 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Wed Mar  9 10:40:23 2011
 Date: Wed, 09 Mar 2011 09:57:03 -0500
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Nonsensical Web Log Entries


 I was looking at my Web log this morning, and a bunch of nonsensical 
 entries like these caught my attention:

 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
 HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  MSIE 6.0; Windows NT 5.1; 
 SV1)
 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
 http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 (compatible; 
 MSIE 6.0; Windows NT 5.1; SV1) 
 115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
 http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
 HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible;  
 MSIE 6.0; Windows NT 5.1; SV1)
 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
 http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
 http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; MSIE 
 6.0; Windows NT 5.1; SV1)

 Is my FreeBSD box serving as some kind of Web proxy?

Your box is _not_ doing the proxying.  That's why it's signalling errors
for those requests.

The perpetrators are _hoping_ you are running a misconfigured proxying front-
end.




Re: Nonsensical Web Log Entries

2011-03-09 Thread peter
At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 From owner-freebsd-questi...@freebsd.org  Wed Mar  9 10:40:23 2011
 Date: Wed, 09 Mar 2011 09:57:03 -0500
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Nonsensical Web Log Entries


 I was looking at my Web log this morning, and a bunch of nonsensical 
 entries like these caught my attention:

 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
 HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  MSIE 6.0; Windows NT 5.1; 
 SV1)
 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
 http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
 115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
 http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
 HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible;  
 MSIE 6.0; Windows NT 5.1; SV1)
 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
 http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
 http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
 MSIE 6.0; Windows NT 5.1; SV1)

 Is my FreeBSD box serving as some kind of Web proxy?

Your box is _not_ doing the proxying.  that's why it's signalling errors
for those requests.

The perpetrators are _hoping_ you are running a misconfigured proxying front-
end.

Does this entry change your conclusion:

 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
http://images.google.com/ HTTP/1.1 200 13134 - -






Re: Nonsensical Web Log Entries

2011-03-09 Thread peter
At 03:02 PM 3/9/2011, pe...@vfemail.net wrote:
At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 From owner-freebsd-questi...@freebsd.org  Wed Mar  9 10:40:23 2011
 Date: Wed, 09 Mar 2011 09:57:03 -0500
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Nonsensical Web Log Entries


 I was looking at my Web log this morning, and a bunch of nonsensical 
 entries like these caught my attention:

 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
 HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  MSIE 6.0; Windows NT 5.1; 
 SV1)
 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
 http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
 115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
 http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
 HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible;  
 MSIE 6.0; Windows NT 5.1; SV1)
 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
 http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
 http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
 MSIE 6.0; Windows NT 5.1; SV1)

 Is my FreeBSD box serving as some kind of Web proxy?

Your box is _not_ doing the proxying.  that's why it's signalling errors
for those requests.

The perpetrators are _hoping_ you are running a misconfigured proxying front-
end.

Does this entry change your conclusion:

 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
 http://images.google.com/ HTTP/1.1 200 13134 - -


Here's another entry that's too bizarre for words:

 218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] \x16\x03\x01 200 13107 
- -





Re: Nonsensical Web Log Entries

2011-03-09 Thread Michael Ross

On 09.03.2011 at 21:40, pe...@vfemail.net wrote:



Does this entry change your conclusion:

188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET  
http://images.google.com/ HTTP/1.1 200 13134 - -




If I do:

%telnet localhost 80

and enter:

GET / HTTP/1.1
Host: images.google.com

I get this in my logfile:

	127.0.0.1 images.google.com - [09/Mar/2011:22:06:48 +0100] GET /  
HTTP/1.1 200 2257 - -


My vhost setup serves the default host if the requested host is unknown,
thus 200 OK.



Here's another entry that's too bizarre for words:

 218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] \x16\x03\x01 200  
13107 - -




Talking ssl to a non-ssl vhost. Google that one.



Regards,
Michael
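
Added example (not part of any poster's message and not code from the thread): a small Python triage of the log entries quoted in this thread. It separates open-proxy probes (absolute URIs naming a foreign host) from the TLS-handshake entry, and checks whether a 200 answer to a probe has the same size as a page the server sends for its own site. LOCAL_HOSTS, the function names and the last sample line are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption for this example: the host names this server really serves.
LOCAL_HOSTS = {"www.example.org", "example.org"}

# The first four entries are quoted from the thread, re-joined onto one line
# each (the archive dropped the double quotes). The last entry is constructed:
# an ordinary request for the site's own front page, with a made-up size chosen
# to equal the one logged for the images.google.com request.
SAMPLE_LOG = r"""
124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ HTTP/1.0 301 294 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET http://images.google.com/ HTTP/1.1 200 13134 - -
218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] \x16\x03\x01 200 13107 - -
192.0.2.10 - - [09/Mar/2011:16:00:00 -0500] "GET / HTTP/1.1" 200 13134 "-" "-"
"""

# Request field with or without the surrounding double quotes.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"?(?P<request>.*?)"? (?P<status>\d{3}) (?P<size>\d+|-)(?: |$)'
)
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?$')


def classify(line, local_hosts=LOCAL_HOSTS):
    """Parse one access-log line and label what kind of request it records."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "client": m["client"],
        "request": m["request"],
        "status": int(m["status"]),
        "size": None if m["size"] == "-" else int(m["size"]),
        "host": None,
    }
    # Apache logs non-printable request bytes as \xhh. 0x16 is the TLS record
    # type "handshake" and 0x03 the protocol major version: a TLS client
    # talking to the plain-HTTP port, not an HTTP request at all.
    if rec["request"].startswith("\\x16\\x03"):
        rec["kind"] = "tls-on-http-port"
        return rec
    r = REQUEST_RE.match(rec["request"])
    if r is None:
        rec["kind"] = "malformed"
        return rec
    target = r["target"]
    if target.lower().startswith(("http://", "https://")):
        try:
            rec["host"] = (urlsplit(target).hostname or "").lower()
        except ValueError:
            rec["host"] = ""
        # An absolute URI naming one of our own hosts is a valid request;
        # one naming somebody else's host is a probe for an open proxy.
        rec["kind"] = "normal" if rec["host"] in local_hosts else "proxy-probe"
    else:
        rec["kind"] = "normal"
    return rec


def triage(log_text, local_hosts=LOCAL_HOSTS):
    """Return (count per kind, verdict per proxy probe keyed by client and host)."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            rec = classify(line, local_hosts)
            if rec is not None:
                records.append(rec)
    counts = Counter(r["kind"] for r in records)
    # Sizes of successful answers to ordinary requests, i.e. what this
    # server sends when it serves its own pages.
    own_sizes = {r["size"] for r in records
                 if r["kind"] == "normal" and 200 <= r["status"] < 300}
    verdicts = {}
    for r in records:
        if r["kind"] != "proxy-probe":
            continue
        if not 200 <= r["status"] < 300:
            verdict = "error-or-redirect"   # server answered with 3xx/4xx/5xx
        elif r["size"] in own_sizes:
            verdict = "served-own-page"     # same size as a local page: default vhost answered
        else:
            verdict = "review"              # 2xx with an unfamiliar size: inspect the proxy config
        verdicts[(r["client"], r["host"])] = verdict
    return counts, verdicts


if __name__ == "__main__":
    counts, verdicts = triage(SAMPLE_LOG)
    print(dict(counts))
    for key, verdict in verdicts.items():
        print(key, verdict)
```

Status and size are triage hints only; the telnet test with a foreign Host header shown in the message above is the direct confirmation that the default vhost, not a proxy, produced the 200.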


RE: Nonsensical Web Log Entries

2011-03-09 Thread Michael J. Kearney
I don't know if I got through the last time but you ... could... add to but not 
take away from your operational matrices by writing it to a file. Using tcpdump 
to analyze the traffic on your webserver, it might clear up some of the 
confusion.

tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale

You can also read some of the output data.

Eg, here are some of my logs:

168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] GET 
/index.php?domain=fixitbottld=comlookup=%3E%3E HTTP/1.1 200 5413 - Mozilla
/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

The query is 8,223 bytes and logged as 5,413 bytes ?

The only logical conclusion is that the header data is false. Unfortunately the 
RAW data does not reveal anything more than that. Maybe you will have better 
luck .. and p.s. I was hanging out with my android earlier, I hope this helps.


-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of pe...@vfemail.net
Sent: Wednesday, March 09, 2011 3:40 PM
To: freebsd-questions@freebsd.org
Subject: Re: Nonsensical Web Log Entries

At 03:02 PM 3/9/2011, pe...@vfemail.net wrote:
At 03:06 PM 3/9/2011, Robert Bonomi wrote:
 From owner-freebsd-questi...@freebsd.org  Wed Mar  9 10:40:23 2011
 Date: Wed, 09 Mar 2011 09:57:03 -0500
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Nonsensical Web Log Entries


 I was looking at my Web log this morning, and a bunch of nonsensical
 entries like these caught my attention:

 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET http://www.yahoo.com/ 
 HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  MSIE 6.0; Windows NT 5.1; 
 SV1)
 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
 http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
 http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
 HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible;  
 MSIE 6.0; Windows NT 5.1; SV1)
 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
 http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
 http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
 MSIE 6.0; Windows NT 5.1; SV1)

 Is my FreeBSD box serving as some kind of Web proxy?

Your box is _not_ doing the proxying.  that's why it's signalling errors
for those requests.

The perpetrators are _hoping_ you are running a misconfigured proxying front-
end.

Does this entry change your conclusion:

 188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
 http://images.google.com/ HTTP/1.1 200 13134 - -


Here's another entry that's too bizarre for words:

 218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] \x16\x03\x01 200 13107 
- -





Re: Nonsensical Web Log Entries

2011-03-09 Thread Ian Smith
In freebsd-questions Digest, Vol 353, Issue 5, Message: 21
On Wed, 09 Mar 2011 15:02:57 -0500 pe...@vfemail.net wrote:
  At 03:06 PM 3/9/2011, Robert Bonomi wrote:
  
   I was looking at my Web log this morning, and a bunch of nonsensical 
   entries like these caught my attention:
  
   124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] GET 
   http://www.yahoo.com/ HTTP/1.0 301 294 - Mozilla/4.0 (compatible;  
   MSIE 6.0; Windows NT 5.1; SV1)
   123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] GET 
   http://makeabank.com/faq.cgi HTTP/1.0 404 3485 - Mozilla/4.0 
   (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
   115.225.166.2 -  - [09/Mar/2011:09:50:04 -0500] GET 
   http://join1.winhundred.com/affiliate/link.php?ref=35840productid=7178 
   HTTP/1.0 404 3485 http://www.wingclips.com/; Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1)
   114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] GET 
   http://www.tosunmail.com/proxyheader.php HTTP/1.0 301 313 
   http://www.cashsoldier.com/VerifyerLevel.php; Mozilla/4.0 (compatible; 
   MSIE 6.0; Windows NT 5.1; SV1)
  
   Is my FreeBSD box serving as some kind of Web proxy?
  
  Your box is _not_ doing the proxying.  that's why it's signalling errors
  for those requests.
  
  The perpetrators are _hoping_ you are running a misconfigured proxying 
  front-
  end.
  
  Does this entry change your conclusion:
  
   188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] GET 
  http://images.google.com/ HTTP/1.1 200 13134 - -

No, Robert is right.

Note that the first four you listed were all HTTP/1.0 requests.  The 
ones with anything after the last '/' are 404 (page not found) except 
the last.  Not sure about that 301, do you have a proxyheader.php?

The more recent one is HTTP/1.1 with nothing after the last / so the 
http://images.google.com is ignored, and I expect you may find that 
your home page (ie requests for just '/') serve up 13134 bytes?

At least that's what happens here with apache 1.3; here's a few examples 
from a seldom-accessed vhost where lots of requests are bogus, usually 
appearing across multiple vhosts (ie, from a sweep over IP addresses)

24.106.193.92 - - [01/Feb/2011:23:05:21 +1100] GET http://www.ya.ru:80/ 
HTTP/1.0 200 2327 - Mozilla/4.0 (compatible; Synapse)

(this one fetched the home page, see below)
 
83.20.184.159 - - [02/Feb/2011:10:43:04 +1100] GET / HTTP/1.1 403 287 - -

(requests w/ no referer (sic) and no browser (- -) are denied here)

217.174.232.11 - - [03/Feb/2011:20:31:16 +1100] GET / HTTP/1.1 200 2327 - 
Opera/9.00 (Windows NT 5.1; U; en)
88.250.12.104 - - [03/Feb/2011:20:36:45 +1100] GET / HTTP/1.1 200 2327 - 
Opera/9.00 (Windows NT 5.1; U; en)

(accepted requests, this static / page always serves 2327 bytes)

109.61.188.165 - - [05/Feb/2011:20:46:04 +1100] GET http://www.yahoo.com/ 
HTTP/1.1 403 287 - Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
84.127.236.75 - - [06/Feb/2011:10:25:53 +1100] GET http://www.ebay.com/ 
HTTP/1.1 403 287 - Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)

(forbidden browser strings /or IP addresses in $apachedir/access.conf)

91.195.136.10 - - [07/Feb/2011:02:33:55 +1100] GET http://images.google.com/ 
HTTP/1.1 200 2327 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; 
WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; .NET4.0C; .NET4.0E)

Oh look, one just like yours, but with an acceptable browser string .. 
so it got the homepage, attempted proxying request being just ignored.

cheers, Ian
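
The checks discussed across this thread (an absolute URI in the request line, a TLS handshake sent to the plain-HTTP port, and comparing the response size with the local home page), as an added example that is not part of any poster's message. It assumes Apache's combined log format with quoted fields; the function names are hypothetical and the sample lines are constructed, modelled on the entries quoted above.

```python
import re
from collections import Counter

# Apache "combined" line; the quoted request is kept whole, a probe may not be HTTP.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) (\d+|-)')
REQ_RE = re.compile(r'^([A-Z]+) (\S+) HTTP/\d\.\d$')
ABS_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    _ip, req, status, size = m.groups()
    return req, int(status), 0 if size == "-" else int(size)

def homepage_size(lines):
    """Most common body size among 200 responses to a plain 'GET /'."""
    sizes = Counter()
    for req, status, size in filter(None, map(parse, lines)):
        m = REQ_RE.match(req)
        if m and m.groups() == ("GET", "/") and status == 200:
            sizes[size] += 1
    return sizes.most_common(1)[0][0] if sizes else None

def classify(line, home_size):
    rec = parse(line)
    if rec is None:
        return ("unparsed", "review")
    req, status, size = rec
    m = REQ_RE.match(req)
    if req.startswith("\\x16\\x03"):      # TLS handshake record sent to a plain-HTTP port
        kind = "tls-on-plain-http"
    elif m is None:
        kind = "malformed"
    elif m.group(1) == "CONNECT" or ABS_URI_RE.match(m.group(2)):
        kind = "proxy-probe"              # absolute URI: client treats us as a proxy
    else:
        return ("normal", "ok")
    if status >= 300:
        return (kind, "rejected-or-redirected")
    return (kind, "served-local-default" if size == home_size else "review")

# Constructed sample lines modelled on the entries in the thread (documentation IPs).
SAMPLE = [
    r'198.51.100.7 - - [09/Mar/2011:12:00:00 -0500] "GET / HTTP/1.1" 200 13134 "-" "Opera/9.00"',
    r'192.0.2.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"',
    r'192.0.2.21 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "-"',
    r'192.0.2.22 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"',
    r'192.0.2.23 - - [09/Mar/2011:16:00:00 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 48211 "-" "-"',
]
```

A "review" result means a 200 whose size does not match the local home page, which is the case worth checking by hand against the vhost and proxy configuration.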