[nycbug-talk] (a bit ot) web server weird stuff

George Rosamond george at ceetonetechnology.com
Tue May 19 14:40:17 EDT 2009


Steve Rieger wrote:
> Starting yesterday I see the following in my access logs, and can't seem
> to figure out what the heck is going on.
> Using lighttpd; got any insight?
> 
> 77.108.102.246 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.43:443 HTTP/1.0" 501 357 "-" "-"
> 77.66.227.146 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.36:443 HTTP/1.0" 501 357 "-" "-"
> 77.66.227.146 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.16:443 HTTP/1.0" 501 357 "-" "-"
> 60.168.252.7 xml.nbcsearch.com - [19/May/2009:10:07:10 -0700] "GET http://xml.nbcsearch.com/xml.php?affiliate=searchdao&Terms=food+nutrition&IP=208%2E127%2E94%2E89 HTTP/1.0" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; Alexa Toolbar)"
> 77.108.102.246 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.31:443 HTTP/1.0" 501 357 "-" "-"
> 59.90.1.66 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.6:443 HTTP/1.0" 501 357 "-" "-"
> 59.90.1.66 - - [19/May/2009:10:07:10 -0700] "CONNECT 205.188.251.1:443 HTTP/1.0" 501 357 "-" "-"
> 113.22.163.156 - - [19/May/2009:10:07:10 -0700] "GET http://n31.login.re3.yahoo.com/config/pwtoken_get?login=roseau@snet.net&src=ygodgw&passwd=bc144134bc7b61191e8e2f6c0833364c&challenge=FqJZxsmRe5Eq__AOpETXgvYrGqMd&md5=1 HTTP/1.0" 404 345 "-" "MobileRunner-J2ME"
> 117.13.200.239 adserver.adtech.de - [19/May/2009:10:07:10 -0700] "GET http://adserver.adtech.de/adiframe/3.0/932/2081232/0/225/ADTECH;target=_blank;grp=%5Bgroup%5D HTTP/1.1" 404 345 "http://www.vampirefreaks.com/" "mozilla/5.0 (windows; u; win98; en-us; rv:1.8.0.7) gecko/20060909 firefox/1.5.0.7"

Weird. . .

Just taking some stabs here, or at least stating the obvious. . .

The only URLs I ever remember seeing in access logs (in Apache or 
lighttpd) are connected to bots and spiders for indexing.

Is it possible that users can proxy through this box?  Is mod_proxy 
enabled in the conf file?

This might shed some light (doh):

http://rubyforge.org/pipermail/typo-list/2005-October/000864.html

(yeah, but you're not getting 200 status codes)

Without looking too closely, is your access log format standard?

Certainly doesn't look like it's the same user proxying, not use based 
on HTTP header info. . . I mean Chicago Hawks hockey and vampire freaks? 
. . . (gulp)

g
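A defender-side check for the pattern discussed above: flag CONNECT requests and absolute-URI GETs (proxy-style request lines) in an access log and report whether any of them actually got a 2xx, which is what would indicate the box relayed the request rather than refusing it. This is an added example, not code from the thread or from lighttpd; it assumes the common "combined" layout, with the second field either `-` or a hostname as in the quoted lines, and the sample lines below are constructed (RFC 5737 documentation addresses).

```python
import re
from collections import Counter

# Constructed sample lines shaped like the ones in the post, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [19/May/2009:10:07:10 -0700] "CONNECT 198.51.100.43:443 HTTP/1.0" 501 357 "-" "-"
192.0.2.11 xml.example.net - [19/May/2009:10:07:10 -0700] "GET http://xml.example.net/xml.php?q=food HTTP/1.0" 404 345 "-" "Mozilla/4.0"
192.0.2.12 - - [19/May/2009:10:07:11 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.13 - - [19/May/2009:10:07:12 -0700] "GET http://ads.example.org/frame HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
"""

# client, second field (ident or vhost), user, [time], "METHOD target PROTO", status, size
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<field2>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line):
    """Return None for an ordinary request, else a dict describing a proxy-style request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        kind = "connect"        # tunnel request; only a forward proxy would honour it
    elif "://" in target:
        kind = "absolute-uri"   # GET http://other-host/...: request line aimed at a proxy
    else:
        return None             # normal origin-server request, e.g. GET /index.html
    return {
        "client": m["client"],
        "kind": kind,
        "target": target,
        "status": status,
        # 2xx on a proxy-style request means the server relayed it; 501/404 means it refused
        "relayed": 200 <= status < 300,
    }


def summarize(log_text):
    """Count proxy-style requests, how many were relayed, and which clients sent them."""
    probes = [p for p in (classify(l) for l in log_text.splitlines()) if p]
    return {
        "probes": len(probes),
        "relayed": sum(p["relayed"] for p in probes),
        "by_kind": dict(Counter(p["kind"] for p in probes)),
        "clients": sorted({p["client"] for p in probes}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real lighttpd access log by reading the file into `summarize`; a non-zero `relayed` count is the thing worth acting on, while 501s like those in the post show requests being refused.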


