Suddenly getting weird referrers
| 2:10 pm on May 11, 2003 (gmt 0)|
I suddenly noticed a huge amount of weird referrers in my logs. Suppose I have directories called /directory, /directory2 and /directory3 in my site. Yesterday, when I peeked at my logs, everything was normal. Today I saw about 100 referrers in form of
and so on.
When I looked at my 404 errors, I noticed the same trend:
and so on.
I've never seen anything like this in my logs before, and all these entries have occurred in a short period of time. What's going on?
| 10:13 pm on May 13, 2003 (gmt 0)|
Could be a human probing your site, or more likely a badly-written robot.
Block the IP address or IP address range just in case it's malicious.
| 5:28 am on May 14, 2003 (gmt 0)|
There's been a few exploits in various web servers that take advantage of bugs in the server's directory handling abilities by confusing it into showing what it shouldn't. eg, going to "http://www.example.com/../../../../etc/" might possibly reveal the contents of a machine's "etc" directory and allow someone to steal a passwd file or something. Maybe some new kiddie scanning tool has come out that looks for something similar and leaves those weird referrers behind?
| 11:00 am on May 13, 2003 (gmt 0)|
typing URLs like this is the first thing a wanna-be hacker does, though a character sequence like ///// looks rather weird (or, more likely, I haven't heard of it yet), but /../../../../ can get you to the top of the directory structure and then straight to /etc/passwd, or, say, /winnnt/system32/cmd.exe.