Msg#: 4546682 posted 6:46 am on Feb 19, 2013 (gmt 0)
I don't usually bother about one-offs, especially when it was literally a single request. But this one made me nervous. The resulting questions are equally divided between robots, Apache and PHP so we'll split the difference.
Verbatim except for a bit of camouflage and a strategically inserted blank space to prevent auto-linking:
where example.org is the target site-- making the request an auto-referer-- and the 85.10. part is the visitor. Yes, it really said .txt. The IP turns out to be Hetzner (..192.0/18), so that part was a no-brainer. But...
#1 what exactly were they asking for? Is that a literal string or does the whole thing collapse to "true" or "false"? Wording exactly as shown, no leading $
#2 how come this ends up with a 200? What would an html file be doing with a query string? I don't have any AddHandler or similar funny business. Is this a config setting at the host's end, or would requests in this form always come through?
#3 where's it getting 3795 bytes? I double-checked site logs: an ordinary request for this page runs right around 1645.
All of which leads to
#4 The short answer of course is "It's up to no good". But beyond that, what exactly was it trying to do? Is this another of those attempted-proxy things?
Postscript. I'm darn glad I took the time to look into this. Closer look at logs led to the unrelated but horrifying discovery that requesting "www.example.org/index.html" results in THREE consecutive redirects. Now fixed. Brr.