Apache access log: What's this thing?

         

smiddy

10:25 pm on Mar 23, 2005 (gmt 0)




It's kinda bothersome as it just appears as a lone request from the same IP time and again. It accessed my site 6 times in 30 minutes. There is no sign of this IP accessing anything else for the past two weeks, but every now and then this appears:

"GET /favicon.ico HTTP/1.1" 200 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; MSN 9.0;MSN 9.1; MSNbVZ02; MSNmen-us; MSNcOTH; MPLUS)"

sitz

2:19 am on Mar 24, 2005 (gmt 0)




Which IP address?

smiddy

1:55 pm on Mar 24, 2005 (gmt 0)




These two:

141.153.234.199
151.205.151.98

At least 7 times a day they are coming in asking for this favicon file and nothing more.

sitz

12:06 am on Mar 25, 2005 (gmt 0)





bash-2.04$ host 151.205.151.98
98.151.205.151.in-addr.arpa. domain name pointer pool-151-205-151-98.hag.east.verizon.net.

bash-2.04$ whois -h whois.arin.net 151.205.151.98
Verizon Internet Services VIS-151-196 (NET-151-196-0-0-1)
151.196.0.0 - 151.205.255.255
Verizon Internet Services VZ-DSLDIAL-HGTWPA-1 (NET-151-205-140-0-1)
151.205.140.0 - 151.205.155.255

(Note that you could also get this info from GeekTools, among other places: [geektools.com].)

Looks like Verizon DSL IPs. A Google search ([google.com]) on 'favicon.ico' should tell you what that file is. Honestly, I'd just ignore them. 7 lines in your logs doesn't mean a whole helluva lot. =)

smiddy

12:15 pm on Mar 25, 2005 (gmt 0)




I'm aware of the info you provided. What I'm trying to find out is why it keeps coming back requesting a favicon and nothing more. Is it a browser bug?

sitz

3:15 pm on Mar 25, 2005 (gmt 0)




A quick google turned up this: [magnux.org], which *may* explain why you're seeing those requests. Then again, it may not. =)

The problem is that there's no easy way to know *for sure* what's going on, since the only data you have to work with is the data that's being sent by the client. They could, for instance, be spoofing the user-agent. Far be it from me to discourage digging and finding the answer, so if you want to dig, please do; random curiosity is what keeps us in this game. =)

(This is a fancy way of saying "I don't know, and in my day job, I don't have the time to care unless I'm seeing thousands of these requests in a short period of time, all day, every day.") Note that if it's an issue, you can set up a <Location> block to deny access to that file, or simply block the IPs in the kernel or at the switch/router (depending on your environment).
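
The pattern asked about in this thread, clients whose only requests are for /favicon.ico, can be pulled out of a combined-format access log with a short script. This is an added example, not part of the original posts: the log lines are constructed and use documentation-range IPs, and the function name and `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (documentation-range IPs, not the addresses from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Mar/2005:21:55:01 +0000] "GET /favicon.ico HTTP/1.1" 200 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [23/Mar/2005:21:58:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [23/Mar/2005:21:58:13 +0000] "GET /favicon.ico HTTP/1.1" 200 206 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [23/Mar/2005:22:05:40 +0000] "GET /favicon.ico HTTP/1.1" 200 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [23/Mar/2005:22:10:02 +0000] "GET /favicon.ico HTTP/1.1" 200 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [23/Mar/2005:22:25:09 +0000] "GET /favicon.ico HTTP/1.1" 200 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
this line is not in combined format
"""

def favicon_only_clients(lines, min_hits=2):
    """Return ({ip: {"hits": n, "agents": [...]}}, skipped_line_count) for clients
    that made at least min_hits requests, every one of them for /favicon.ico."""
    paths = defaultdict(list)
    agents = defaultdict(set)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # malformed or non-combined line: count it, don't guess
            continue
        path = m["path"].split("?", 1)[0]   # ignore any query string
        paths[m["ip"]].append(path)
        agents[m["ip"]].add(m["agent"])     # client-supplied, so informational only
    report = {}
    for ip, seen in paths.items():
        if len(seen) >= min_hits and all(p == "/favicon.ico" for p in seen):
            report[ip] = {"hits": len(seen), "agents": sorted(agents[ip])}
    return report, skipped

if __name__ == "__main__":
    found, skipped = favicon_only_clients(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(ip, info["hits"], info["agents"])
    print("unparsed lines:", skipped)
```

The User-Agent values are reported only as context, since they are whatever the client chose to send.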

smiddy

4:56 pm on Mar 25, 2005 (gmt 0)




Thanks for the help. I'm more curious than anything. I like to know why about everything. That's my nature. This one is no big deal, just wanted to know why.

sitz

7:37 pm on Mar 25, 2005 (gmt 0)




Yep. Same here. In my current job, I've had to prioritize my curiosity a bit: "here's the stuff I care about" and "here's the stuff that would be neat to know, but isn't enough of an issue for me to have to care about it right now". =)

smiddy

11:29 pm on Mar 25, 2005 (gmt 0)




I can see that in a job. I'm doing the hobby thing. Just learning as I go and a bit of a perfectionist. Needless to say I don't know it all. I had my settings for Apache configured for the first two weeks of go live with directory viewing allowed. Had no idea I was allowing it, but that was the default setting for Apache. A visitor to my site let me know. I guess I deal with nice people.