Server-wise, we're:
SERVER_PROTOCOL = HTTP/1.1
SERVER_SOFTWARE = Apache/1.3.22 (yeah, it's old)
Does anyone know what any of the following oddities might mean, please? I've Googled their various 'parts' without much success. Now, with #1 on the increase on a near-daily basis and server-wide (a new exploit?), I don't know whether to simply stay observant or get concerned. Thank you!
-----
ODDITY #1 (all sites; all the time): /1.1
Host: .neoplus.adsl.tpnet.pl
User-agent: -
Request: /1.1
Response: 400 (a.k.a. Bad Request)
Error:
"[...] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): *"
-----
ODDITY #2 (one site; one time): request 1GET
Host: .dial.bell.ca
User-agent: Opera/9.50 (Windows NT 5.1; U; en)
Request: /sitename.ico (which exists)
Response: 501 (a.k.a. Not Implemented)
Error:
"[...] Invalid method in request 1GET /sitename.ico HTTP/1.1"
-----
ODDITY #3 (one site; all the time): "GET / HTTP/1.1" [home dir]
(Note: This is a regular visitor reading message board pages and posts in a subdir. He has no awareness of Explorer's near-simultaneous calls to the site's home page when he's reading posts. He has no special add-ons. The reload redundancy stopped immediately when he switched to Firefox.)
Host: .cable.ntl.com
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Requests:
[xx/Jun/2008:12:46:44] [/subdir/page]
[xx/Jun/2008:12:46:46] "GET / HTTP/1.1" [home dir]
[xx/Jun/2008:12:46:51] [/subdir/page]
[xx/Jun/2008:12:46:52] [/subdir/image]
[xx/Jun/2008:12:46:52] "GET / HTTP/1.1"
[xx/Jun/2008:12:47:23] [/subdir/page]
[xx/Jun/2008:12:47:24] "GET / HTTP/1.1"
[xx/Jun/2008:12:47:48] [/subdir/page]
[xx/Jun/2008:12:47:50] "GET / HTTP/1.1"
[xx/Jun/2008:12:48:07] [/subdir/page]
[xx/Jun/2008:12:48:13] [/subdir/page]
[xx/Jun/2008:12:48:14] [/subdir/image]
[xx/Jun/2008:12:48:24] [/subdir/page]
[xx/Jun/2008:12:48:25] "GET / HTTP/1.1"
[xx/Jun/2008:12:53:09] [/subdir/page]
[xx/Jun/2008:12:53:11] "GET / HTTP/1.1"
[xx/Jun/2008:12:53:27] [/subdir/page]
[xx/Jun/2008:12:53:29] "GET / HTTP/1.1"
[xx/Jun/2008:12:53:34] [/subdir/page]
[xx/Jun/2008:12:53:36] [/subdir/page]
[xx/Jun/2008:12:53:43] [/subdir/page]
[xx/Jun/2008:12:53:46] "GET / HTTP/1.1"
Response: 200 (a.k.a. A-OK:)
Error(s):
None
##
[edited by: tedster at 11:00 pm (utc) on June 27, 2008]
[edit reason] format fix [/edit]
Things like #1 and #2 are to be expected -- many malicious scripts used to scrape sites and harvest information have errors in them that make them easy to spot. #3 is hard to tell -- requires more research.
Jim
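Added example, not part of the thread or written by any poster: one way to tally the two malformed-request errors from oddities #1 and #2 per client, so a rise like the one described for #1 shows up as numbers. The log-line prefix layout, the sample lines, the addresses and the names `classify` and `summarize` are assumptions made for illustration; only the two error message texts come from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed Apache error_log layout; addresses are
# documentation ranges and timestamps are made up. Only the two error message
# texts are taken from the post above.
SAMPLE_ERROR_LOG = """\
[Fri Jun 27 12:40:01 2008] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /1.1
[Fri Jun 27 12:40:09 2008] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /1.1
[Fri Jun 27 12:41:30 2008] [error] [client 198.51.100.7] Invalid method in request 1GET /sitename.ico HTTP/1.1
[Fri Jun 27 12:42:02 2008] [error] [client 203.0.113.5] File does not exist: /var/www/html/missing.gif
[Fri Jun 27 12:43:15 2008] [error] [client 192.0.2.44] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /1.1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")

SIGNATURES = {
    "missing_host": re.compile(r"^client sent HTTP/1\.1 request without hostname"),
    "invalid_method": re.compile(r"^Invalid method in request (?P<method>\S+)"),
}

def classify(line):
    """Return (client, label, detail) for a malformed-request line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for label, sig in SIGNATURES.items():
        hit = sig.match(m["msg"])
        if hit:
            # detail is the bogus method token (e.g. "1GET") when there is one
            detail = hit.groupdict().get("method", "")
            return m["client"], label, detail
    return None

def summarize(log_text):
    """Tally malformed requests per label and per client."""
    by_label = Counter()
    by_client = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            client, label, _ = hit
            by_label[label] += 1
            by_client[client][label] += 1
    return by_label, {c: dict(n) for c, n in by_client.items()}

if __name__ == "__main__":
    labels, clients = summarize(SAMPLE_ERROR_LOG)
    print(dict(labels), clients)
```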
At this point, I don't know if he has AVG aboard but the log activity differs significantly from that of the (in)famous ";1813" UA.
[edited by: Pfui at 6:17 pm (utc) on June 27, 2008]
[edited by: tedster at 11:00 pm (utc) on June 27, 2008]
[edit reason] format fix [/edit]
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
This is not one of the known AVG LinkScanner user-agent strings. They'll likely be changing their UA as a result of the article in the Register, the cited WebmasterWorld thread and threads in other forums, but I haven't seen any sign of LinkScanner behaviour with a browser UA string yet.
Jim