Strange Error logs

         

yaashul

3:47 pm on Aug 3, 2011 (gmt 0)


I've been getting very strange logs in error_log for the last 2 months. I found out that more than 30000 different IPs have generated these logs in the last 1 month.

[Wed Aug 03 16:37:04 2011] [error] [client 193.253.141.81] File does not exist: /var/www/vhosts/mywebsitename/httpdocs/xlmpdt/rahul, referer: file:///Applications/Install/4D6D93E4-E17C-E011-986B-78E7D1FA76F8/Install/
[Wed Aug 03 16:37:07 2011] [error] [client 193.253.141.80] File does not exist: /var/www/vhosts/mywebsitename/httpdocs/xlmpdt/rahul, referer: file:///Applications/Install/4D6D93E4-E17C-E011-986B-78E7D1FA76F8/Install/
[Wed Aug 03 16:37:35 2011] [error] [client 171.240.146.167] File does not exist: /var/www/vhosts/mywebsitename/httpdocs/xlmpdt/saurabh, referer: file:///Applications/Install/4D6D93E4-E17C-E011-986B-78E7D1FA76F8/Install/
[Wed Aug 03 16:37:57 2011] [error] [client 46.57.155.108] File does not exist: /var/www/vhosts/mywebsitename/httpdocs/xlmpdt/saurabh, referer: file:///Applications/Install/4D6D93E4-E17C-E011-986B-78E7D1FA76F8/Install/
[Wed Aug 03 16:38:07 2011] [error] [client 171.240.146.167] File does not exist: /var/www/vhosts/mywebsitename/httpdocs/xlmpdt/saurabh, referer: file:///Applications/Install/4D6D93E4-E17C-E011-986B-78E7D1FA76F8/Install/


I used Pixazza (an ad network which provides images on ads) and have been getting these errors since the day I removed that code. The problem is that all those locations are for images and they are real, except the folder names are in capital letters rather than lower-case letters.

Is someone else having the same issue?

lucy24

6:56 pm on Aug 3, 2011 (gmt 0)


Question: What is the real-life error? That is, are they failing to get files that you want them to get, OR are they asking for files that you don't want them to ask for?

One solution involves a rewrite (probably fairly straightforward if the referer is always the same). The other solution means looking around a bit more and finding the one file you forgot to delete.

yaashul

7:13 pm on Aug 3, 2011 (gmt 0)


They are failing to get the file because they are asking for a file which has a different case, and Linux is case sensitive....

I really don't want to give them access to those files...

The referer is different most of the time... but in case I narrow down the referer, what would the rewrite statement be?

lucy24

7:28 pm on Aug 3, 2011 (gmt 0)


Oh, phooey. In your posted list of five examples from five different urls the referer is always

file:///Applications/Install/4D6D93E4-E17C-E011-986B-78E7D1FA76F8/Install/

Was that just coincidence? Do you have any legitimate referers that look similar?

Come to think of it, what's a file doing as a referer? Are you sure you didn't miss something when you deleted?

yaashul

3:01 am on Aug 4, 2011 (gmt 0)


A few more such errors:

[Thu Aug 04 03:56:17 2011] [error] [client 97.83.91.47] File does not exist: /var/www/vhosts/mywebsitename/httpdocs/xlmpdt/rahul, referer: file:///Applications/Install/58B637C2-CF66-E011-81D2-78E7D1FA76F8/Install/
[Thu Aug 04 03:48:58 2011] [error] [client 75.30.123.11] File does not exist: /var/www/vhosts/mywebsitename/httpdocs/uploads/2010/aug/25/rachel bilson, referer: file:///Applications/Install/58B637C2-CF66-E011-81D2-78E7D1FA76F8/Install/


Clearly the file referer is different in this case. I didn't leave anything behind, as I did one thing: I surfed all my pages with my IP and tried to see any error related to it with my IP, and couldn't find any error.

Pixazza caches images of a website when it serves ads on images. This has to be it. They cache images which exist, but they cached the images in the wrong case.

lucy24

4:03 am on Aug 4, 2011 (gmt 0)


Pixazza caches images of a website when it serves ads on images. This has to be it. They cache images which exist, but they cached the images in the wrong case.

But if you deleted the program why are they still asking for files?

You could block the requests by setting the condition

%{HTTP_REFERER} ^file:///

since you'd never get a legitimate request where the referer was a file, would you? But I still think it's an odd format. It's what you get when you're browsing local files. Is there a top-level directory on your HD called Applications containing an /Install/ subdirectory?

Have you looked for leftover javascript? That's what did me in when I deleted piwik. Everything else was gone but I forgot to get rid of every last bit of script pointing to the no-longer-existing files.

tangor

5:21 am on Aug 4, 2011 (gmt 0)


Gotta ask... have you cleared your PERSONAL REGISTRY (since most of us check our own sites way too many times)... or have you .htaccess denied that string? Nothing wrong with a nice 403 entry in the few hundred bytes...

yaashul

11:42 am on Aug 4, 2011 (gmt 0)


Lucy, should the statement be something like this?

RewriteCond %{HTTP_REFERER} ^file:/// [NC]
RewriteRule ^.* - [F,L]


Yep... I have checked it... no problem with my personal PC... it has to have something to do with the Pixazza ad network.

lucy24

7:34 pm on Aug 4, 2011 (gmt 0)


I'd try that. But for the "pattern" part of the rule you just need . (a single dot) because all you're saying is "any input whatsoever".

Once you've said [F] you don't need [L] but it doesn't do any harm.

have you cleared your PERSONAL REGISTRY (since most of us check our own sites way too many times)

Hidden advantage to using an obscure browser: I can globally delete anything containing the element "Camino" before even looking :)

Whenever I've done something I'm uneasy about-- like breathing in the vicinity of my .htaccess file-- I glance at my log directory about half an hour later to make sure the Error Log isn't suddenly bloating beyond all sense. Especially if it's consistently got the same timestamp as the Access Log.

yaashul

4:41 am on Aug 5, 2011 (gmt 0)


Lucy, I don't understand your point... where should I put this . (a single dot)?

lucy24

6:43 am on Aug 5, 2011 (gmt 0)


RewriteRule ^.* - [F,L]

All you need is

RewriteRule . - [F]

The opening anchor is unnecessary since you're not giving a specific text that has to come at the beginning. And the * is meaningless because it just says "the user requested something or nothing"-- and obviously they requested something, or the file wouldn't be here :) The [L] means "stop here" and is usually an essential part of any rewrite. But the [F] conveys the same information, so the [L] isn't needed.

In English: [F] means "Drop dead!" [F,L] means "Drop dead and then stop what you're doing."

The reference to Camino was in response to tangor's comment about the personal registry. And the part about glancing at your error log-- you don't even have to open it, just confirm that it's an appropriate size-- is generic advice whenever you've done something with your htaccess.
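
Before enabling the referer block discussed in this thread, it helps to measure how much of the error_log noise it would actually cover. The following is an added example, not code from any poster in the thread: it parses Apache 2.2-style "File does not exist" entries, groups them by referer, and counts the hits and distinct clients that match `^file:///` case-insensitively (the thread's RewriteCond). The sample lines, IPs, GUIDs and paths are constructed, and the `summarize` function name is an assumption of this example.

```python
import re
from collections import defaultdict

# Apache 2.2 error_log entry: [time] [level] [client IP] message[, referer: URL]
LINE_RE = re.compile(r'^\[[^\]]+\] \[\w+\] \[client (?P<ip>[^\]]+)\] '
                     r'(?P<msg>.*?)(?:, referer: (?P<referer>.*))?$')
MISSING_RE = re.compile(r'^File does not exist: (?P<path>.+)$')
# Same test as the thread's: RewriteCond %{HTTP_REFERER} ^file:/// [NC]
BLOCK_RE = re.compile(r'^file:///', re.IGNORECASE)

# Constructed sample (documentation IPs, placeholder GUIDs and paths).
SAMPLE_LOG = """\
[Wed Aug 03 16:37:04 2011] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/example/httpdocs/img/alpha, referer: file:///Applications/Install/00000000-0000-0000-0000-000000000001/Install/
[Wed Aug 03 16:37:07 2011] [error] [client 192.0.2.11] File does not exist: /var/www/vhosts/example/httpdocs/img/alpha, referer: file:///Applications/Install/00000000-0000-0000-0000-000000000001/Install/
[Wed Aug 03 16:38:00 2011] [error] [client 198.51.100.20] File does not exist: /var/www/vhosts/example/httpdocs/uploads/2010/aug/25/two words, referer: file:///Applications/Install/00000000-0000-0000-0000-000000000002/Install/
[Wed Aug 03 16:39:00 2011] [error] [client 203.0.113.5] File does not exist: /var/www/vhosts/example/httpdocs/favicon.ico
[Wed Aug 03 16:39:30 2011] [error] [client 203.0.113.6] File does not exist: /var/www/vhosts/example/httpdocs/img/gamma, referer: http://www.example.com/page.html
[Wed Aug 03 16:40:00 2011] [error] [client 203.0.113.7] client denied by server configuration: /var/www/vhosts/example/httpdocs/private
"""

def summarize(log_text):
    """Group 'File does not exist' errors by referer and measure rule coverage."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        missing = MISSING_RE.match(m.group("msg")) if m else None
        if missing is None:
            skipped += 1  # other error types or malformed lines
            continue
        g = groups[m.group("referer") or "-"]  # "-" stands for no referer
        g["hits"] += 1
        g["clients"].add(m.group("ip"))
        g["paths"].add(missing.group("path"))
    blocked = {r: g for r, g in groups.items() if BLOCK_RE.match(r)}
    return {
        "skipped": skipped,
        "total_hits": sum(g["hits"] for g in groups.values()),
        "blocked_hits": sum(g["hits"] for g in blocked.values()),
        "blocked_clients": len(set().union(*(g["clients"] for g in blocked.values()))),
        "unblocked_referers": sorted(set(groups) - set(blocked)),
        "groups": dict(groups),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['blocked_hits']}/{s['total_hits']} missing-file hits from "
          f"{s['blocked_clients']} clients carry a file:/// referer")
    print("referers the rule would not match:", s["unblocked_referers"])
```

Anything listed under the unmatched referers (including "-" for no referer) would still reach the site after the rule is in place, so those entries are the ones to review separately.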