
Forum Moderators: DixonJones & mademetop


Unusual url in web logs

Can't determine where traffic is coming from



5:21 pm on Aug 27, 2001 (gmt 0)

Starting August first I started noticing URLs of the form:
showing up in logs. Seems to be coming from all over. The user gets the home page. No user agent or referrer is logged. I can't find a developer here who has a bad cgi or jscript. Doesn't seem to be generated in house, as I can't find the IPs of these users accessing any other pages. Steady traffic of a couple hundred thousand hits a day.
Any thoughts on this will be greatly appreciated.



5:27 pm on Aug 27, 2001 (gmt 0)

WebmasterWorld Senior Member agerhart is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Welcome to WmW, NickR,

I am not 100% on this, but a few weeks ago we were seeing the same amount of hits in our logs from Code Red.


5:41 pm on Aug 27, 2001 (gmt 0)

Thanks for your reply and welcome,

Yes, we got the Code Red trash as well. Still am, in fact, but it doesn't affect us. I deployed a zero length default.ida because I got tired of seeing it in 404 reports.

However, I realized I should give more info about my architecture. I'm running Solaris 8 and Iplanet 4.1sp7 on these servers, and have been doing so for some time.

Also interesting, I'm seeing roughly the same traffic on ww1.sportsline.com and www.sportsline.com. ww1 is a server farm of five servers and www is a farm of dozens. But they're seeing the same total amount of traffic on these urls (about one every 1.6 seconds).

The duid= often has what looks like a generated password or identifier - always the same for the same IP.



4:14 pm on Aug 28, 2001 (gmt 0)

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Interesting. I'd follow troubleshooting methods.

a) no referrer? That's very suspect.
It either means it is coming from a post'ed doc or there is something wrong in the logging system. Some browsers would have to leak a referral from time to time.
b) possibly coming from https server? There should be some referral leaking even from there.
c) sure the server is ok? That's where I'd start.

Hundred thousand hits? Someone is IP spoofing you in some sort of DoS attack.


9:45 am on Sep 9, 2001 (gmt 0)

Similar problem in my server logs.

This server is rarely up. Experimental, Apache on Win98. Started out coming from domains from around the world, then started consistently coming from what appeared to be other customers of my isp. Usually hits me within an hour or so of starting Apache. No unauthorized servers detected. Always HTTP/1.0. Never a referer. Continued after an Fdisk, though the Apache binary stayed the same. The x's seem to be an attempt at a buffer overflow. Curious. Anyone with any info, thanks.

Found it, don't bother answering. Strange behavior!

(X's removed)

(edited by: Marcia at 10:31 am (gmt) on Sep. 9, 2001)


10:32 am on Sep 9, 2001 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member

my_wan, that's the Code Red worm. Here's one thread about it, you'll find much more using the site search at page-top on the left.



12:33 am on Sep 10, 2001 (gmt 0)

Yes, I jumped the gun on that post before looking much. I didn't pay much attention to the Code Red worm running Apache. It's funny it didn't start hitting my logs until its second cycle.
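
A log triage sketch for the two patterns discussed in this thread, added here as an example and not code from any poster: it flags requests for an `.ida` path whose query string carries a long run of one repeated character, and separately counts, per client IP, requests logged with neither referrer nor user agent. The Combined Log Format, the 64-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed input: Combined Log Format
# host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# One character repeated 64+ times; the threshold is an assumption, tune per site.
FILLER_RE = re.compile(r'(.)\1{63,}')

def _blank(value):
    return value in (None, '', '-')

def classify(line):
    """Return the traits of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m['target'].partition('?')
    return {
        'ip': m['ip'],
        'ida_probe': path.lower().endswith('.ida'),
        'filler_run': bool(FILLER_RE.search(query)),
        'http10': m['proto'] == 'HTTP/1.0',
        'no_referer': _blank(m['referer']),
        'no_agent': _blank(m['agent']),
    }

def summarize(lines):
    """Count worm-style .ida probes and header-less requests per client IP."""
    probes, headerless = Counter(), Counter()
    for c in filter(None, map(classify, lines)):
        if c['ida_probe'] and c['filler_run']:
            probes[c['ip']] += 1
        elif c['no_referer'] and c['no_agent']:
            headerless[c['ip']] += 1
    return probes, headerless

# Constructed sample lines (documentation IP ranges, filler only, no payload).
_PROBE = '192.0.2.10 - - [09/Sep/2001:09:%s +0000] "GET /default.ida?' + 'X' * 224 + ' HTTP/1.0" 404 205 "-" "-"'
SAMPLE_LOG = [
    _PROBE % '12:01',
    _PROBE % '12:44',
    '198.51.100.7 - - [27/Aug/2001:17:20:00 +0000] "GET / HTTP/1.0" 200 5120 "-" "-"',
    '203.0.113.5 - - [27/Aug/2001:17:20:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/4.0 (compatible)"',
]

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Keeping the two counters separate matters for triage: the first bucket is scanner noise that a server without the targeted handler can ignore, while a high count in the second bucket from IPs that never fetch anything else is the pattern the original poster was chasing.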
