suspcious log entry

Forum Moderators: DixonJones

Message Too Old, No Replies

suspcious log entry

suspicious log entry

lisag

5:42 pm on Jun 9, 2005 (gmt 0)

In the past 2 weeks, we've seen quite a few requests for the bogus page "404_IGNORE_THIS_REQUEST.html" on our main, highly traffic-ed site. In the past few days, there are several requests/minute for this page coming from a variety of IPs. The referer looks like our own site's pages, but our host believes the referer is spoofed.

Another of our sites (less popular) shows plenty of these requests as well, but not nearly as many since it's not terribly popular. Some of our other sites show no such requests. Each site runs on Linux/Apache, but the forums and other content are developed differently (some on content managment, some flat html, and diff. php-based discussion forums). A friend's very popular site is also being hit heavily with requests for "404_IGNORE_THIS_REQUEST.html". And that's hosted with a different company 3,000 miles away from our site's host.

Ideas? Is it a worm? Googling for the page name gives very few results.

hanuman

5:04 am on Jun 10, 2005 (gmt 0)

sounds like a referral spam.....once you were chosen by the bulgarian brothers than you will find all kind of referrals junk on your logs.

ip blocks wont help you as the are using open proxies.

my first advise for you is to make sure your site logs are not public accessible.

than play with .htaccess to block unwanted UA and refferals..... search this board for wealth of tips.....

search google for "blocking referral spam using .htaccess"

lisag

5:36 am on Jun 10, 2005 (gmt 0)

Our logs aren't public. This is sure a weird one because they list our web pages as referer and get nothing out of it. Only lots of 404's for that bogus page name in logs. Must be something more they hope to get out of it... but what.

Should I 403 that filename in .htaccess? Any benefit to that?

boxrec

1:51 am on Jun 11, 2005 (gmt 0)

I'm getting the same thing, but the page seems to be requested amongst normal user activity for the IP?

lisag

2:12 am on Jun 11, 2005 (gmt 0)

Same here boxrec, the requests appear to be among other normal requests from a given IP. This is a strange one...

The requests for the bogus page are escalating and we had about 8K yesterday.

Dijkgraaf

9:29 am on Jun 11, 2005 (gmt 0)

Maybe all they are doing is testing connectivity and response times, as I can't see this achieving anything else.

GaryK

3:39 pm on Jun 12, 2005 (gmt 0)

I've also been noticing an increase in the number of requests for seemingly random files.

Also, I have seen the same pattern wherein a user agent will browse the site trying to look like a human. Then on their exit page they leave a referral for something. Usually a commercial product or service. But sometimes also for things that look like they're still under development and hence not ready for public exposure yet.

lisag

12:19 am on Jun 13, 2005 (gmt 0)

Well, we're now at almost 1 request/second for 404_IGNORE_THIS_REQUEST.html. So I've 403-d that file name using htaccess. Waste less bandwidth at least. Grrr...