http://127.0.0.1:4664/preview?event id=

   
1:05 pm on Aug 2, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Today I noticed this in my server logs.

00.0.000.000 - - [02/Aug/2007:04:15:41 -0400] "GET /forum/style_imag HTTP/1.1" 404 2941 "http://127.0.0.1:4664/preview?event_id=131568&schema_id=2&q=runtz5&s=000000000000000000000000000" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

Note that I have edited the suspicious server's IP.

Whatever application this is caused many 404 errors while attempting to access the directory listing of image directories.

I searched Goo and MSN but only found server logs referencing it, and no word on what software application it is.

2:24 pm on Aug 2, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



"Note that I have edited the suspicious server's IP."

I'm not sure why?
Best thing you could do is deny the range, although that wouldn't remove the long request lines from your logs.

It's just somebody running some type of local script on their machine "http://127.0.0.1".

There are many different types of scripts in various languages that are run and we never really find an answer to what exactly the script does.
In many instances we're able to determine a software name, however even that doesn't provide what the script is actually doing or "looking for".

3:43 pm on Aug 2, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"Note that I have edited the suspicious server's IP."

"I'm not sure why?"

I edited the IP address because people here freak out when you use real life examples.

I can deny it using ModSecurity. Denying by IP would be inefficient as there are apparently many IP addresses using this software out in the wild.

I was just curious as to what this thing is. It was trying to access an image directory for a forum which is the default images used by thousands of other boards.

5:22 pm on Aug 2, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



frontpage,
The forum practice is to obscure the Class D.

Experience has taught me to take an action against visitors whose procedures are not within the guidelines of acceptable practices.
As a result, "should" a visitor or visitors make an attempt to harvest images from my image directory (or any other directory), I would initiate an action against both the User Agent and the IP range.
The above makes for sound security; after all, why allow access to a visitor that is either looking for flaws in site(s) or attempting a hack or harvesting?

Don

12:29 am on Aug 3, 2007 (gmt 0)

5+ Year Member



I had a similar question a little while ago and the answer was that "127.0.0.1:4664 is the URL for Google Desktop Search"
hth
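
An added example, not part of the thread or any poster's code: a Python script that scans Apache combined-format log lines for Referer headers pointing at a loopback address, such as the 127.0.0.1:4664 discussed above, and groups the hits by referer host:port rather than by client IP. The function names and the sample log lines (documentation IP ranges, shortened query strings) are constructed for illustration; a missing port is assumed to mean 80 for http and 443 for https.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def loopback_origin(referer):
    """Return 'host:port' when the Referer points at the visitor's own machine, else None."""
    try:
        parts = urlsplit(referer)
        host, port = parts.hostname, parts.port
        if host != "localhost" and not ipaddress.ip_address(host or "").is_loopback:
            return None
    except ValueError:  # malformed URL or port, or a DNS name rather than an IP literal
        return None
    return f"{host}:{port or (443 if parts.scheme == 'https' else 80)}"

def summarize(lines):
    """Group loopback-referred requests by origin: hits, distinct clients, status codes."""
    report = defaultdict(lambda: {"hits": 0, "clients": set(), "statuses": set()})
    for line in lines:
        m = COMBINED.match(line.strip())
        origin = loopback_origin(m["referer"]) if m else None
        if origin:
            report[origin]["hits"] += 1
            report[origin]["clients"].add(m["client"])
            report[origin]["statuses"].add(int(m["status"]))
    return dict(report)

# Constructed sample lines (documentation IP ranges), shaped like the entry in the thread.
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
SAMPLE = [
    f'192.0.2.10 - - [02/Aug/2007:04:15:41 -0400] "GET /forum/style_imag HTTP/1.1" 404 2941 "http://127.0.0.1:4664/preview?event_id=1&schema_id=2&q=example&s=0" "{UA}"',
    f'198.51.100.7 - - [02/Aug/2007:05:02:13 -0400] "GET /forum/style_imag HTTP/1.1" 404 2941 "http://127.0.0.1:4664/preview?event_id=2&schema_id=2&q=example&s=0" "{UA}"',
    f'203.0.113.5 - - [02/Aug/2007:05:10:00 -0400] "GET /forum/ HTTP/1.1" 200 5120 "http://www.example.com/links.html" "{UA}"',
]

if __name__ == "__main__":
    for origin, info in summarize(SAMPLE).items():
        print(origin, info["hits"], sorted(info["clients"]), sorted(info["statuses"]))
```

The Referer header is supplied by the client, so the grouping is a hint about which local application generated the requests, not proof of it.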