Security Incidents mailing list archives
Re: http activity
From: Michael Katz <mike () responsible com>
Date: Wed, 21 Mar 2001 11:27:24 -0800
On Wednesday, March 21, 2001 12:03 AM, Burak DAYIOGLU wrote:
> The remaining three lines are awkward. First, the dates... Last two lines have dates with reverse order (i.e. latter line should have been logged earlier). The time settings on the box seem to be ok as well as no signs of any intrusions.
I would guess that you are running a web server (like Netscape) that caches entries to the log file. This results in log entries that are not in chronological order. This is annoying, but doesn't indicate any evidence of an intrusion.
> Furthermore, with the last three lines, it looks like someone has been in search of an open proxy, but then what the heck is the syntax error in it? I guess http:/ should have been http://, am I missing something? Can someone help me figure these out?
As for the other log entries, I suspect it's a typo. I see this a lot when people cut and paste URLs. Then the URL ends up looking like

http://www.webserver.com/http://www.i_really_wanted_to_go_here.com

If this person had been looking for a proxy, then the log entry would have probably looked different (/?http:/some-domain.com) and the person probably would have been looking for a box at port 3128 (squid) or port 8080 (socks) - not port 80.
> X.X.X.X - - [19/Mar/2001:23:17:39 +0200] "GET /adserver/phpads.php3?what=140x60&n=tr HTTP/1.1" 404 226
> X.X.X.X - - [20/Mar/2001:01:52:03 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
> X.X.X.X - - [20/Mar/2001:03:54:36 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
> X.X.X.X - - [20/Mar/2001:03:43:14 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
Hope that helps.

Michael Katz
Responsible Solutions, Ltd.
mike () responsible com
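A log-review example for the two questions raised in this message, added here and not code from either poster: it parses the quoted entries (whose request field itself contains double quotes), reports lines stamped earlier than a line already written, and lists requests whose target embeds a URL. The function and variable names are assumptions.

```python
import re
from datetime import datetime

# Sample input: the four entries quoted in the post (client address masked there).
SAMPLE = '''\
X.X.X.X - - [19/Mar/2001:23:17:39 +0200] "GET /adserver/phpads.php3?what=140x60&n=tr HTTP/1.1" 404 226
X.X.X.X - - [20/Mar/2001:01:52:03 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
X.X.X.X - - [20/Mar/2001:03:54:36 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
X.X.X.X - - [20/Mar/2001:03:43:14 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
'''

# The request field can contain literal double quotes (as above), so anchor on
# the trailing status and size instead of splitting the line on '"'.
LINE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(.*)" (\d{3}) (\d+|-)$')
# "http:/" or "http://" (also https) anywhere in the request target.
EMBEDDED_URL = re.compile(r'https?:/{1,2}', re.I)

def parse(line):
    """Parse one Common Log Format line; return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    host, _, _, ts, request, status, _size = m.groups()
    method, _, rest = request.partition(' ')
    target, _, proto = rest.rpartition(' ')
    return {"host": host, "method": method, "target": target, "proto": proto,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(status)}

def review(text):
    """Return (out_of_order, embedded) as lists of 1-based line numbers."""
    out_of_order, embedded, latest = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse(line)
        if entry is None:
            continue
        # Written after a line that carries a later timestamp.
        if latest is not None and entry["time"] < latest:
            out_of_order.append(n)
        latest = entry["time"] if latest is None else max(latest, entry["time"])
        if EMBEDDED_URL.search(entry["target"]):
            embedded.append(n)
    return out_of_order, embedded

if __name__ == "__main__":
    print(review(SAMPLE))
```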