Security Incidents mailing list archives

Re: http activity


From: Michael Katz <mike () responsible com>
Date: Wed, 21 Mar 2001 11:27:24 -0800

On Wednesday, March 21, 2001 12:03 AM, Burak DAYIOGLU wrote:

The remaining three lines are awkward. First, the dates... Last two
lines have dates with reverse order (i.e. latter line should have been
logged earlier). The time settings on the box seem to be ok as well as
no signs of any intrusions.

I would guess that you are running a web server (like Netscape) that caches entries to the log file.  This results in 
log entries that are not in chronological order.  This is annoying, but doesn't indicate any evidence of an intrusion.

Furthermore, with the last three lines, it looks like someone has
been in search of an open proxy, but then what the heck is the syntax
error in it? I guess http:/ should have been http://, am I missing
something?

Can someone help me figure out these?

As for the other log entries, I suspect it's a typo.  I see this a lot when people cut and paste URLs.  Then the URL 
ends up looking like http://www.webserver.com/http://www.i_really_wanted_to_go_here.com.  If this person had been 
looking for a proxy, then the log entry would have probably looked different (/?http:/some-domain.com) and the person 
probably would have been looking for a box at port 3128 (squid) or port 8080 (socks) - not port 80.

X.X.X.X - - [19/Mar/2001:23:17:39 +0200] "GET /adserver/phpads.php3?what=140x60&n=tr HTTP/1.1" 404 226
X.X.X.X - - [20/Mar/2001:01:52:03 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
X.X.X.X - - [20/Mar/2001:03:54:36 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217
X.X.X.X - - [20/Mar/2001:03:43:14 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217

Hope that helps.

Michael Katz
Responsible Solutions, Ltd.
mike () responsible com  
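
The two checks discussed in this thread, as an added example that is not part of the original message: it parses the quoted log entries, reports timestamps that go backwards, and separates a URL pasted after the site's own path from a request whose target is itself a URL. The function names and finding labels are hypothetical, and the absolute-form check is an assumption added here (it is the standard shape of a request sent to an HTTP proxy), not something stated in the post.

```python
import re
from datetime import datetime

# Common Log Format. The request field is matched greedily because the
# requests quoted in this thread contain embedded double quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
URL_RE = re.compile(r'https?:/{1,2}[\w.-]+', re.I)  # also matches one-slash "http:/"

def parse(line):
    """Return (timestamp, request-target) for one log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group(3).split(" ", 1)         # method, then the rest
    rest = parts[1] if len(parts) > 1 else ""
    return when, rest.rsplit(" ", 1)[0]      # drop the trailing HTTP/x.y

def analyze(lines):
    """Return (line number, finding) pairs for a list of log lines."""
    findings, latest = [], None
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append((n, "unparsed"))
            continue
        when, target = rec
        # A buffering server can flush entries late: report, don't assume tampering.
        if latest is not None and when < latest:
            findings.append((n, "out-of-order"))
        latest = when if latest is None else max(latest, when)
        if URL_RE.match(target):             # the target itself is a URL
            findings.append((n, "absolute-form-target"))
        elif URL_RE.search(target):          # URL pasted after the site's path
            findings.append((n, "url-embedded-in-path"))
    return findings

# The four entries from the post, with wrapped lines rejoined.
SAMPLE = [
    'X.X.X.X - - [19/Mar/2001:23:17:39 +0200] "GET /adserver/phpads.php3?what=140x60&n=tr HTTP/1.1" 404 226',
    'X.X.X.X - - [20/Mar/2001:01:52:03 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217',
    'X.X.X.X - - [20/Mar/2001:03:54:36 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217',
    'X.X.X.X - - [20/Mar/2001:03:43:14 +0200] "GET /"http:/some-domain.com", HTTP/1.0" 404 217',
]

if __name__ == "__main__":
    for n, finding in analyze(SAMPLE):
        print(n, finding)
```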

