Security Incidents mailing list archives
RE: is this a recon, or just some browser weirdness?
From: "Robert Moss" <Robert.Moss () psinet telstra co uk>
Date: Thu, 18 Nov 2004 16:51:34 -0000
Hi,

The HEAD requests may be due to a caching proxy server checking datestamps to see if the copy it holds locally is still fresh. I wouldn't be surprised if they are using a caching proxy server. I'm not sure if FireFox's own caching does the HEAD requests too, maybe someone else can jump in?

ru-RU is Russian Language, in the same way that en-US or en-UK is the English language (American or UK versions).

The GET requests on /index.html and / may be due to the webpage they are accessing having links as such.

The requests to reportspec.php and reportspec.php_files are when someone using IE or FireFox/Mozilla is doing a 'Save Page As' as a Full page (inclusive of gif/jpg/html/css/js etc. files), that's why you are seeing those requests. You can try it yourself.

Hope that helps you!

Rob Moss

-----Original Message-----
From: Kirby Angell [mailto:kangell () alertra com]
Sent: 18 November 2004 02:31
To: Incidents List
Subject: is this a recon, or just some browser weirdness?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My web logfile has these strange entries coming from the same IP address, all relatively close together, but not so close that it looks automated:

    GET /spotcheckframe.php?device_id=557202&cnt=8
    HEAD /spotcheck.php
    GET /spotcheck.php_files/header_top.jpeg
    GET /
    POST /login.php
    GET /index.html
    GET /reportspec.php
    GET /reportspec.php_files/header_top.jpeg
    GET /viewdevices.php
    GET /viewdevices.php_files/header_top.jpeg

This is the browser ID:

    "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7) Gecko/20040803 Firefox/0.9.3"

Things I don't get:

1) Why the "HEAD" request for the page you just got the full version of (a page that they requested several times before)?

2) Why request "/" and then "/index.html"? They would have had to manually type "/index.html", there isn't a link to it on our site I don't think.

3) What is with the mangled file names right after the correct name is requested (e.g. "reportspec.php" followed by "reportspec.php_files/header_top.jpeg")?

4) Where did "header_top.jpeg" come from anyway, the file on our server is ".jpg", not ".jpeg"?

5) What is the "ru-RU" add-in for FireFox?

If anyone can shed some light on this I would appreciate it.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBnAlG21unUZAE9MARAtEuAJ9YbtjrZzBshKUPHm7MUKoDn5a50ACfV2A3
Lpuvd/tC+EGgyRDclJ6OIus=
=f/tA
-----END PGP SIGNATURE-----
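
A triage sketch for the request patterns discussed in this thread, added here as an example and not part of either poster's message: it labels HEAD requests as likely cache revalidation and `<page>_files/...` requests as 'Save Page As' residue only when the parent page was requested earlier in the same session. The function name, the labels and the bare `METHOD path` input format are assumptions; the sample lines are the ones quoted in the original message.

```python
import re
from urllib.parse import urlsplit

# Request lines as quoted in the thread, in order (one client, one session).
SAMPLE = [
    "GET /spotcheckframe.php?device_id=557202&cnt=8",
    "HEAD /spotcheck.php",
    "GET /spotcheck.php_files/header_top.jpeg",
    "GET /",
    "POST /login.php",
    "GET /index.html",
    "GET /reportspec.php",
    "GET /reportspec.php_files/header_top.jpeg",
    "GET /viewdevices.php",
    "GET /viewdevices.php_files/header_top.jpeg",
]

# "<page>_files/<asset>": the directory naming the reply attributes to
# a browser's 'Save Page As' (full page) feature.
SAVED_ASSET = re.compile(r"^(?P<page>/.+?)_files/(?P<asset>[^/]+)$")

def triage(requests):
    """Return (method, path, label) per request line.

    Labels (hypothetical names): cache-revalidation, saved-page-asset,
    unexplained, normal.
    """
    seen_pages = set()   # paths this client has already asked for
    results = []
    for line in requests:
        method, target = line.split(None, 1)
        path = urlsplit(target).path        # drop the query string
        m = SAVED_ASSET.match(path)
        if method == "HEAD":
            label = "cache-revalidation"    # freshness check, no body wanted
        elif m and m.group("page") in seen_pages:
            label = "saved-page-asset"      # parent page was fetched earlier
        elif m:
            label = "unexplained"           # _files path with no parent request
        else:
            label = "normal"
        if not m:
            seen_pages.add(path)
        results.append((method, path, label))
    return results

if __name__ == "__main__":
    for method, path, label in triage(SAMPLE):
        print(f"{label:20} {method:5} {path}")
```

Only the `unexplained` rows need a closer look; a `_files` path whose parent page the client never requested does not fit the browser explanation given in the reply.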
Current thread:
- is this a recon, or just some browser weirdness? Kirby Angell (Nov 18)
- Re: is this a recon, or just some browser weirdness? Martin Mačok (Nov 19)
- <Possible follow-ups>
- RE: is this a recon, or just some browser weirdness? Steven Trewick (Nov 18)
- RE: is this a recon, or just some browser weirdness? Robert Moss (Nov 18)