Security Incidents mailing list archives

Weird apache logs


From: Travis Read <travisr () rave iinet net au>
Date: Wed, 26 Feb 2003 09:57:20 +0800 (WST)


Over the last few days I've noticed a number of weird GET requests in my
apache logs. Has anybody else seen this kind of traffic or have any idea
what's causing it?

66.31.196.92 - - [26/Feb/2003:05:51:24 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:05:58:22 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:03:23 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:07:23 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:29:06 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
62.0.128.157 - - [26/Feb/2003:06:40:34 +0800] "GET http://www.outwar.com/page.php?x=237155&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
172.171.210.56 - - [24/Feb/2003:11:55:02 +0800] "GET http://www.outwar.com/page.php?x=137196&pro=1e14c3925f8337fcb0d9b447f816493d  HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
24.147.33.83 - - [24/Feb/2003:20:27:38 +0800] "GET http://www.outwar.com/page.php?x=309737&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

65.165.26.221 - - [26/Feb/2003:03:54:14 +0800] "GET http://www.outwar.com/page.php?x=131563 &pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 400 376 "-" "-"

In a 24 hour period:
pluto:/var/log# cat /var/log/apache/access.log | grep www.outwar.com | wc -l
    189

* The traffic is from all over the place (i.e. distributed).
* Every now and again the GET request contains a white space after
x=number, which generates a 400 error instead of a 404.

The traffic doesn't hurt my network at all, but it is starting to fill log
files. Are they just doing a probe to see what version of apache I'm
running?

I also noticed this once:
217.106.89.37 - - [25/Feb/2003:10:18:51 +0800] "\x05\x01" 200 889 "-" "-"

The version of apache I'm running:
pluto:/var/log# telnet 0 80
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 26 Feb 2003 01:56:28 GMT
Server: Apache/1.3.26 (Unix) Debian GNU/Linux mod_gzip/1.3.19.1a PHP/4.1.2
mod_perl/1.26
X-Powered-By: PHP/4.1.2
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.


Kind regards,

------------------------------------------------------------------------------
Travis Read
travisr () staff iinet net au | Level 6, Durack House, 263 Adelaide Terrace
------------------------------------------------------------------------------

" there is a war going on, it's not about who has the most bullets,
         it's about who controls the information " - SNEAKERS
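An added example (not code from the post or the list): a small Python triage script that parses combined-format Apache lines like the ones quoted above and separates absolute-URI requests (the form a client sends to an HTTP proxy rather than to an origin server), request lines that Apache rejects with 400 because of stray whitespace in the target, and raw non-HTTP bytes, then counts proxy-style hits per source address. The sample input is constructed from the lines quoted in the post plus one synthetic ordinary request (10.0.0.5).

```python
import re
from collections import Counter

# Constructed input: lines adapted from the post plus one synthetic ordinary
# request (10.0.0.5) so every request class is represented once.
SAMPLE_LOG = r'''66.31.196.92 - - [26/Feb/2003:05:51:24 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:05:58:22 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
65.165.26.221 - - [26/Feb/2003:03:54:14 +0800] "GET http://www.outwar.com/page.php?x=131563 &pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 400 376 "-" "-"
217.106.89.37 - - [25/Feb/2003:10:18:51 +0800] "\x05\x01" 200 889 "-" "-"
10.0.0.5 - - [26/Feb/2003:07:00:00 +0800] "GET /index.html HTTP/1.0" 200 1234 "-" "curl/7.9"
'''

# Combined log format; Apache writes non-printable bytes as \xNN escapes, so the
# request field is plain text here (escaped quotes inside it are not handled).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one access log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def classify_request(req):
    """Label the request line the way a log reviewer would triage it."""
    parts = req.split(" ")
    if len(parts) < 3 or not parts[-1].startswith("HTTP/"):
        return "non-http"      # raw bytes such as \x05\x01 sent to port 80
    if len(parts) > 3:
        return "malformed"     # extra whitespace in the target; Apache answers 400
    method, target, _version = parts
    if target.startswith(("http://", "https://")):
        return "proxy-style"   # absolute URI: what a client sends to an HTTP proxy
    return "origin"            # ordinary request for a path on this server

def summarize(log_text):
    """Return (count per request class, proxy-style request count per source IP)."""
    by_class, proxy_by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue           # skip lines that are not in combined format
        kind = classify_request(rec["req"])
        by_class[kind] += 1
        if kind == "proxy-style":
            proxy_by_ip[rec["ip"]] += 1
    return by_class, proxy_by_ip

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

Run it against a real access.log by reading the file into `summarize`; sources with a high proxy-style count are the ones worth blocking or rate-limiting at the firewall.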

