Security Incidents mailing list archives

RE: is this a recon, or just some browser weirdness?


From: "Robert Moss" <Robert.Moss () psinet telstra co uk>
Date: Thu, 18 Nov 2004 16:51:34 -0000

Hi,
   The HEAD requests may be due to a caching proxy server checking
datestamps to see if the copy it holds locally is still fresh.  I
wouldn't be surprised if they are using a caching proxy server.  I'm not
sure if Firefox's own caching does the HEAD requests too; maybe someone
else can jump in?

ru-RU is Russian Language, in the same way that en-US or en-UK is the
English language (American or UK versions)

The GET requests on /index.html and / may be due to the webpage they
are accessing having links as such.

The requests to reportspec.php and reportspec.php_files are generated
when someone using IE or Firefox/Mozilla does a 'Save Page As' as a full
page (inclusive of gif/jpg/html/css/js etc. files); that's why you are
seeing those requests.  You can try it yourself.

Hope that helps you!
Rob Moss

-----Original Message-----
From: Kirby Angell [mailto:kangell () alertra com] 
Sent: 18 November 2004 02:31
To: Incidents List
Subject: is this a recon, or just some browser weirdness?

My web logfile has these strange entries coming from the same IP
address, all relatively close together, but not so close that it looks
automated:

GET /spotcheckframe.php?device_id=557202&cnt=8
HEAD /spotcheck.php
GET /spotcheck.php_files/header_top.jpeg
GET /
POST /login.php
GET /index.html
GET /reportspec.php
GET /reportspec.php_files/header_top.jpeg
GET /viewdevices.php
GET /viewdevices.php_files/header_top.jpeg

This is the browser ID:

"Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7) Gecko/20040803
Firefox/0.9.3"

Things I don't get:

1) Why the "HEAD" request for the page you just got the full version of
(a page that they requested several times before)?
2) Why request "/" and then "/index.html"?  They would have had to
manually type "/index.html", there isn't a link to it on our site I
don't think.
3) What is with the mangled file names right after the correct name is
requested (e.g. "reportspec.php" followed by
"reportspec.php_files/header_top.jpeg")?
4) Where did "header_top.jpeg" come from anyway, the file on our server
is ".jpg", not ".jpeg"?
5) What is the "ru-RU" add-in for FireFox?

If anyone can shed some light on this I would appreciate it.

--
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
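An added example, not code from either poster: a small Python checker that applies Rob's two explanations to an access log, labelling a HEAD for a page the same client already fetched as a cache freshness check and a request for "<page>_files/<asset>" after "<page>" as a "Save Page As" artifact, so the unexplained remainder stands out. The log lines are constructed in Common Log Format from the sequence Kirby quoted; the IP address, timestamps, status codes and sizes are made up.

```python
import re
from collections import defaultdict

# Constructed sample log (Common Log Format), modelled on the request
# sequence quoted in the thread; the IP, times, statuses and sizes are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2004:02:10:01 -0600] "GET /spotcheckframe.php?device_id=557202&cnt=8 HTTP/1.1" 200 1834
203.0.113.7 - - [18/Nov/2004:02:10:05 -0600] "GET /spotcheck.php HTTP/1.1" 200 4710
203.0.113.7 - - [18/Nov/2004:02:10:09 -0600] "HEAD /spotcheck.php HTTP/1.1" 200 0
203.0.113.7 - - [18/Nov/2004:02:10:10 -0600] "GET /spotcheck.php_files/header_top.jpeg HTTP/1.1" 404 312
203.0.113.7 - - [18/Nov/2004:02:11:30 -0600] "GET /reportspec.php HTTP/1.1" 200 5120
203.0.113.7 - - [18/Nov/2004:02:11:41 -0600] "GET /reportspec.php_files/header_top.jpeg HTTP/1.1" 404 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# "<page>_files/<asset>": the folder layout a browser's "Save Page As" creates.
SAVED_ASSET_RE = re.compile(r'^(?P<page>/[^?]+?)_files/')

def classify(log_text):
    """Return (ip, method, path, label) tuples in log order."""
    seen_paths = defaultdict(set)  # ip -> paths already requested by that client
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF requests
        ip, method, path = m['ip'], m['method'], m['path'].split('?')[0]
        label = 'ordinary'
        asset = SAVED_ASSET_RE.match(path)
        if asset and asset['page'] in seen_paths[ip]:
            # The page was fetched first, then its "_files" assets: the
            # re-requests a full-page save produces (Rob's explanation).
            label = 'save-page-as artifact'
        elif method == 'HEAD' and path in seen_paths[ip]:
            # HEAD for a page this client already has: a freshness check by
            # the browser cache or an intermediate caching proxy.
            label = 'cache freshness check'
        seen_paths[ip].add(path)
        events.append((ip, method, path, label))
    return events

def summarize(events):
    """Count labels so a reviewer sees how much of a burst is explained."""
    counts = defaultdict(int)
    for _, _, _, label in events:
        counts[label] += 1
    return dict(counts)
```

Requests left labelled 'ordinary' are the ones the two benign explanations do not account for and are worth a closer look.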

