DaemonForums  

Old 25th November 2010
thefronny thefronny is offline
Port Guard
 
Join Date: Oct 2008
Posts: 37
Strange httpd log entry

I have a webserver. It gets a very small amount of traffic and the httpd log has pretty consistent entries. Tonight I noticed an entry that was much longer than usual. It made me think of an article I read about hex representations of IP addresses and the like. I've put up two lines from the log here since I can't yet post URLs. Hope they wrap OK:

Typical:

121.222.115.203 - - [24/Nov/2010:20:13:45 -0700] "GET /Gallery/Garden/swiggle.css HTTP/1.1" 404 224 "http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg.html" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; AskTB5.6)"

What is this about?:

121.222.115.203 - - [24/Nov/2010:20:13:44 -0700] "GET /Gallery/Garden/2009/12garden_edging.jpg HTTP/1.1" 200 414853 "http://www.google.com.au/imgres?imgurl=http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg&imgrefurl=http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg.html&usg=__C9NZn_6Zv-wj2tagmvErGPNXDTA=&h=648&w=864&sz=406&hl=en&start= 332&zoom=1&tbnid=SJD2aiNa83hv2M:&tbnh=145&tbnw=170 &prev=/images%3Fq%3Dgarden%2Bedging%26um%3D1%26hl%3Den%26 biw%3D1287%26bih%3D470%26tbs%3Disch:10%2C10118&um= 1&itbs=1&iact=hc&vpx=840&vpy=96&dur=374&hovh=194&h ovw=259&tx=151&ty=114&ei=RtTtTPaDCYS8lQeM0eDKDA&oe i=R9LtTK-7MoWGuQOOhrWRCg&esq=8&page=29&ndsp=12&ved=1t:429,r :10,s:332&biw=1287&bih=470" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; AskTB5.6)"

Is that second line something to worry about?

thx,

tf
Old 25th November 2010
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

It's really pointless to monitor your logs for all suspicious activity; it happens. Mostly they probe for common scripts (phpmyadmin/wordpress/etc.) and see if there is any misconfiguration.

Some others attempt various forms of code/form injection, or look for cross-site scripting (XSS) vulnerabilities.

In this case, the long string in this request is the "referral" from whoever was browsing the site. They found your picture on Google Images; it looks malformed but not overly suspicious.
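Added example, not part of either post: a Python sketch that splits a combined-format httpd log line and decodes its Referer field, showing that the long string is a Google Images result URL carrying the image address and the visitor's search terms. The sample line is shortened from the one quoted in the thread, and the function name `explain_referer` is hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: the second log line from the thread with most tracking
# parameters and part of the User-Agent cut out to keep it short.
SAMPLE = (
    '121.222.115.203 - - [24/Nov/2010:20:13:44 -0700] '
    '"GET /Gallery/Garden/2009/12garden_edging.jpg HTTP/1.1" 200 414853 '
    '"http://www.google.com.au/imgres'
    '?imgurl=http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg'
    '&imgrefurl=http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg.html'
    '&h=648&w=864&hl=en&start= 332'
    '&prev=/images%3Fq%3Dgarden%2Bedging%26um%3D1%26hl%3Den&page=29" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"'
)

def explain_referer(line):
    """Split a combined-format line and decode what its Referer carries."""
    m = COMBINED.match(line)
    if m is None:
        return None  # not a combined-format line
    # Assumption: whitespace inside the URL came from the forum's line
    # wrapping, so it is stripped before parsing.
    referer = re.sub(r"\s+", "", m["referer"])
    url = urlsplit(referer)
    params = parse_qs(url.query)  # percent-decodes each value once
    # "prev" holds the percent-encoded search page URL, including the query terms.
    prev = params.get("prev", [""])[0]
    terms = parse_qs(urlsplit(prev).query).get("q", [""])[0]
    return {
        "client": m["host"],
        "request": m["request"],
        "status": int(m["status"]),
        "referer_host": url.hostname,
        "referer_path": url.path,
        "imgurl": params.get("imgurl", [""])[0],
        "search_terms": terms,
    }

if __name__ == "__main__":
    for key, value in explain_referer(SAMPLE).items():
        print(f"{key:13} {value}")
```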