Strange httpd log entry
I have a webserver. It gets a very small amount of traffic and the httpd log has pretty consistent entries. Tonight I noticed an entry that was much longer than usual. It made me think of an article I read about hex representations of IP addresses and the like. I've put up two lines from the log here since I can't yet post URLs. Hope they wrap OK:
Typical:
121.222.115.203 - - [24/Nov/2010:20:13:45 -0700] "GET /Gallery/Garden/swiggle.css HTTP/1.1" 404 224 "http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg.html" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; AskTB5.6)"

What is this about?:
121.222.115.203 - - [24/Nov/2010:20:13:44 -0700] "GET /Gallery/Garden/2009/12garden_edging.jpg HTTP/1.1" 200 414853 "http://www.google.com.au/imgres?imgurl=http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg&imgrefurl=http://216.241.45.95/Gallery/Garden/2009/12garden_edging.jpg.html&usg=__C9NZn_6Zv-wj2tagmvErGPNXDTA=&h=648&w=864&sz=406&hl=en&start= 332&zoom=1&tbnid=SJD2aiNa83hv2M:&tbnh=145&tbnw=170 &prev=/images%3Fq%3Dgarden%2Bedging%26um%3D1%26hl%3Den%26 biw%3D1287%26bih%3D470%26tbs%3Disch:10%2C10118&um= 1&itbs=1&iact=hc&vpx=840&vpy=96&dur=374&hovh=194&h ovw=259&tx=151&ty=114&ei=RtTtTPaDCYS8lQeM0eDKDA&oe i=R9LtTK-7MoWGuQOOhrWRCg&esq=8&page=29&ndsp=12&ved=1t:429,r :10,s:332&biw=1287&bih=470" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; .NET4.0C; AskTB5.6)"

Is that second line something to worry about?

thx, tf

It's really pointless to monitor your logs for all suspicious activity. It happens; mostly they probe for common scripts (..phpmyadmin/wordpress/etc) and see if there is any misconfiguration.
Some others attempt various forms of code/form injection, or look for cross-site scripting (XSS) vulnerabilities. In this case, the long string in this request is the "referral" from whoever was browsing the site; they found your picture on Google Images. It looks malformed but not overly suspicious.