Re: [Sheflug] Funny GETs in www logs.
Adam Funk wrote:
> My www.ducksburg.com/scripts/ directory doesn't have an index page, so
> Apache just gives the "standard list" of its contents. Occasionally
> I see weird sequences such as the following in my www logs:
>
> 22:29:24 GET /
> 22:29:24 GET /scripts/
> 22:29:24 GET /scripts/?C=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F;O=A
> 22:29:25 GET /scripts/?C=http%3A%2F%2Fwww.municipioxii.it%2Fsunnyway%2Feheqebi%2Fjahibop%2F;O=A
> 22:29:25 GET /scripts/?C=http%3A%2F%2Fsahel55.com%2Farticles%2Fomaduro%2Fkimumid%2F;O=A
> 22:29:25 GET /scripts/?C=M;O=http%3A%2F%2Fwww.altaiseer-eg.com%2Far%2Farticles%2Fjed%2Fumut%2F
> 22:29:25 GET /scripts/?C=M;O=http%3A%2F%2Fwww.northfans.ch%2Fforum%2Fadmin%2Fsettings%2Fgucor%2Fujusu%2F
> 22:29:25 GET /scripts/?C=M;O=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F
> 22:29:26 GET /scripts/photofilename.perl
> 22:29:26 GET /scripts/?C=M;O=A
> 22:29:26 GET /scripts/?C=N;O=A
>
> That's a real example, edited down for readability. Those entries all
> come from one remote host and give the user-agent "Mozilla/4.0
> (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR
> 1.1.4322)".
>
> What does this mean? Is this a bot looking for some kind of
> vulnerability to post web-spam?
It could be some kind of DAP attempt due to a misconfigured machine.
The individual concerned is using IE7 on an XP box and the parameters
look a bit X.500ish.
The '%3A' and '%2F' are all character entities, e.g. %20 is a space, %2F is '/',
%3A is ':', so the second entry is
GET /scripts/
with the parameters
C=http://www.cjp.spb.ru/en/tis/Fleboma/
and
O=A
Without an actual script specified it's a fairly nonsensical HTTP GET
request - there's no script specified to receive the parameters.
Regards
L.
_______________________________________________
Sheffield Linux User's Group
http://www.sheflug.org.uk/mailfaq.html
GNU - The choice of a complete generation