[Dshield] Help Me Sort this Out (Apache Logs)

Johannes B. Ullrich jullrich at sans.org
Wed Apr 5 18:07:18 GMT 2006


I can think of two options:

- Someone looking for some kind of open proxy?

- A bad link on your site to
  /https:www.oag...
  (vs. just 'https' without preceding slash)

I assume 'www.oag.state.tx.us' is not your site?





David Cary Hart wrote:
> I keep seeing this over and over again for weeks now. Different
> clients from different providers. It always starts with a get of the
> entire site. Then I get the following (identical urls each time -
> with each client - to oag.state.tx.us):
> 
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:00 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:01 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/zombies.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:02 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/bll.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:03 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/bp-link.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:03 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/ol.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:04 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/tl.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:05 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/zl.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:06 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/origins.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:07 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:08 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/zombies.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> 


--

-------------------
Johannes B. Ullrich, Ph.D
Chief Research Officer
SANS Institute
http://isc.sans.org
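One way to tell the two explanations in the reply apart from the log itself, as an added example that is not part of the original post: a client using a server as a forward proxy sends the URL in absolute form (`GET http://host/...`) or uses `CONNECT`, while a target that starts with a slash followed by a scheme is consistent with a mangled link being resolved as a path on the local site. The function names, the `kind` labels and the last two sample lines are assumptions made for this sketch.

```python
import re
from collections import Counter

# Combined log format; an optional "/path/to/log:" prefix (grep output, as quoted above) is allowed.
LINE_RE = re.compile(
    r'^(?:/[^\s:]*:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
ABSOLUTE = re.compile(r'^https?://', re.I)  # absolute-form target, as sent to a proxy
SLASHED = re.compile(r'^/+https?:/{0,2}(?P<host>[A-Za-z0-9.-]+)', re.I)  # "/https://host" or "/https:host"

# First two lines are from the post; the last two are constructed (192.0.2.x is a documentation range).
SAMPLE = [
    '/var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:00 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"',
    '/var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:01 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/zombies.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"',
    '192.0.2.10 - - [05/Apr/2006:13:00:00 -0400] "GET http://example.com/ HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.11 - - [05/Apr/2006:13:00:05 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (client_ip, kind, embedded_host, referer), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    target, host = m["target"], None
    slashed = SLASHED.match(target)
    if m["method"] == "CONNECT" or ABSOLUTE.match(target):
        kind = "proxy-style"            # what an open-proxy probe looks like on the wire
    elif slashed:
        kind, host = "slash-prefixed-url", slashed["host"].lower()  # URL treated as a local path
    else:
        kind = "ordinary"
    return m["ip"], kind, host, m["ref"]

def summarize(lines):
    """Count (client, kind, embedded host) triples over the parseable lines."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            counts[result[:3]] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```

For `slash-prefixed-url` hits, a non-empty referer on your own site names the page carrying the bad link; a `-` referer, as in the quoted lines, leaves the site's own HTML as the place to search for the embedded host.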

