[Dshield] Help Me Sort this Out (Apache Logs)

David Cary Hart DShield at TQMcube.com
Wed Apr 5 18:42:18 GMT 2006


On Wed, 05 Apr 2006 14:07:18 -0400
"Johannes B. Ullrich" <jullrich at sans.org> opined:
> I can think of two options:
> 
> - - Someone looking for some kind of open proxy?
> 
> - - A bad link on your site to
>   /https:www.oag...
>   (vs. just 'https' without preceding slash)
> 
> I assume 'www.oag.state.tx.us' is not your site?
> 
That's a safe assumption.
> 
BTW, it's always the same user agent as well and there is never a
referrer string. Also the page download order is exactly the same. The
clients are diverse. Their domains include optonline.com,
charter.com, and others. The cited example is a European web host:

88.208.194.64 - -  [05/Apr/2006:12:57:00 0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" Java/1.4.1_04" /var/log/httpd/access_log:88.208.194.64 - -

While this wastes bandwidth, it's not putting the server in peril.
This is an intellectual exercise in contrast to an urgent security
issue.
-- 
Our DNSRBL - 
           Eliminate Spam: http://www.TQMcube.com
          Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
            Zombie Graphs: http://www.TQMcube.com/zombies.php
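As an added example (not code from the thread or from DShield), a short Python check that pulls proxy-style requests like the one quoted above out of an Apache combined-format access log and summarises the evidence the thread weighs, namely how many distinct clients, which user agents, and whether a referrer is ever present. The log lines are constructed for the example and modelled on the quoted entry; the IP addresses other than the quoted one are placeholders.

```python
import re
from collections import Counter

# Apache "combined" log layout, the format of the entry quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic), modelled on the quoted entry.
SAMPLE_LOG = """\
88.208.194.64 - - [05/Apr/2006:12:57:00 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
10.0.0.7 - - [05/Apr/2006:12:58:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "http://example.invalid/" "Mozilla/5.0"
203.0.113.9 - - [05/Apr/2006:13:01:33 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
203.0.113.9 - - [05/Apr/2006:13:01:34 -0400] "GET http://www.oag.state.tx.us/ HTTP/1.1" 403 199 "-" "Java/1.4.1_04"
"""

def is_proxy_style(path):
    """A request path that embeds a full URL, with or without the leading '/',
    asks this server to fetch another host: the open-proxy pattern from the thread."""
    return re.match(r'^/?https?://', path) is not None

def find_proxy_probes(log_text):
    """Return the parsed proxy-style requests plus a summary of distinct clients,
    user agents, missing referrers and target hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_proxy_style(m['path']):
            hits.append(m.groupdict())
    summary = {
        'requests': len(hits),
        'clients': Counter(h['ip'] for h in hits),
        'user_agents': Counter(h['ua'] for h in hits),
        'no_referrer': sum(1 for h in hits if h['referrer'] == '-'),
        'targets': Counter(re.sub(r'^/?(https?://[^/]+).*', r'\1', h['path']) for h in hits),
    }
    return hits, summary

if __name__ == '__main__':
    hits, summary = find_proxy_probes(SAMPLE_LOG)
    for key, value in summary.items():
        print(f'{key}: {value}')
```

Many clients sharing one user agent, one fixed target and no referrer points away from a stray link on your own pages, since browsers following a link would send a referrer and varied user agents.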
