[Dshield] Help Me Sort this Out (Apache Logs)
David Cary Hart
DShield at TQMcube.com
Wed Apr 5 18:42:18 GMT 2006
On Wed, 05 Apr 2006 14:07:18 -0400
"Johannes B. Ullrich" <jullrich at sans.org> opined:
> I can think of two options:
> - Someone looking for some kind of open proxy?
> - A bad link on your site to
> (vs. just 'https' without preceding slash)
> I assume 'www.oag.state.tx.us' is not your site?
That's a safe assumption.
BTW, it's always the same user agent as well and there is never a
referrer string. Also the page download order is exactly the same. The
clients are diverse. Their domains include optonline.com,
charter.com, and others. The cited example is a European web host:
184.108.40.206 - - [05/Apr/2006:12:57:00 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
/var/log/httpd/access_log:220.127.116.11 - -
While this wastes bandwidth, it's not putting the server in peril.
This is an intellectual exercise in contrast to an urgent security
Our DNSRBL -
Eliminate Spam: http://www.TQMcube.com
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
Zombie Graphs: http://www.TQMcube.com/zombies.php
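The pattern discussed in this thread (a request target that carries a full URL to some other host, a fixed user agent, no referrer, many different client addresses) is easy to pull out of an Apache access log mechanically. The script below is an added example, not something posted by either participant: it parses combined-format lines, flags both true proxy-style absolute-URI requests (`GET http://host/...`) and the `/https://host/...` variant quoted above, and tallies the hits per user agent, per foreign host and per distinct client. The sample log is constructed for the example (documentation-range addresses plus the one line quoted in the post); the only real detail it reuses is that line.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format:
# host ident user [time] "method target proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Request targets that name a foreign origin instead of a local path:
#  - absolute-form, which is what a client sends to a forward proxy: GET http://host/...
#  - the variant seen in the thread: a leading slash followed by a full URL: GET /https://host/...
ABSOLUTE_URI_RE = re.compile(r'^/?https?://(?P<fhost>[^/:]+)', re.IGNORECASE)

# Constructed sample log: the first line is the one quoted in the post, the rest are
# invented (RFC 5737 documentation addresses) to give the detector something to ignore.
SAMPLE_LOG = """\
184.108.40.206 - - [05/Apr/2006:12:57:00 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
198.51.100.7 - - [05/Apr/2006:12:58:10 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
203.0.113.9 - - [05/Apr/2006:12:59:31 -0400] "GET http://www.example.net/ HTTP/1.0" 200 4312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.15 - - [05/Apr/2006:13:00:02 -0400] "GET /rblcheck.php HTTP/1.1" 200 5120 "http://www.TQMcube.com/" "Mozilla/5.0 (X11; Linux)"
192.0.2.16 - - [05/Apr/2006:13:00:40 -0400] "GET /zombies.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def foreign_target(target):
    """Return the foreign host named in a request target, or None for a normal local path."""
    m = ABSOLUTE_URI_RE.match(target)
    return m.group('fhost').lower() if m else None


def find_proxy_style_requests(lines):
    """Return the parsed entries whose request target embeds a full URL to another host."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line; skip rather than guess
        fhost = foreign_target(entry['target'])
        if fhost:
            entry['foreign_host'] = fhost
            hits.append(entry)
    return hits


def summarize(hits):
    """Group the hits the way the thread reasons about them: per user agent, per foreign
    host, and how many distinct client addresses used each user agent."""
    by_agent = Counter(h['agent'] for h in hits)
    by_host = Counter(h['foreign_host'] for h in hits)
    clients = defaultdict(set)
    for h in hits:
        clients[h['agent']].add(h['host'])
    return {
        'by_agent': dict(by_agent),
        'by_foreign_host': dict(by_host),
        'clients_per_agent': {a: len(c) for a, c in clients.items()},
    }


if __name__ == '__main__':
    found = find_proxy_style_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h['host'], h['status'], h['foreign_host'], repr(h['agent']), 'referer=' + h['referer'])
    print(summarize(found))
```

Run against a real file with `find_proxy_style_requests(open('/var/log/httpd/access_log'))`. A single user agent spread over many unrelated client addresses, all asking for the same foreign URL in the same order, is the signature the post describes; the status code tells you what your server did with it. A 302 means Apache redirected rather than fetched the foreign page, which is the harmless case. To confirm the server is not actually relaying, send it an absolute-form request yourself (`curl -x yourhost:80 http://www.example.net/`) and check that the foreign content does not come back, and make sure `ProxyRequests Off` is set in the Apache configuration (it is the default; forward proxying is only enabled by turning it on).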