[Dshield] Help Me Sort this Out (Apache Logs)

Cefiar cef at optus.net
Thu Apr 6 01:04:20 GMT 2006


On Thursday 06 April 2006 03:59, David Cary Hart wrote:
> I keep seeing this over and over again for weeks now. Different
> clients from different providers. It always starts with a get of the
> entire site. Then I get the following (identical urls each time -
> with each client - to oag.state.tx.us):
>
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:00 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:01 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/zombies.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:02 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/bll.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:03 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/bp-link.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:03 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/ol.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:04 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/tl.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:05 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/zl.png HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:06 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/origins.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:07 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
> /var/log/httpd/access_log:88.208.194.64 - - [05/Apr/2006:12:57:08 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/images/zombies.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"

Well, I found this page on your site/domain (tqmcube.com) that contains the 
url (minus the /) - http://tqmcube.com/fss_fight_back.php - via Google.

Could be a badly written robot/spider that is getting confused and assuming 
that because the link doesn't start with http: it's actually local, and 
requesting it as though it's a local page? You might try looking through the 
access logs and seeing if the addresses that hit these URLs fetch robots.txt 
at some point prior to this.

BTW: If you're redirecting the pages yourself (as I see they're returning 
302s) then they should really return 301s. If these are robots, they may 
pick up on the fact that it's actually moved if it's a 301, but not if it's a 
302. This of course assumes that the robot author actually coded them well. 
Of course, if it isn't coded well, it mightn't make a difference, or they may 
even crash (their loss). For more info on why I suggest 301 instead of 302, 
see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html for general info 
on HTTP error codes.

-- 
 Stuart Young - aka Cefiar - cef at optus.net
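The two checks suggested in the reply above (find clients requesting paths that start with "/https://", and see whether the same client fetched robots.txt first) can be scripted against the access log. The following is an added example, not code posted by either participant: it parses Apache "combined" format lines, groups them by client address, flags requests whose path embeds an absolute URL, records whether that client fetched /robots.txt before its first flagged request, and notes which status codes (302 versus 301) the flagged requests received. The sample log is constructed for the example; the first client's address, paths and user agent are taken from the post, while 192.0.2.10, 198.51.100.7, "ExampleBot/1.0" and the /index.php record are invented filler.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format:
#   host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A request path that is a slash followed by an absolute URL is the signature of a
# client that treated a scheme-qualified href as if it were a site-relative link.
EMBEDDED_URL_RE = re.compile(r'^/https?://', re.IGNORECASE)

# Constructed sample log (not real traffic). 88.208.194.64, the paths and the
# Java/1.4.1_04 agent mirror the post; the other two clients are invented filler.
SAMPLE_LOG = """\
88.208.194.64 - - [05/Apr/2006:12:56:30 -0400] "GET /fss_fight_back.php HTTP/1.1" 200 5120 "-" "Java/1.4.1_04"
88.208.194.64 - - [05/Apr/2006:12:57:00 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
88.208.194.64 - - [05/Apr/2006:12:57:01 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/zombies.php HTTP/1.1" 302 288 "-" "Java/1.4.1_04"
192.0.2.10 - - [05/Apr/2006:13:00:00 -0400] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleBot/1.0"
192.0.2.10 - - [05/Apr/2006:13:00:05 -0400] "GET /https://www.oag.state.tx.us/forms/cpd/tide.php HTTP/1.1" 301 288 "-" "ExampleBot/1.0"
198.51.100.7 - - [05/Apr/2006:13:05:00 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def analyse(lines):
    """Group records by client, flag embedded-URL requests, and report per client
    whether it fetched /robots.txt before its first flagged request and which
    status codes the flagged requests got back."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_host[rec['host']].append(rec)

    report = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r['time'])
        flagged = [r for r in recs if EMBEDDED_URL_RE.match(r['path'])]
        if not flagged:
            continue  # this client never asked for a "/https://..." path
        first_flagged = flagged[0]['time']
        robots_before = any(
            r['path'] == '/robots.txt' and r['time'] < first_flagged for r in recs
        )
        statuses = sorted({r['status'] for r in flagged})
        report[host] = {
            'flagged': len(flagged),
            'agents': sorted({r['agent'] for r in flagged}),
            'fetched_robots_txt_first': robots_before,
            'statuses': statuses,
            # True when every flagged hit got a 302; the reply argues these should be 301s.
            'temporary_redirect_only': statuses == [302],
        }
    return report


if __name__ == '__main__':
    for host, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

To run it against a real log, replace `SAMPLE_LOG.splitlines()` with the lines of /var/log/httpd/access_log; the `fetched_robots_txt_first` flag separates a well-behaved crawler from a client that never looked at robots.txt at all, and `temporary_redirect_only` shows which clients are only ever being told "302", which is the case the reply says is worth changing to 301.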

