  1. #1
    Just Joined!
    Join Date
    Mar 2003
    Posts
    7

    Strange logfile entry


    A while ago, I was reviewing my apache weblogs and came across these lines...


    **.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "CONNECT security.rr.com:25 HTTP/1.0" 405 297 "-" "-"
    **.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "PUT http://security.rr.com:25/ HTTP/1.1" 405 305 "-" "-"

    and

    **.**.194.59 - - [30/Jan/2003:03:41:42 +0000] "GET http://www.outwar.com/page.php?x=81641 HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"


    Anyone know why these other URLs are appearing in my access file?

  2. #2
    flw
    Linux Engineer
    Join Date
    Mar 2003
    Location
    U.S.A.
    Posts
    1,025
    Same basic log entries described here http://www.security-forums.com/forum...pic.php?t=3232 but that would be yours. You took the time to edit your IP but not the log times to the second, Mr. drivle.


    Now onward and upward, by your post they are old entries and didn't repeat. If this is true then I wouldn't worry about it. If they're repeating then repost so we can try to see a pattern in the Kaos and do some searches.

    Did you think you'd put one over on a fellow security guy? That's why I didn't even bother to change my handle. Now in newsgroups is another story.
    Dan

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu

  3. #3
    Just Joined!
    Join Date
    Mar 2003
    Posts
    7
    I really don't know what your problem is fastlanwan???

    I didn't edit my IP at all. The *** are actually disguising the person who accessed my site.

    I thought it would be 'polite' in case there was a valid reason for this.

    The reason I've posted here - is because I didn't get a satisfactory answer in the other place. I've asked elsewhere as well - and will continue to do so until I understand.

    As for not changing my handle - people called David are often called Dave - hence --> drivle may be driv.... - it doesn't take a rocket scientist to work out who I am.

    Now shall we put this behind us.....?

  4. #4
    flw
    Linux Engineer
    Join Date
    Mar 2003
    Location
    U.S.A.
    Posts
    1,025
    Wow, you're really excitable. I was trying to make some light-hearted chat. Hence the emoticons. Sorry if you took it the wrong way because that's not how I meant it.

    Now if you read the second paragraph, you'll see I started to answer your question based on the information you gave with a request for more info on your log for a pattern search.
    Dan

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu

  5. #5
    Just Joined!
    Join Date
    Mar 2003
    Posts
    7
    Hmm...
    Even with emoticons, the nature of the written word can be misconstrued.

    "Wow, you're really excitable"
    Got that right flw, - learn your lesson from an idiot with years of 'substance abuse' behind him!

    Either way, virtual handshake offered...

    Yes it's happened frequently ***.my.ip.*** connect /put - "another site"
    I just can't understand the calling process - and I have been asking everywhere.

  6. #6
    flw
    Linux Engineer
    Join Date
    Mar 2003
    Location
    U.S.A.
    Posts
    1,025
    By "calling process" do you mean "get" or the whole process of get/head/post/put/delete/trace/connect?
    Dan

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu

  7. #7
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    Take it easy. :smoke:

    Just out of interest, do you have any sort of banners displayed on your website?

    It may be banners, but probably not.

    Hmm...

    I know the outwar one is basically a site that generates a lot of spam, need to do some research.

  8. #8
    Just Joined!
    Join Date
    Mar 2003
    Posts
    7
    No - no banners.

    Sorry - I'm using my own terminology.
    By 'calling' process - I'm referring to the call following the ip - which isn't shown in the logfiles - (as I suppose it's redundant - and just eats up the logs)

    I'm away from my Linux box now - so I can't respond properly but something like..

    ***.***.***.***|?|CONNECT security.rr.com:25 HTTP/1.0" 405 297 "-" "-"

    as I say I'm not at my server now so I can't remember the character "|?|"
    but if you check your apache logs - you'll see what I mean.

    I'll try to respond properly tomorrow when I have all the facts to hand.
    Thanks,
    driv.

  9. #9
    flw
    Linux Engineer
    Join Date
    Mar 2003
    Location
    U.S.A.
    Posts
    1,025
    You may have already looked here but it's the only semi-detailed log descriptions I found.

    http://httpd.apache.org/docs/logs.html#accesslog

    Covers access, error, rotation, piped and misc log files.
    Dan

    "Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu

  10. #10
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    I think the 2 log entries seem to be unrelated, but don't quote me on it.

    The first one, from security.rr.com, seems to be Road Runner checking for an open proxy. Their probing info is here:
    http://security.rr.com/probing.htm

    Another Internet User had the same problem, they sent an email to RR, and the response they received can be seen here: http://www.mdlug.org/archives/mdlug/msg07907.html


    With the outwars entry, all I could find was one other internet user who had seen a similar thing in his Apache logs; see here: http://www.securityfocus.com/archive/75/313267 You could try emailing him, to see if he resolved his issue. SecurityFOCUS did not seem to have any responses to his post.

    Jason
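
An added example (not written by any poster in this thread): a small Python filter that picks out the proxy-style requests discussed above, meaning a CONNECT to a foreign host:port or a GET/PUT whose target is a full URL, and records how the server answered. The first three sample lines are the entries quoted in the thread; the last two are constructed, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

# First three lines are the entries quoted in the thread (client addresses masked
# by the poster); the last two are constructed for contrast.
SAMPLE_LOG = '''\
**.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "CONNECT security.rr.com:25 HTTP/1.0" 405 297 "-" "-"
**.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "PUT http://security.rr.com:25/ HTTP/1.1" 405 305 "-" "-"
**.**.194.59 - - [30/Jan/2003:03:41:42 +0000] "GET http://www.outwar.com/page.php?x=81641 HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
203.0.113.7 - - [30/Jan/2003:04:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.9 - - [30/Jan/2003:04:05:00 +0000] "GET http://example.org/ HTTP/1.1" 200 5120 "-" "-"
'''

def classify(line):
    """Return a finding dict for a proxy-style request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, when, request, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
    parts = request.split()
    if len(parts) != 3:
        return None
    method, target, _proto = parts
    if method == "CONNECT":
        kind, dest = "connect-tunnel", target           # target is host:port
    elif SCHEME_RE.match(target):
        kind, dest = "absolute-uri", urlsplit(target).netloc
    else:
        return None                                      # ordinary origin-form request
    # 4xx/5xx: the server refused. 2xx/3xx is not proof of relaying (Apache can
    # answer an absolute-URI GET with its own content), so mark it for review.
    verdict = "refused" if status >= 400 else "review"
    return {"client": host, "time": when, "method": method, "kind": kind,
            "dest": dest, "status": status, "verdict": verdict}

def scan(text):
    """Classify every line of an access log and keep only the proxy-style requests."""
    return [f for f in map(classify, text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]} {f["method"]} -> {f["dest"]} '
              f'[{f["status"]}] {f["verdict"]}')
```

All three entries from the thread come out as "refused" (405 and 404); only the constructed 200 line is marked "review".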
