- 03-25-2003 #1 Just Joined!
- Join Date
- Mar 2003
- Posts
- 7
Strange logfile entry
A while ago, I was reviewing my apache weblogs and came across these lines...
**.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "CONNECT security.rr.com:25 HTTP/1.0" 405 297 "-" "-"
**.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "PUT http://security.rr.com:25/ HTTP/1.1" 405 305 "-" "-"
and
**.**.194.59 - - [30/Jan/2003:03:41:42 +0000] "GET http://www.outwar.com/page.php?x=81641 HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
Anyone know why these other URLs are appearing in my access file?
- 03-25-2003 #2 Linux Engineer
- Join Date
- Mar 2003
- Location
- U.S.A.
- Posts
- 1,025
Same basic log entries described here http://www.security-forums.com/forum...pic.php?t=3232 but that would be yours
You took the time to edit your ip but not the log times to the second Mr. drivle
Now onward and upward, by your post they are old entries and didn't repeat. If this is true then I wouldn't worry about it. If they're repeating then repost so we can try to see a pattern in the Kaos and do some searches.
Did you think you'd put one over on a fellow security guy?
That's why I didn't even bother to change my handle. Now in newsgroups is another story.
Dan
"Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
- 03-25-2003 #3 Just Joined!
- Join Date
- Mar 2003
- Posts
- 7
I really don't know what your problem is fastlanwan???
I didn't edit my IP at all. The *** are actually disguising the person who accessed my site.
I thought it would be 'polite' in case there was a valid reason for this.
The reason I've posted here - is because I didn't get a satisfactory answer in the other place. I've asked elsewhere as well - and will continue to do so until I understand.
As for not changing my handle - people called David are often called Dave - hence --> drivle may be driv.... - it doesn't take a rocket scientist to work out who I am.
Now shall we put this behind us.....?
- 03-25-2003 #4 Linux Engineer
- Join Date
- Mar 2003
- Location
- U.S.A.
- Posts
- 1,025
Wow, you're really excitable. I was trying to make some light-hearted chat. Hence the emoticons. Sorry if you took it the wrong way because that's not how I meant it.
Now if you read the second paragraph, you'll see I started to answer your question based on the information you gave with a request for more info on your log for a pattern search.
Dan
"Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
- 03-25-2003 #5 Just Joined!
- Join Date
- Mar 2003
- Posts
- 7
Hmm...
Even with emoticons, the nature of the written word can be misconstrued.
"Wow, you're really excitable"
Got that right flw, - learn your lesson from an idiot with years of 'substance abuse' behind him!
Either way, virtual handshake offered...
Yes it's happened frequently ***.my.ip.*** connect /put - "another site"
I just can't understand the calling process - and I have been asking everywhere.
- 03-25-2003 #6 Linux Engineer
- Join Date
- Mar 2003
- Location
- U.S.A.
- Posts
- 1,025
By "calling process" do you mean "get" or the whole process of get/head/post/put/delete/trace/connect?
Dan
"Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
- 03-25-2003 #7 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
Take it easy. :smoke:
Just out of interest, do you have any sort of banners displayed on your website?
It may be banners, but probably not.
Hmm...
I know the outwar one is basically a site that generates a lot of spam, need to do some research.
- 03-25-2003 #8 Just Joined!
- Join Date
- Mar 2003
- Posts
- 7
No - no banners.
Sorry - I'm using my own terminology.
By 'calling' process - I'm referring to the call following the ip - which isn't shown in the logfiles - (as I suppose it's redundant - and just eats up the logs)
I'm away from my Linux box now - so I can't respond properly but something like..
***.***.***.***|?|CONNECT security.rr.com:25 HTTP/1.0" 405 297 "-" "-"
as I say I'm not at my server now so I can't remember the character "|?|"
but if you check your apache logs - you'll see what I mean.
I'll try to respond properly tomorrow when I have all the facts to hand.
Thanks,
driv.
- 03-26-2003 #9 Linux Engineer
- Join Date
- Mar 2003
- Location
- U.S.A.
- Posts
- 1,025
You may have already looked here but it's the only semi-detailed log descriptions I found.
http://httpd.apache.org/docs/logs.html#accesslog
Covers access, error, rotation, piped and misc log files.
Dan
"Keep your friends close and your enemies even closer" from The Art of War by Sun Tzu
- 03-26-2003 #10 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
I think the 2 log entries seem to be unrelated, but don't quote me on it

The first one, from security.rr.com, seems to be Road Runner checking for an open proxy. Their probing info is here:
http://security.rr.com/probing.htm
Another Internet User had the same problem, they sent an email to RR, and the response they received can be seen here: http://www.mdlug.org/archives/mdlug/msg07907.html
With the outwars entry, all I could find was one other internet user who had seen a similar thing in his Apache logs, see here: http://www.securityfocus.com/archive/75/313267 You could try emailing him, to see if he resolved his issue, SecurityFOCUS did not seem to have any responses to his post.
Jason
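
The request pattern discussed in this thread (a CONNECT, or a request line carrying a full URL for someone else's host), as an added example that is not part of any post: a Python filter that lists such proxy-style requests in an Apache access log and shows whether the server refused them. The first three sample lines are the ones quoted in the thread; the last two sample lines, the `OWN_HOSTS` value and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Leading fields of the Apache common/combined log format.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

OWN_HOSTS = {"www.example.org"}  # assumption: hostnames this server really serves

SAMPLE = [  # first three are from the thread, last two are constructed
    '**.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "CONNECT security.rr.com:25 HTTP/1.0" 405 297 "-" "-"',
    '**.**.199.228 - - [28/Jan/2003:12:21:27 +0000] "PUT http://security.rr.com:25/ HTTP/1.1" 405 305 "-" "-"',
    '**.**.194.59 - - [30/Jan/2003:03:41:42 +0000] "GET http://www.outwar.com/page.php?x=81641 HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"',
    '192.0.2.10 - - [01/Feb/2003:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.77 - - [01/Feb/2003:10:00:05 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
]

def classify(line, own_hosts=OWN_HOSTS):
    """Return a finding dict for a proxy-style request, or None otherwise."""
    m = LINE_RE.match(line)
    parts = m["request"].split() if m else []
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        dest = target  # CONNECT carries host:port instead of a path
    else:
        try:
            url = urlsplit(target)
        except ValueError:
            return None  # malformed target, not parseable as a URL
        # Ordinary requests ("GET /index.html") have no host part in the target.
        if not url.netloc or url.hostname in own_hosts:
            return None
        dest = url.netloc
    status = int(m["status"])
    # A 2xx is not proof of relaying (the local site may have answered), but the
    # request was not rejected, so the server's proxy settings need checking.
    verdict = "review" if 200 <= status < 300 else "refused"
    return {"client": m["client"], "method": method, "dest": dest,
            "status": status, "verdict": verdict}

def proxy_probes(lines):
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for f in proxy_probes(SAMPLE):
        print("{client:>15} {method:<7} {dest:<22} {status} {verdict}".format(**f))
```

The 405 and 404 responses in the thread's lines come out as "refused"; only a 2xx answer to one of these requests calls for a look at the server's proxy configuration.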