Is this an attack?
| Jeffrey Keil 2004-04-26, 4:33 pm |
| Greetings:
I've noticed something very weird in the Apache access_log. I'm not
sure what these entries mean. Could someone help me out? We're running
Apache on a Mac OS X Server.
The entries occurred on April 20 and 24. I'm not sure why the server
would return an HTTP return code of 200 on these requests.
61.182.133.232 - - [20/Apr/2004:08:56:09 -0600] "GET
http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 1456\
61.182.133.232 - - [20/Apr/2004:08:56:11 -0600] "GET
http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 1758\
61.182.133.232 - - [20/Apr/2004:08:56:12 -0600] "GET
http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 4668\
61.182.133.232 - - [20/Apr/2004:08:56:12 -0600] "GET
http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 662\
220.113.34.72 - - [24/Apr/2004:17:00:10 -0600] "GET
http://www.yahoo.com/ HTTP/1.1" 200 662\
220.113.34.72 - - [24/Apr/2004:17:00:10 -0600] "GET
http://www.yahoo.com/ HTTP/1.1" 200 1758\
220.113.34.72 - - [24/Apr/2004:17:00:10 -0600] "GET
http://www.yahoo.com/ HTTP/1.1" 200 4668\
220.113.34.72 - - [24/Apr/2004:17:00:13 -0600] "GET
http://www.yahoo.com/ HTTP/1.1" 200 1456\
Thanks,
Jeff
| |
|
| "Jeffrey Keil" <keilj_33@yahoo.com> schreef in bericht
news:67f6bbe5.0404261235.53a16172@posting.google.com...
> I've noticed something very weird in the Apache access_log. I'm not
> sure what these entries mean. Could someone help me out? We're running
> Apache on a Mac OS X Server.
> The entries occurred on April 20 and 24. I'm not sure why the server
> would return an HTTP return code of 200 on these requests.
It's just responding OK to a request and serving the opening page of your
site|server
> 61.182.133.232 - - [20/Apr/2004:08:56:09 -0600] "GET
> http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 1456\
> 61.182.133.232 - - [20/Apr/2004:08:56:11 -0600] "GET
> http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 1758\
> 61.182.133.232 - - [20/Apr/2004:08:56:12 -0600] "GET
> http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 4668\
> 61.182.133.232 - - [20/Apr/2004:08:56:12 -0600] "GET
> http://bliao.com/?USER=000&PASS=000 HTTP/1.1" 200 662\
> 220.113.34.72 - - [24/Apr/2004:17:00:10 -0600] "GET
> http://www.yahoo.com/ HTTP/1.1" 200 662\
> 220.113.34.72 - - [24/Apr/2004:17:00:10 -0600] "GET
> http://www.yahoo.com/ HTTP/1.1" 200 1758\
> 220.113.34.72 - - [24/Apr/2004:17:00:10 -0600] "GET
> http://www.yahoo.com/ HTTP/1.1" 200 4668\
> 220.113.34.72 - - [24/Apr/2004:17:00:13 -0600] "GET
> http://www.yahoo.com/ HTTP/1.1" 200 1456\
At the client some crooked DNS or host table is misdirecting these two
domains to your IP.
YM2CT
HansH
| |
| Trent Curry 2004-04-27, 12:33 am |
| HansH wrote:
> "Jeffrey Keil" <keilj_33@yahoo.com> schreef in bericht
> news:67f6bbe5.0404261235.53a16172@posting.google.com...
> It's just responding OK to a request and serving the opening page of
> your site|server
>
>
>
> At the client some crooked DNS or host table is misdirecting these two
> domains to your IP.
Or perhaps trying to use his server as a proxy. (Apache can be configured
to act as one and this person or persons could be testing.)
--
Trent Curry - trentcurryReMoVe@rEmOvEhotmail.com
| |
| Joshua Slive 2004-04-27, 9:33 am |
| keilj_33@yahoo.com (Jeffrey Keil) wrote in message news:<67f6bbe5.0404261235.53a16172@posting.google.com>...
> Greetings:
>
> I've noticed something very weird in the Apache access_log. I'm not
> sure what these entries mean. Could someone help me out? We're running
> Apache on a Mac OS X Server.
>
> The entries occurred on April 20 and 24. I'm not sure why the server
> would return an HTTP return code of 200 on these requests.
>
> 220.113.34.72 - - [24/Apr/2004:17:00:10 -0600] "GET
> http://www.yahoo.com/ HTTP/1.1" 200 662\
See:
http://httpd.apache.org/docs/misc/FAQ.html#proxyscan
Joshua.
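
An added example, not part of any post in this thread: a short Python check that scans an access log for requests naming a host the server does not serve (absolute-URI `GET` or `CONNECT`) and separates the ones that were refused from the ones that got a 2xx. `LOCAL_HOSTS`, the sample lines and the verdict labels are assumptions constructed for illustration; the size comparison is only a heuristic, and each log entry must be on a single line.

```python
import re
from urllib.parse import urlsplit

# Assumption: the names this server is actually meant to answer for.
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Constructed sample lines (documentation addresses, not the thread's data).
SAMPLE = '''\
192.0.2.10 - - [20/Apr/2004:08:55:01 -0600] "GET / HTTP/1.1" 200 4668
198.51.100.7 - - [20/Apr/2004:08:56:09 -0600] "GET http://foreign-a.example/?USER=000&PASS=000 HTTP/1.1" 200 4668
198.51.100.7 - - [20/Apr/2004:08:56:11 -0600] "GET http://foreign-a.example/?USER=000&PASS=000 HTTP/1.1" 200 9120
203.0.113.5 - - [24/Apr/2004:17:00:10 -0600] "CONNECT mail.foreign-b.example:25 HTTP/1.0" 405 312
192.0.2.10 - - [24/Apr/2004:17:02:00 -0600] "GET http://www.example.org/about.html HTTP/1.1" 200 2210
'''

def target_host(method, target):
    """Return the host named in the request-target, or None for origin-form."""
    if method == "CONNECT":                      # authority-form: host:port
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:                          # absolute-form: scheme://host/...
        return (urlsplit(target).hostname or "").lower()
    return None                                  # origin-form: /path

def find_proxy_probes(lines, local_hosts=LOCAL_HOSTS):
    """Flag requests that name a host this server does not serve."""
    parsed = [m.groups() for m in map(CLF.match, lines) if m]
    # Sizes of successful responses to ordinary local requests.
    local_sizes = {size for _, meth, tgt, st, size in parsed
                   if target_host(meth, tgt) is None and st == "200"}
    probes = []
    for client, meth, tgt, st, size in parsed:
        host = target_host(meth, tgt)
        if host is None or host in local_hosts:
            continue
        if not st.startswith("2"):
            verdict = "refused"
        elif size in local_sizes:
            verdict = "answered with local content"  # heuristic: size matches a local page
        else:
            verdict = "check proxy configuration"    # 2xx with a size not seen locally
        probes.append((client, meth, host, st, verdict))
    return probes

if __name__ == "__main__":
    for row in find_proxy_probes(SAMPLE.splitlines()):
        print(*row, sep="\t")
```
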