On Tue, 26 Aug 2003, Pall Thayer wrote:

> For the past week and a half or so, I've been noticing several strange
> entries in my webserver access log. Although they appear harmless, the
> volume of the requests worries me a bit. Here's what they look like:
>
> 218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>
> 65.42.85.131 - - [26/Aug/2003:09:10:10 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>
> 66.190.217.13 - - [26/Aug/2003:09:26:45 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>
> What makes them strange is that when my server receives a request for the
> root file, it should result in five separate requests. A legitimate request
> looks like this:

Do you have a sniffer you can use to show the complete request? That will
give more info than what's in the logs.

For example, the traffic I'm tracking looks like this with
tcpdump -s 1024 -X for IP 220.240.68.58:

---
12:51:13.899773 220.240.68.58.64871 > 129.255.233.104.80: S [tcp sum ok] 1422823769:1422823769(0) win 64240 <mss 960,nop,nop,sackOK> (DF) (ttl 110, id 4256, len 48)
0x0000 4500 0030 10a0 4000 6e06 6f95 dcf0 443a E..0..@.n.o...D:
0x0010 81ff e968 fd67 0050 54ce 9159 0000 0000 ...h.g.PT..Y....
0x0020 7002 faf0 19b0 0000 0204 03c0 0101 0402 p...............
12:51:13.899801 129.255.233.104.80 > 220.240.68.58.64871: S [tcp sum ok] 3617005260:3617005260(0) ack 1422823770 win 9600 <mss 960> (DF) (ttl 255, id 60327, len 44)
0x0000 4500 002c eba7 4000 ff06 0391 81ff e968 E..,..@........h
0x0010 dcf0 443a 0050 fd67 d797 1ecc 54ce 915a ..D:.P.g....T..Z
0x0020 6012 2580 0db3 0000 0204 03c0 `.%.........
12:51:14.210024 220.240.68.58.64871 > 129.255.233.104.80: . [tcp sum ok] 1:1(0) ack 1 win 64320 (DF) (ttl 110, id 4258, len 40)
0x0000 4500 0028 10a2 4000 6e06 6f9b dcf0 443a E..(..@.n.o...D:
0x0010 81ff e968 fd67 0050 54ce 915a d797 1ecd ...h.g.PT..Z....
0x0020 5010 fb40 4dbb 0000 0000 0000 0000 P..@M.........
12:51:14.229005 220.240.68.58.64871 > 129.255.233.104.80: P [tcp sum ok] 1:58(57) ack 1 win 64320 (DF) (ttl 110, id 4259, len 97)
0x0000 4500 0061 10a3 4000 6e06 6f61 dcf0 443a E..a..@.n.oa..D:
0x0010 81ff e968 fd67 0050 54ce 915a d797 1ecd ...h.g.PT..Z....
0x0020 5018 fb40 f591 0000 4745 5420 2f20 4854 P..@....GET./.HT
0x0030 5450 2f31 2e31 0d0a 486f 7374 3a20 7668 TP/1.1..Host:.vh
0x0040 2e6f 7267 0d0a 4361 6368 652d 436f 6e74 .org..Cache-Cont
0x0050 726f 6c3a 206e 6f2d 6361 6368 650d 0a0d rol:.no-cache...
0x0060 0a .
12:51:14.229031 129.255.233.104.80 > 220.240.68.58.64871: . [tcp sum ok] 1:1(0) ack 58 win 9600 (DF) (ttl 255, id 60328, len 40)
0x0000 4500 0028 eba8 4000 ff06 0394 81ff e968 E..(..@........h
0x0010 dcf0 443a 0050 fd67 d797 1ecd 54ce 9193 ..D:.P.g....T...
0x0020 5010 2580 2343 0000 P.%.#C..
12:51:14.234213 129.255.233.104.80 > 220.240.68.58.64871: P [tcp sum ok] 1:425(424) ack 58 win 9600 (DF) (ttl 255, id 60329, len 464)
0x0000 4500 01d0 eba9 4000 ff06 01eb 81ff e968 E.....@........h
0x0010 dcf0 443a 0050 fd67 d797 1ecd 54ce 9193 ..D:.P.g....T...
0x0020 5018 2580 0656 0000 4854 5450 2f31 2e31 P.%..V..HTTP/1.1
0x0030 2033 3031 204d 6f76 6564 2050 6572 6d61 .301.Moved.Perma
0x0040 6e65 6e74 6c79 0d0a 4461 7465 3a20 5765 nently..Date:.We
0x0050 642c 2033 3020 4a75 6c20 3230 3033 2031 d,.30.Jul.2003.1
0x0060 373a 3531 3a31 3420 474d 540d 0a53 6572 7:51:14.GMT..Ser
0x0070 7665 723a 2041 7061 6368 650d 0a4c 6f63 ver:.Apache..Loc
0x0080 6174 696f 6e3a 2068 7474 703a 2f2f 7777 ation:.http://ww
0x0090 772e 7668 2e6f 7267 2f0d 0a54 7261 6e73 w.vh.org/..Trans
0x00a0 6665 722d 456e 636f 6469 6e67 3a20 6368 fer-Encoding:.ch
0x00b0 756e 6b65 640d 0a43 6f6e 7465 6e74 2d54 unked..Content-T
0x00c0 7970 653a 2074 6578 742f 6874 6d6c 3b20 ype:.text/html;.
0x00d0 6368 6172 7365 743d 6973 6f2d 3838 3539 charset=iso-8859
0x00e0 2d31 0d0a 0d0a 6465 200d 0a3c 2144 4f43 -1....de...<!DOC
0x00f0 5459 5045 2048 544d 4c20 5055 424c 4943 TYPE.HTML.PUBLIC
0x0100 2022 2d2f 2f49 4554 462f 2f44 5444 2048 ."-//IETF//DTD.H
0x0110 544d 4c20 322e 302f 2f45 4e22 3e0a 3c48 TML.2.0//EN">.<H
0x0120 544d 4c3e 3c48 4541 443e 0a3c 5449 544c TML><HEAD>.<TITL
0x0130 453e 3330 3120 4d6f 7665 6420 5065 726d E>301.Moved.Perm
0x0140 616e 656e 746c 793c 2f54 4954 4c45 3e0a anently</TITLE>.
0x0150 3c2f 4845 4144 3e3c 424f 4459 3e0a 3c48 </HEAD><BODY>.<H
0x0160 313e 4d6f 7665 6420 5065 726d 616e 656e 1>Moved.Permanen
0x0170 746c 793c 2f48 313e 0a54 6865 2064 6f63 tly</H1>.The.doc
0x0180 756d 656e 7420 6861 7320 6d6f 7665 6420 ument.has.moved.
0x0190 3c41 2048 5245 463d 2268 7474 703a 2f2f <A.HREF="http://
0x01a0 7777 772e 7668 2e6f 7267 2f22 3e68 6572 www.vh.org/">her
0x01b0 653c 2f41 3e2e 3c50 3e0a 3c2f 424f 4459 e</A>.<P>.</BODY
0x01c0 3e3c 2f48 544d 4c3e 0a0d 0a30 0d0a 0d0a ></HTML>...0....
12:51:14.244145 220.240.68.58.64871 > 129.255.233.104.80: R [tcp sum ok] 1422823827:1422823827(0) win 0 (DF) (ttl 110, id 4261, len 40)
0x0000 4500 0028 10a5 4000 6e06 6f98 dcf0 443a E..(..@.n.o...D:
0x0010 81ff e968 fd67 0050 54ce 9193 d797 1ecd ...h.g.PT.......
0x0020 5004 0000 48cf 0000 0000 0000 0000 P...H.........
12:51:14.533515 220.240.68.58.64871 > 129.255.233.104.80: R [tcp sum ok] 1422823827:1422823827(0) win 0 (ttl 110, id 4262, len 40)
0x0000 4500 0028 10a6 0000 6e06 af97 dcf0 443a E..(....n.....D:
0x0010 81ff e968 fd67 0050 54ce 9193 54ce 9193 ...h.g.PT...T...
0x0020 5004 0000 58d2 0000 0000 0000 0000 P...X.........
12:51:14.563018 220.240.68.58.64871 > 129.255.233.104.80: R [tcp sum ok] 1422823827:1422823827(0) win 0 (ttl 110, id 4263, len 40)
0x0000 4500 0028 10a7 0000 6e06 af96 dcf0 443a E..(....n.....D:
0x0010 81ff e968 fd67 0050 54ce 9193 54ce 9193 ...h.g.PT...T...
0x0020 5004 0000 58d2 0000 0000 0000 0000 P...X.........
---

You may be seeing the same sort of thing with the agent string hard coded.

Bill Carlson
--
Systems Administrator                    wcarlsonat_private | Anything is possible,
Virtual Hospital                         http://www.vh.org/ | given time and money.
University of Iowa Hospitals and Clinics                    | Opinions are mine, not my employer's.
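The pattern Pall describes (a 200 for "/" that a real browser would follow within seconds by requests for the page's embedded objects, which these clients never make) can be pulled out of a combined-format access log mechanically, and grouping the lonely root hits by User-Agent makes a hard-coded agent string stand out as one string shared by many unrelated sources. The script below is an added example and is not part of either message: its log lines are constructed (RFC 5737 addresses, the object names and sizes, and the "SiteCheck/1.0" agent are invented), the 30-second follow-up window is an assumed value, and the constructed page is taken to need the root plus four embedded objects.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA_PROBE = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
UA_REAL = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624"

# Constructed sample log (not real traffic): one visitor that fetches the page
# and its four embedded objects, one uptime checker that only ever asks for "/",
# and three probe-style hits carrying the hard-coded MSIE agent string.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [26/Aug/2003:08:00:00 +0000] "GET / HTTP/1.1" 200 686 "-" "{UA_REAL}"',
    f'192.0.2.10 - - [26/Aug/2003:08:00:01 +0000] "GET /style.css HTTP/1.1" 200 1410 "http://www.example.com/" "{UA_REAL}"',
    f'192.0.2.10 - - [26/Aug/2003:08:00:01 +0000] "GET /logo.gif HTTP/1.1" 200 2212 "http://www.example.com/" "{UA_REAL}"',
    f'192.0.2.10 - - [26/Aug/2003:08:00:02 +0000] "GET /menu.js HTTP/1.1" 200 880 "http://www.example.com/" "{UA_REAL}"',
    f'192.0.2.10 - - [26/Aug/2003:08:00:02 +0000] "GET /bg.png HTTP/1.1" 200 3090 "http://www.example.com/" "{UA_REAL}"',
    f'192.0.2.11 - - [26/Aug/2003:08:05:00 +0000] "GET / HTTP/1.0" 200 686 "-" "SiteCheck/1.0"',
    f'198.51.100.7 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-" "{UA_PROBE}"',
    f'198.51.100.8 - - [26/Aug/2003:09:10:10 +0000] "GET / HTTP/1.1" 200 686 "-" "{UA_PROBE}"',
    f'203.0.113.20 - - [26/Aug/2003:09:26:45 +0000] "GET / HTTP/1.1" 200 686 "-" "{UA_PROBE}"',
])


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def orphan_root_requests(entries, window=timedelta(seconds=30)):
    """Return successful GET / hits that the same client never follows up on:
    no request for any other path from that IP within `window` (assumed 30 s),
    which is what a browser rendering the page would normally produce."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    orphans = []
    for hits in by_ip.values():
        hits.sort(key=lambda e: e["ts"])
        for i, e in enumerate(hits):
            if not (e["method"] == "GET" and e["path"] == "/" and e["status"] == "200"):
                continue
            followed = any(
                f["path"] != "/" and f["ts"] <= e["ts"] + window
                for f in hits[i + 1:]
            )
            if not followed:
                orphans.append(e)
    return sorted(orphans, key=lambda e: e["ts"])


def cluster_by_agent(orphans):
    """Group orphan hits by User-Agent; many distinct sources sharing one exact
    string is the hard-coded-agent signature Bill refers to."""
    groups = defaultdict(set)
    for e in orphans:
        groups[e["ua"]].add(e["ip"])
    return {ua: sorted(ips) for ua, ips in groups.items()}


if __name__ == "__main__":
    orphans = orphan_root_requests(parse_log(SAMPLE_LOG))
    for ua, ips in cluster_by_agent(orphans).items():
        print(f"{len(ips):3d} source(s)  {ua}")
        for ip in ips:
            print(f"             {ip}")
```

The uptime checker is flagged as an orphan too, which is correct: the log alone cannot distinguish a scanner from any other non-browser client that only fetches "/", and that is exactly why the follow-up suggests looking at the full request on the wire. The User-Agent clustering is what separates a one-off checker from a fleet of sources all presenting the same string.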
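The hex dump Bill posted can be turned back into the bytes on the wire and decoded, which makes his point concrete: the probe's request carries only Host and Cache-Control and no User-Agent header at all, so nothing beyond the GET line would ever reach an access log, and the client answers the 301 with a RST instead of following it. The decoder below is an added example, not code from the post. It takes the request packet (ip id 4259) and the first RST (id 4261) verbatim from the dump above as its sample input, and assumes tcpdump -X output that starts at the IP header (no -e link-layer header); the 46 bytes shown for the 40-byte RST are Ethernet padding, which the decoder drops by trusting the IP total-length field.

```python
import re
import struct

# Two packets copied from the tcpdump -s 1024 -X output in the reply above.
REQUEST_DUMP = """\
0x0000 4500 0061 10a3 4000 6e06 6f61 dcf0 443a E..a..@.n.oa..D:
0x0010 81ff e968 fd67 0050 54ce 915a d797 1ecd ...h.g.PT..Z....
0x0020 5018 fb40 f591 0000 4745 5420 2f20 4854 P..@....GET./.HT
0x0030 5450 2f31 2e31 0d0a 486f 7374 3a20 7668 TP/1.1..Host:.vh
0x0040 2e6f 7267 0d0a 4361 6368 652d 436f 6e74 .org..Cache-Cont
0x0050 726f 6c3a 206e 6f2d 6361 6368 650d 0a0d rol:.no-cache...
0x0060 0a .
"""
RST_DUMP = """\
0x0000 4500 0028 10a5 4000 6e06 6f98 dcf0 443a E..(..@.n.o...D:
0x0010 81ff e968 fd67 0050 54ce 9193 d797 1ecd ...h.g.PT.......
0x0020 5004 0000 48cf 0000 0000 0000 0000 P...H.........
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4})\s+(.*)$")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from tcpdump -X lines. Each line yields at most 16 bytes
    and reading stops at the first non-hex token, so the ASCII column on the
    right is never swallowed; summary/timestamp lines carry no hex and are skipped."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(raw):
            raise ValueError("hex dump offsets are not contiguous")
        got = 0
        for tok in m.group(2).split():
            if got >= 16 or not HEX_TOKEN.match(tok):
                break
            raw += bytes.fromhex(tok)
            got += len(tok) // 2
    return bytes(raw)


def parse_tcp_packet(raw):
    """Decode the IPv4 and TCP headers and return the TCP payload."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    tcp = raw[ihl:total_len]  # bytes past total_len are link-layer padding
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ttl": raw[8], "id": ip_id,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": "".join(ch for bit, ch in TCP_FLAGS if off_flags & bit),
        "payload": bytes(tcp[data_off:]),
    }


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into its request line and headers
    (header names lowercased); returns None if the head is not complete."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def describe(dump):
    """Decode one dumped packet and attach the parsed HTTP request, if any."""
    pkt = parse_tcp_packet(hexdump_to_bytes(dump))
    req = parse_http_request(pkt["payload"])
    pkt["http"] = req
    pkt["user_agent"] = req["headers"].get("user-agent") if req else None
    return pkt


if __name__ == "__main__":
    for dump in (REQUEST_DUMP, RST_DUMP):
        p = describe(dump)
        print(f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]} [{p["flags"]}] '
              f'ttl={p["ttl"]} id={p["id"]} payload={len(p["payload"])}B')
        if p["http"]:
            print("   ", p["http"]["method"], p["http"]["target"], p["http"]["version"])
            for k, v in p["http"]["headers"].items():
                print(f"    {k}: {v}")
            print("    user-agent present:", p["user_agent"] is not None)
```

Run on the two packets it reports 220.240.68.58:64871 > 129.255.233.104:80 [PA] with the 57-byte request and no User-Agent, then the same endpoints with [R] and an empty payload. The same parser runs unchanged on any other tcpdump -X capture of a port 80 session, so it is a quick way to compare what a suspicious client actually sends against what the access log records of it.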
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 23:41:57 PDT