Re: how to explain these logs?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 02/05/02

< chris
8<
>I'm running RH72 with firewall.
>
>Also, in some place of the log file, I see these 2 lines where the
>URLs after "GET" are nothing to do with my URL/web server. How could
>this happen? Is it someone is using my machine to access other web
>site?
>
>Can someone explain this a little bit to me, or point me to a place
>for more details? Thanks a lot!
>
>210.21.30.169 - - [04/Feb/2002:00:29:37 -0800] "GET
>http://www.sina.com.cn/ HTTP/1.1" 200 692 "-" "Mozilla/4.0
>(compatible; MSIE 4.01; Windows 95)"

Someone privacy-oriented at 210.21.30.169 searched for a proxy server.
And your server responded with code 200. This means your httpd server
allows proxy requests. You served as a proxy volunteer. This is not so
bad; it depends on your volunteer policy.

>216.35.116.20 - - [04/Feb/2002:04:55:48 -0800] "GET
>/allhotel/Beijing_Hilton.htm HTTP/1.0" 404 294 "-" "Mozilla/5.0
>(Slurp/cat; slurp@inktomi.com; http://www.inktomi.com/slurp.html)"

Someone from 216.35.116.20 wanted to get /allhotel/Beijing_Hilton.htm.
I'm not sure what the quoted () means. But I guess it is the URL of a
search engine or subliminal advertisement.

>63.121.98.164 - - [03/Feb/2002:05:58:58 -0800] "GET
>/scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
8<

Google "nimda". Many admins have been satiated with this since last
summer. Malicious probers or attackers who use social engineering make
mimic nimda scans. And perhaps they include other probes or attacks
subliminally.

>216.35.116.91 - - [03/Feb/2002:11:27:19 -0800] "GET /robots.txt
>HTTP/1.0" 404 277 "-" "Mozilla/3.0 (Slurp/si; slurp@inktomi.com;
>http://www.inktomi.com/slurp.html)"

Someone or a search engine from 216.35.116.91 wanted to get the
robots.txt file. Sometimes bad guys use this information but usually it
is not so bad. Google "robots.txt". Google uses this information too.

$ nslookup www.inktomi.com
$ nslookup _above_IPs_
$ whois www.inktomi.com
$ whois _above_IPs_

-- 
Best Regards,
RainbowHat. I support FULL DISCLOSURE.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
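A small classifier that applies the reasoning in this reply to the four quoted log lines, added here as an illustration and not part of the original thread. The labels and the short root.exe/cmd.exe signature list are my own choices; the sample log entries are the ones quoted above, re-joined onto one line each. The key check is the absolute URI in the request line: a 200 there means httpd proxied the request, anything else means it refused.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format, the format of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Path fragments typical of Nimda / Code Red style probes (my own short list).
PROBE_SIGNATURES = ("root.exe", "cmd.exe")

# The four entries quoted in the thread, re-joined onto one line each (constructed input).
SAMPLE_LOG = [
    '210.21.30.169 - - [04/Feb/2002:00:29:37 -0800] "GET http://www.sina.com.cn/ HTTP/1.1" '
    '200 692 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"',
    '216.35.116.20 - - [04/Feb/2002:04:55:48 -0800] "GET /allhotel/Beijing_Hilton.htm HTTP/1.0" '
    '404 294 "-" "Mozilla/5.0 (Slurp/cat; slurp@inktomi.com; http://www.inktomi.com/slurp.html)"',
    '63.121.98.164 - - [03/Feb/2002:05:58:58 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" '
    '404 283 "-" "-"',
    '216.35.116.91 - - [03/Feb/2002:11:27:19 -0800] "GET /robots.txt HTTP/1.0" '
    '404 277 "-" "Mozilla/3.0 (Slurp/si; slurp@inktomi.com; http://www.inktomi.com/slurp.html)"',
]

def classify(line):
    """Return (client_ip, label) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target, status = m.group("target"), int(m.group("status"))
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # Absolute URI in the request line: the client asked this server to fetch another
        # site. A 200 means it was proxied (the "proxy volunteer" case); otherwise refused.
        label = "open-proxy-used" if status == 200 else "proxy-probe-refused"
    elif any(sig in parts.path for sig in PROBE_SIGNATURES):
        label = "worm-probe"        # e.g. the Nimda-style root.exe?/c+dir request
    elif parts.path == "/robots.txt":
        label = "crawler"           # search engine reading the crawl policy
    else:
        label = "ordinary"
    return m.group("ip"), label

def summarize(lines):
    """Count labels over a whole log; any 'open-proxy-used' hit deserves attention."""
    return Counter(result[1] for result in map(classify, lines) if result)
```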
