The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.
COURSE of the MONTH
11 days, 15 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Apache Log files, what is happening here
Posted on 2010-11-10
I'm doing a study of log-files from an Apache server. Here is one of the lines out of the logfiles i have.
87.118.96.104 - - [16/Jul/2008:06:28:08 +0800] "GET http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec HTTP/1.0" 400 226 "http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050224 Firefox/1.0.2"
I would like to know why this request looks like it comes from http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" when that has nothing to do with the site.
I can see the status code returned was 400, so the request was invalid, but i'm curious to know how the p=cheap-zyrtec got there? It is probably possible for someone to type it, but is there another way it can appear automatically?
Also what does the Gecko/20050224 Firefox/1.0.2 mean?
87.118.96.104 - - [16/Jul/2008:06:28:08 +0800] "GET http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec HTTP/1.0" 400 226 "http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050224 Firefox/1.0.2"
I would like to know why this request looks like it comes from http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" when that has nothing to do with the site.
I can see the status code returned was 400, so the request was invalid, but i'm curious to know how the p=cheap-zyrtec got there? It is probably possible for someone to type it, but is there another way it can appear automatically?
Also what does the Gecko/20050224 Firefox/1.0.2 mean?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
5
-
3
- +1
11 Comments
what does the Gecko/20050224 Firefox/1.0.2 mean?
It means that the request came from someone using Mozilla FireFox browser version 1.0.2
It means that the request came from someone using Mozilla FireFox browser version 1.0.2
Hi,
I'm giving an example below.
Suppose you are getting an information like this : Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Here the details are listed below:
Browser branch name: Firefox 3.6
Browser name: Firefox
Browser version: 3.6
Operation System: Windows NT 6.1 (Windows 7)
Browser full name: Mozilla/Firefox 3.6.12
ProductSub: 20101026
Engine: Gecko RV: 1.9.2.12
U: Security type - strong security
en-US: Language Tag, indicates the language for which the client had been localized (e.g. menus and buttons in the user interface) :
rv:1.9.2.12: CVS Branch Tag
The version of Gecko being used in the browser
Gecko: Gecko engine inside
Hope this helps.
I'm giving an example below.
Suppose you are getting an information like this : Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Here the details are listed below:
Browser branch name: Firefox 3.6
Browser name: Firefox
Browser version: 3.6
Operation System: Windows NT 6.1 (Windows 7)
Browser full name: Mozilla/Firefox 3.6.12
ProductSub: 20101026
Engine: Gecko RV: 1.9.2.12
U: Security type - strong security
en-US: Language Tag, indicates the language for which the client had been localized (e.g. menus and buttons in the user interface) :
rv:1.9.2.12: CVS Branch Tag
The version of Gecko being used in the browser
Gecko: Gecko engine inside
Hope this helps.
Thank you testez,
That was helpful.
And what about for the first part of the question?
How could the <b>p=cheap-zyrtec</b> getting into the referrer link? Can anyone help me with that?
That was helpful.
And what about for the first part of the question?
How could the <b>p=cheap-zyrtec</b> getting into the referrer link? Can anyone help me with that?
Active today
The site/page "http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" is presented in the HTTP/1.0 request as the Referrer site.
NT 5.0 I think is windows 2000.
i.e. you can connect to any web server make the request and then Add the Referrer: whatever_you_want
and whatever_you_want will appear in the log.
NT 5.0 I think is windows 2000.
i.e. you can connect to any web server make the request and then Add the Referrer: whatever_you_want
and whatever_you_want will appear in the log.
Active today
You need to see who had the IP: 87.118.96.104 on [16/Jul/2008:06:28:08 +0800] and ask them.
Do you have a specific question where one can answer based on know how/knowledge versus trying to read mines/ determine motives?
Do you have a specific question where one can answer based on know how/knowledge versus trying to read mines/ determine motives?
@ arnold I don't know the person on 87.118.96.104
I just wanted to know if anyone had seen something like this before. Maybe from referrer spam or some other common issue / exploit like that. Was just curious why someone would type something so random on a site that had nothing to do with what they were looking for.
But thank you very much for your answer!
I just wanted to know if anyone had seen something like this before. Maybe from referrer spam or some other common issue / exploit like that. Was just curious why someone would type something so random on a site that had nothing to do with what they were looking for.
But thank you very much for your answer!
Active today
You seem to have answered your own question this could have a been a malicious attack DDoS attack or .... There really is no way to explain the motives behind this. The possibility that the owners of the site http://scissec.scis.ecu.edu.au/ have/use internal IPs that are public versus private.
The visitor to the site was not local/internal and the request leaked out.
i.e. site A has the public IPs a.b.c.d Site B does not use the private IP blocks when setting up their LAN but is using the a.b.c.0/24 as one of their internal LANs.
User a connects via VPN to Site B and the a.b.c.0/24 block is for one reason or another is not part of their VPN client setting. the user access the url http://scissec.scis.ecu.edu.au/ the IP of which is returned as a.b.c.d and instead of that request going through the VPN it is sent out and hits your server.
The visitor to the site was not local/internal and the request leaked out.
i.e. site A has the public IPs a.b.c.d Site B does not use the private IP blocks when setting up their LAN but is using the a.b.c.0/24 as one of their internal LANs.
User a connects via VPN to Site B and the a.b.c.0/24 block is for one reason or another is not part of their VPN client setting. the user access the url http://scissec.scis.ecu.edu.au/ the IP of which is returned as a.b.c.d and instead of that request going through the VPN it is sent out and hits your server.
Thank you!
I think it was a DDoS becuase there was tons of activity at this time and the server went down shortly after. Also it was being hit by the same ip hundreds of time per minute, using different keywords, different, browsers, OS and languages.
Thanks again for your help, It took a little bit of discussion to get the answer :)
I think it was a DDoS becuase there was tons of activity at this time and the server went down shortly after. Also it was being hit by the same ip hundreds of time per minute, using different keywords, different, browsers, OS and languages.
Thanks again for your help, It took a little bit of discussion to get the answer :)
Featured Post
Will your organization be ransomware's next victim? The good news is that these attacks are predicable and therefore preventable. Learn more about how you can stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
- Web Development
- Ransomware
- Cybersecurity
- Security
- Monitis
- Web Servers
In this article, we’ll look at how to deploy ProxySQL.
- Databases
- Network Analysis
- Network Operations
- Network Security
- MySQL Server
- Network Architecture, Percona, *proxy servers, *Data Migration
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you!
In this Micro Tutorial, you'll learn yo…
- Microsoft Applications
- Windows 10
- Windows OS
- Fonts Typography
- Windows 7, Microsoft Word
Suggested Courses
Course of the Month11 days, 15 hours left to enroll
752 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.