madstylex
asked on
Apache Log files, what is happening here
I'm doing a study of log-files from an Apache server. Here is one of the lines out of the logfiles I have.
87.118.96.104 - - [16/Jul/2008:06:28:08 +0800] "GET http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec HTTP/1.0" 400 226 "http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050224 Firefox/1.0.2"
I would like to know why this request looks like it comes from http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" when that has nothing to do with the site.
I can see the status code returned was 400, so the request was invalid, but I'm curious to know how the p=cheap-zyrtec got there? It is probably possible for someone to type it, but is there another way it can appear automatically?
Also what does the Gecko/20050224 Firefox/1.0.2 mean?
SOLUTION
ASKER
Thank you testez,
That was helpful.
And what about for the first part of the question?
How could the p=cheap-zyrtec get into the referrer link? Can anyone help me with that?
The site/page "http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" is presented in the HTTP/1.0 request as the Referrer site.
NT 5.0 I think is Windows 2000.
i.e. you can connect to any web server, make the request and then add the Referrer: whatever_you_want
and whatever_you_want will appear in the log.
ASKER
@ arnold
Any idea why someone would do this?
You need to see who had the IP: 87.118.96.104 on [16/Jul/2008:06:28:08 +0800] and ask them.
Do you have a specific question where one can answer based on know-how/knowledge versus trying to read minds / determine motives?
ASKER
@ arnold I don't know the person on 87.118.96.104
I just wanted to know if anyone had seen something like this before. Maybe from referrer spam or some other common issue / exploit like that. Was just curious why someone would type something so random on a site that had nothing to do with what they were looking for.
But thank you very much for your answer!
ASKER CERTIFIED SOLUTION
ASKER
Thank you!
I think it was a DDoS because there was tons of activity at this time and the server went down shortly after. Also it was being hit by the same IP hundreds of times per minute, using different keywords, different browsers, OS and languages.
Thanks again for your help, It took a little bit of discussion to get the answer :)
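A small detector for the two patterns discussed in this thread: a client-supplied Referer that simply mirrors the requested URL, and a single IP hitting the server many times a minute with changing keywords and user agents. This is an added example, not code from the thread or its participants; the regex, the function names and the second and third sample lines are constructed, and only the first sample line is the one from the question.

```python
import re
from collections import defaultdict

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# (constructed regex; tolerant of "-" in the size field and absolute URLs in %r).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: line 1 is the line from the question, lines 2 and 3 are made up.
SAMPLE_LINES = [
    '87.118.96.104 - - [16/Jul/2008:06:28:08 +0800] "GET http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec HTTP/1.0" 400 226 "http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-zyrtec" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050224 Firefox/1.0.2"',
    '87.118.96.104 - - [16/Jul/2008:06:28:09 +0800] "GET http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-pills HTTP/1.0" 400 226 "http://scissec.scis.ecu.edu.au/educom/themes/Prairie/images/.tmp/index.php?p=cheap-pills" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [16/Jul/2008:06:28:10 +0800] "GET /educom/ HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_self_referer(rec):
    """The Referer header is chosen by the client, so a Referer identical to the
    requested URL (as in the question) is a hallmark of referrer spam, not real browsing."""
    return rec["referer"] != "-" and rec["referer"] == rec["target"]

def analyse(lines, per_minute_threshold=100):
    """Parse lines; return (self-referer records, {(ip, minute): count} above threshold)."""
    spam, per_minute = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        if is_self_referer(rec):
            spam.append(rec)
        # %t looks like "16/Jul/2008:06:28:08 +0800"; keep day and hour:minute only.
        minute = rec["ts"].split(" ")[0].rsplit(":", 1)[0]
        per_minute[(rec["ip"], minute)] += 1
    floods = {k: n for k, n in per_minute.items() if n >= per_minute_threshold}
    return spam, floods

if __name__ == "__main__":
    spam, floods = analyse(SAMPLE_LINES, per_minute_threshold=2)
    for rec in spam:
        print("self-referer:", rec["ip"], rec["target"])
    for (ip, minute), n in floods.items():
        print("flood:", ip, minute, n, "requests")
```

On a real access log, read the file line by line into analyse() and raise per_minute_threshold to whatever is normal for the site; the thread's "hundreds of times per minute" from one IP would stand out clearly.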
ASKER
Thorough explanations
It means that the request came from someone using the Mozilla Firefox browser, version 1.0.2.