[plug] Apache logs
Alex Nordstrom
lx at se.linux.org
Wed Mar 1 17:16:49 WST 2006

Wednesday, 1 March 2006 10:59, Kirk Turner wrote:
> On 3/1/06, Patrick Coleman <blinken at gmail.com> wrote:
> > Has anyone else seen anything similar, or have any idea what the
> > purpose might be (other than a really, really slow DDOS :)?
>
> My guess, although not common these days, is that it is a browser
> with the loading of images turned off. Under firefox for example you
> can turn off the loading of images in Edit->Preferences->Content

I sincerely doubt that. I run a low-profile server with very few
legitimate requests but a lot of GET / requests, all of which load only
the index page (no images, no CSS, no favicon, and, most importantly,
no other HTML pages, which bipeds would most likely request).

There just are not that many users running MSIE 5.5 on Windows 98 (and I
wonder how much these probes distort browser use statistics) with
images disabled that are legitimately interested in only the index page
of my personal web server. Certainly, I wouldn't expect as many
Taiwanese people to be so interested.

If one is not convinced of their malicious nature not made unlikely
enough by the number of such requests, certainly, it becomes ridiculous
when looking at the ratio of such requests to normal requests.

Recently, I've also seen a couple of requests from clients claiming to
be Mozilla/5.0 (compatible; Konqueror/3.1; i686 Linux; 20020304), and
in the past, there have been the odd Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; Q312464) in there as well, not to mention those giving
no user agent at all.

Most likely, these are probes for vulnerable web servers, since web
servers respond to HTTP requests with a string identifying the version
used (e.g. "Server: Apache/1.3.34 (Debian)"). Most likely, unless you
(claim that you) use IIS, you won't see what requests follow these
probes.

I've tried looking for specifics on what malware this might be, but
there's really not much to put in as a search string, especially with
the number of people who think it's a good idea to publish their web
and proxy server logs.
--
Alex Nordstrom
http://lx.n3.net/
Please do not CC me in followups; I am subscribed to plug.
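
An added example, not part of the original post: one way to pull the pattern described above (clients that only ever issue GET / and never fetch images, CSS, the favicon or another page) out of an Apache access log and compare it with normal traffic. It assumes the combined log format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation-range addresses, not real log data).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2006:09:00:01 +0800] "GET / HTTP/1.0" 200 2100 "-" "Mozilla/5.0 (compatible; Konqueror/3.1; i686 Linux; 20020304)"
198.51.100.7 - - [01/Mar/2006:09:03:12 +0800] "GET / HTTP/1.0" 200 2100 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312464)"
203.0.113.5 - - [01/Mar/2006:09:04:40 +0800] "GET / HTTP/1.0" 200 2100 "-" "-"
203.0.113.99 - - [01/Mar/2006:09:10:00 +0800] "GET / HTTP/1.1" 200 2100 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.5"
203.0.113.99 - - [01/Mar/2006:09:10:01 +0800] "GET /style.css HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0 (X11; Linux i686) Firefox/1.5"
203.0.113.99 - - [01/Mar/2006:09:10:01 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.5"
"""


def requests_by_host(lines):
    """Map each client host to its list of (method, path) and set of user agents."""
    hosts = defaultdict(lambda: {"requests": [], "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # silently skip lines that are not in combined format
            hosts[m["host"]]["requests"].append((m["method"], m["path"]))
            hosts[m["host"]]["agents"].add(m["agent"])
    return hosts


def index_only_hosts(hosts):
    """Hosts whose every request was GET / (no images, CSS, favicon or other pages)."""
    return sorted(h for h, d in hosts.items()
                  if all(r == ("GET", "/") for r in d["requests"]))


def probe_to_normal_ratio(hosts):
    """Requests from index-only hosts divided by requests from all other hosts."""
    suspects = set(index_only_hosts(hosts))
    probes = sum(len(d["requests"]) for h, d in hosts.items() if h in suspects)
    normal = sum(len(d["requests"]) for h, d in hosts.items() if h not in suspects)
    return probes / normal if normal else float("inf")


if __name__ == "__main__":
    hosts = requests_by_host(SAMPLE_LOG.splitlines())
    print(index_only_hosts(hosts), probe_to_normal_ratio(hosts))
```

Index-only is a heuristic: uptime checks and returning visitors with cached assets match it too, so the user agents collected per host are worth reviewing alongside the list.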