FREESCO Support

[Island]

Is there a brief guide to what sort of thing thttpd logs, and what the fields in the logs mean? Actually, I've just realised of course that there will be something on the thhtd website; I ought to look there first.

FREESCO's been logging this type of entry most days, and I wondered what it was telling me:

58.218.199.227 - - "GET /proxyheader.php HTTP/1.1" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


I guess the IP address is the source address of an http:// command.
The GET string is perhaps what the http:// command was.
404 (I hope) is FREESCO's reply, not sure what the 0 might be, nor the 'null' within the "".
The last field is the User Agent, I guess.

In this example, what might the remote user have been trying to achieve with '/proxyheader.php'? Other times, this entry has quite different things, such as /cgi/something etc.

I'm going to check the thttpd documents, anyway, if I find something useful, I'll post back.

regards, Island

[Island]

I'm going to check the thttpd documents, anyway, if I find something useful, I'll post back.

httpd logs are described here:
http://www.acme.com/software/thttpd/tht ... .html#LOGS
referring to a CERN format here:
http://www.w3.org/Daemon/User/Config/Logging.html

This describes everything up to the null "" in my example:

58.218.199.227 - - "GET /proxyheader.php HTTP/1.1" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I've discovered (by testing) that the null "" is the referrer field, and the user agent is the (reported) user agent. If a log is ever thought to be recording a malicious attempt, then you should expect that the referrer and user-agent do not reflect what was actually used.

I'd welcome any suggestion, though, about what could have been the intention behind a GET for a proxyheader.php

regards, Island

[Lightning]

I'd welcome any suggestion, though, about what could have been the intention behind a GET for a proxyheader.php

It is an attack of sorts, what is happening is that the person is trying to identify a very specific type of server or software running on a server. Your server responded 404 (file not found), so they know that your machine is not what they are looking for. If you did happen to have that file then you would have probably seen some other testing for specific files or an attack to a vulnerability of that software.