thttpd log: 404s, and strange-looking requests

Support section for FREESCO v0.4.x


Post by Island » Thu Sep 01, 2011 10:52 am

Is there a brief guide to what sort of thing thttpd logs, and what the fields in the logs mean? Actually, I've just realised of course that there will be something on the thttpd website; I ought to look there first.

FREESCO's been logging this type of entry most days, and I wondered what it was telling me:

58.218.199.227 - - "GET /proxyheader.php HTTP/1.1" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


I guess the IP address is the source address of an http:// command.
The GET string is perhaps what the http:// command was.
404 (I hope) is FREESCO's reply, not sure what the 0 might be, nor the 'null' within the "".
The last field is the User Agent, I guess.

In this example, what might the remote user have been trying to achieve with '/proxyheader.php'? Other times, this entry has quite different things, such as /cgi/something etc.

I'm going to check the thttpd documents anyway; if I find something useful, I'll post back.

regards, Island

Re: thttpd log: 404s, and strange-looking requests

Post by Island » Thu Sep 01, 2011 12:46 pm

Island wrote: I'm going to check the thttpd documents, anyway, if I find something useful, I'll post back.


httpd logs are described here:
http://www.acme.com/software/thttpd/tht ... .html#LOGS
referring to a CERN format here:
http://www.w3.org/Daemon/User/Config/Logging.html

This describes everything up to the null "" in my example:
58.218.199.227 - - "GET /proxyheader.php HTTP/1.1" 404 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


I've discovered (by testing) that the null "" is the referrer field, and the user agent is the (reported) user agent. If a log is ever thought to be recording a malicious attempt, then you should expect that the referrer and user-agent do not reflect what was actually used.

I'd welcome any suggestion, though, about what could have been the intention behind a GET for a proxyheader.php.

regards, Island

Re: thttpd log: 404s, and strange-looking requests

Post by Lightning » Thu Sep 01, 2011 10:56 pm

Island wrote: I'd welcome any suggestion, though, about what could have been the intention behind a GET for a proxyheader.php

It is an attack of sorts. What is happening is that the person is trying to identify a very specific type of server or software running on a server. Your server responded 404 (file not found), so they know that your machine is not what they are looking for. If you did happen to have that file, then you would probably have seen some other testing for specific files or an attack on a vulnerability of that software.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
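Added example, not part of any post in this thread: a small Python parser for the log layout worked out above (source address, two "-" fields, request, status, byte count, referrer, user agent) that groups 404 responses by source address so repeated probing for specific files stands out. The regular expression, function names and all sample lines except the first are assumptions made for this example; the timestamp field is treated as optional because the posted line does not show one.

```python
import re
from collections import defaultdict

# Layout as shown in the thread. The [timestamp] group is optional
# (assumption: the posted sample line carries no timestamp).
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'(?:\[(?P<time>[^\]]*)\] )?'
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec

def probes_by_source(lines, min_paths=1):
    """Map each source address to the sorted paths that returned 404."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            seen[rec["host"]].add(rec["path"])
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_paths}

# First line is the one posted in the thread; the rest are constructed.
SAMPLE = [
    '58.218.199.227 - - "GET /proxyheader.php HTTP/1.1" 404 0 "" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [01/Sep/2011:10:00:00 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "" "ExampleBrowser/1.0"',
    '198.51.100.7 - - "GET /cgi/something HTTP/1.0" 404 0 "" "ExampleAgent"',
    '198.51.100.7 - - "GET /proxyheader.php HTTP/1.0" 404 0 "" "ExampleAgent"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, paths in probes_by_source(SAMPLE).items():
        print(ip, paths)
```

The referrer and user-agent fields are parsed but not used for grouping, since both are supplied by the client and may not reflect what was actually used.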


Return to FREESCO Support for v0.4.x

Who is online

Users browsing this forum: No registered users and 1 guest

cron