What is this web site trying to do?

Tim ignored_mailbox at yahoo.com.au
Mon Jun 4 04:57:18 UTC 2007


Tim:
>> The logwatch is really only a brief summary.  You want to
>> look at the proper webserver logs, in /var/log/httpd
>> (access or error logs).  Use grep to find the diyproxy
>> entry in them.  You'll probably find that someone's
>> trying to see if they can use your webserver as a proxy,
>> for their own nefarious purposes.

linuxmaillists:
> Tim thanks for pointing me to the appropriate log file.

With a name like yours, I've got this mental image of Lister from Red
Dwarf going through my head...  ;-)

> What is the AP that 69.28.79.34 or http://www.diyproxy.com/ 
> was looking for as recorded in my error log
> 
> [Fri Jun 01 19:15:28 2007] [error] [client 69.28.79.34] File 
> does not exist: /var/www/html/ap

Your original post mentioned a request for this address:
<http://www.diyproxy.com/ap/flag.txt> 

Your server is breaking apart the hostname from the path after the
domain name (/ap/flag.txt could be inside /var/www/html/ap/flag.txt if
you actually did serve that domain).


> I know the next entry from Asia 222.216.28.147 or 
> http://www.loanscandyloans.com/ was up to no good
> 
> [Sat Jun 02 22:14:26 2007] [error] [client 222.216.28.147] 
> File does not exist: /var/www/html/php

Which could be an attempt to find a PHP exploit on your system, or on
someone else's system, using you as a patsy.

> This favicon.ico error happens a lot both internally and 
> externally what would be causing this? I have nothing on my 
> pages that would be pointing a browser to a favicon.ico 
> file or image.
> 
> [Sun Jun 03 01:10:45 2007] [error] [client 64.53.219.226] 
> File does not exist: /var/www/html/favicon.ico

Frank has already mentioned how many browsers will try to load
a /favicon.ico for any website that they visit.  They do it themselves.

Additional:  Anybody trying to block websites by putting bogus entries
in their /etc/hosts file for annoying domain names will turn the
connection attempts onto their own server.  That can be a cause of some
strange things in their webserver logs.  There are better ways to block
such things.

For one of my public facing test servers, I use name-based virtual
hosting, with a default that leads to a null site.  Anything that's
nothing to do with the sites it does host, whether accidental or
deliberate, gets logged separately.  It doesn't access anything in the
real websites, nor clutter their logs.  I'd generally notice a few
connection attempts a day, some trying to use me as a proxy, some trying
to exploit a script that might have been on a webserver.

-- 
(This box runs FC6, my others run FC4 & FC5, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
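As an added example (not config from Tim's server or from the thread), here is the
kind of Apache 2.2 setup the previous message describes: name-based virtual hosting
where the first vhost is a catch-all "null" site with its own log files, so proxy
probes and scans for scripts never reach the real sites or clutter their logs.
The hostnames and paths (www.example.org, /var/www/null, the log names) are assumed.

```apache
# Added example, not the list poster's own config.  Apache 2.2 syntax (FC6 era).
NameVirtualHost *:80

# The FIRST vhost for an address/port is Apache's default: it answers any
# request whose Host header, or absolute URL in a proxy-style request such as
# "GET http://www.diyproxy.com/ap/flag.txt", matches no ServerName/ServerAlias.
<VirtualHost *:80>
    ServerName   default.invalid
    DocumentRoot /var/www/null
    # Separate logs: stray requests show up here, not in the real sites' logs.
    ErrorLog     /var/log/httpd/null-error_log
    CustomLog    /var/log/httpd/null-access_log combined
    # Nothing is served from the null site; every request gets a 403.
    <Directory /var/www/null>
        Order deny,allow
        Deny from all
    </Directory>
    # Make sure this host cannot be used as a forward proxy.
    ProxyRequests Off
</VirtualHost>

# A real site: only requests addressed to these names land here.
<VirtualHost *:80>
    ServerName   www.example.org
    ServerAlias  example.org
    DocumentRoot /var/www/example.org
    ErrorLog     /var/log/httpd/example.org-error_log
    CustomLog    /var/log/httpd/example.org-access_log combined
</VirtualHost>
```

After a reload, `grep diyproxy /var/log/httpd/null-access_log` shows whether the proxy probes are landing in the null site as intended, and `/var/log/httpd/example.org-error_log` should stay free of the "File does not exist: /var/www/html/ap" style entries.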
