Who's making bogus web requests?
Yesterday I noticed in my Apache access log a lot of 404s that looked like this:
aaa.xx.65.186 - - [25/Jul/2007:05:55:05 -0500] "GET http://www.some-advertising-site.com/banner/digits HTTP/1.1" 404 305 "http://some-different-website.com/" "legitimate-looking agent"
Not only am I not hosting banner ads, the GET request is invalid. It should be GET /banner/digits..., without the scheme and hostname part of it. I wondered how many I had of these, and how many hits I was getting. A Perl one-liner to the rescue!
perl -MData::Dumper -nae'++$n{$F[0]} if /GET http/; \
END{print Dumper\%n}' access.log
$VAR1 = {
'aaa.xx.65.186' => 132, # Real IPs obscured
'bb.yyy.7.60' => 48,
'ccc.zzz.46.147' => 111,
'dd.qq.71.82' => 33
};
So it looked like I was getting hit by a couple of 0wnz0red boxes with some sort of virus on them. I added them to my iptables DROP list and was done with it.
If you think that's invalid, it might be time to reread that RFC (2616). Absolute URIs are allowed, even though typically they're only generated for proxy requests.
And that's probably what happened here: something tried to use your server as an HTTP proxy. You may want to make sure that it doesn't actually work like one :)
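As an added example (not code from the original post or its comments), here is the one-liner's check written out as a small Perl script that also covers the commenter's concern: it parses Apache combined-log lines, counts proxy-style requests (absolute URI in the request line) per client IP, and separately counts how many of those the server answered with a 2xx status, since any 2xx means the server really relayed the request instead of returning 404. The log lines, IPs and hostnames are constructed samples in the same shape as the entry quoted above.

```perl
use strict;
use warnings;

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
my $log_re = qr/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+/;

# Parse one access-log line. Returns undef when the line does not match,
# otherwise a hashref with the client IP, method, request target, status,
# and a flag telling whether the target is an absolute URI (proxy-style).
sub parse_line {
    my ($line) = @_;
    my ( $ip, $method, $target, $status ) = $line =~ $log_re or return;
    return {
        ip       => $ip,
        method   => $method,
        target   => $target,
        status   => $status,
        absolute => ( $target =~ m{^[a-z][a-z0-9+.-]*://}i ? 1 : 0 ),
    };
}

# Count proxy-style requests per client IP, and separately count the ones
# the server answered with 2xx: a non-zero "served" count means the server
# is actually relaying them and its proxy configuration needs a look.
sub summarize {
    my (@lines) = @_;
    my ( %count, %served );
    for my $line (@lines) {
        my $r = parse_line($line) or next;
        next unless $r->{absolute};
        $count{ $r->{ip} }++;
        $served{ $r->{ip} }++ if $r->{status} =~ /^2/;
    }
    return ( \%count, \%served );
}

# Constructed sample lines (not from the post's real log); IPs and hosts are made up.
my @sample = (
    'aaa.xx.65.186 - - [25/Jul/2007:05:55:05 -0500] "GET http://ads.example/banner/1 HTTP/1.1" 404 305 "http://ref.example/" "agent"',
    'aaa.xx.65.186 - - [25/Jul/2007:05:55:06 -0500] "GET http://ads.example/banner/2 HTTP/1.1" 404 305 "-" "agent"',
    'bb.yyy.7.60 - - [25/Jul/2007:05:56:00 -0500] "GET http://ads.example/banner/3 HTTP/1.1" 200 1942 "-" "agent"',
    'dd.qq.71.82 - - [25/Jul/2007:05:57:00 -0500] "GET /index.html HTTP/1.1" 200 4500 "-" "agent"',
);
my ( $count, $served ) = summarize(@sample);
for my $ip ( sort { $count->{$b} <=> $count->{$a} } keys %$count ) {
    printf "%-16s %4d proxy-style requests, %d answered 2xx\n",
        $ip, $count->{$ip}, $served->{$ip} || 0;
}
```

Run against a real access.log by replacing @sample with the file's lines; any client with a non-zero "answered 2xx" column is the one to investigate first, because a correctly configured origin server should never answer those requests with anything but an error.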