Ping a Specific Port

Question

paul

Asked: 2010-08-02 23:06:27 +0800 CST2010-08-02 23:06:27 +0800 CST 2010-08-02 23:06:27 +0800 CST

Strange URLs in access log. What could it be?

772

I am currently investigating an instability problem in my customer's web site. While looking through the access log I noticed a sudden burst of activity from one particular IP. It started off requesting normal URLs but at a high rate - 8 hits/sec. For most of the time the same URL (actually a directory) was requested but interspersed with these were URLs which started off as valid but always ended with a random 11-character value like this:

93.133.234.xxx - - [25/Jul/2010:13:49:57 +0200] "GET /com/COM/de/ HTTP/1.1" 302 -
93.133.234.xxx - - [25/Jul/2010:13:49:57 +0200] "GET /com/COM/de/ HTTP/1.1" 302 -
93.133.234.xxx - - [25/Jul/2010:13:49:57 +0200] "GET /com/0g2exjxspky.html HTTP/1.1" 302 -
93.133.234.xxx - - [25/Jul/2010:13:49:57 +0200] "GET /com/COM/de/ HTTP/1.1" 302 -
93.133.234.xxx - - [25/Jul/2010:13:49:57 +0200] "GET /com/COM/de/ HTTP/1.1" 302 -

Has anyone seen this kind of behaviour before? I can't figure out what might lie behind this. I'd be interested to hear anyone's opinion on this.

Paul

4 Answers

Voted

Janne Pikkarainen · Answer 1 · 2010-08-02T23:10:28+08:00

Janne Pikkarainen

2010-08-02T23:10:28+08:002010-08-02T23:10:28+08:00

Not sure, but many spambots etc. are behaving like that, so it might be just another zombie Windows client bombing your server.

1

user48838 · Answer 2 · 2010-08-02T23:59:46+08:00

user48838

2010-08-02T23:59:46+08:002010-08-02T23:59:46+08:00

It is usually not a problem, if your server and any of its possible server-based applications are responding correctly to the bogus calls (ignore or error).

0

John Gardeniers · Answer 3 · 2010-08-03T02:04:05+08:00

John Gardeniers

2010-08-03T02:04:05+08:002010-08-03T02:04:05+08:00

I see that kind of thing pretty much every day, along with numerous requests for pages which don't exist on our sites. As far as I've been able to determine it's bots looking for specific vulnerabilities. I just accept it as part and parcel of being on the Internet and haven't taken the time to determine just what holes they're looking for.

0

TomTom · Answer 4 · 2010-08-03T02:42:57+08:00

TomTom

2010-08-03T02:42:57+08:002010-08-03T02:42:57+08:00

You run into some zobies / bots / whatever trying to explore various problems in various programs used on various systems. Some web servers (older, unpatched) or some software may react by installing softawre etc.

Those worms basically try to exploit a security issue X on random IP addresses.

Some are ancient, but still around - supposedly there are infected Windows 2000 systems still around, unpatched, on the internet.

0

Strange URLs in access log. What could it be?

Ping a Specific Port

How do I tell Git for Windows where to find my private RSA key?

How do you restart php-fpm?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?