Sat, 08 Mar 2008
Strange visitors
I've been keeping an eye on my log files (which is easy considering I get about two hits a week) and I've seen some strange things:
-
A.B.C.D - - [08/Mar/2008:09:42:26 +0100] "GET / HTTP/1.1" 301 313 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
Is there really someone out there still using Windows 98? It's probably a spammer harvesting e-mail addresses or something. Similar entries occur a few times, always with the same behaviour. He requests '/', which sends a redirect to '/blog/', but never follows it.
-
A.B.C.D - - [06/Mar/2008:16:45:20 +0100] "GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
A.B.C.D - - [05/Mar/2008:10:33:52 +0100] "GET http://www.proxy.us.pl/azenv.php HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
I don't get these at all. I'd guess it's scanning for PHP software with known security problems, but the domains don't make sense. A quick dig tells me they exist, but point to completely different IPs. The links exist but just return some information about my HTTP request for them. Is there a DNS server returning wrong IPs or something?
-
A.B.C.D - - [04/Mar/2008:21:30:58 +0100] "GET /robots.txt HTTP/1.0" 404 287 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
Cool, I got indexed by Yahoo!. I've no idea where they got the URL for my site though. I submitted it to Google for indexing but I haven't seen their bot yet.
-
A.B.C.D - - [06/Mar/2008:23:54:00 +0100] "GET / HTTP/1.1" 301 314 "-" "Mozilla/5.0 (Really Gmane.org's favicon grabber)"
Another indexer. This one also didn't follow the 301. I have no idea why Gmane.org wants my favicon, or why they think I'd have one.
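As an added example (not code from the original post), here is a small classifier that runs over Apache combined-format log lines and tags the three patterns seen above: a full URL in the request line (the form a client only sends to a proxy, so the sender is checking whether this server forwards requests), a known crawler user agent, and a client that receives a 301 and never comes back. The sample lines are constructed after the entries quoted in the post, with documentation-range IPs and one extra constructed client that does follow the redirect, for contrast.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
# host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-agent markers of well-known search crawlers (Yahoo! Slurp appears in the post).
CRAWLER_MARKS = ("Slurp", "Googlebot")

# Constructed sample, modelled on the post's entries; 192.0.2.0/24 is a documentation range.
# The last host is a constructed client that follows the 301, unlike the ones in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Mar/2008:09:42:26 +0100] "GET / HTTP/1.1" 301 313 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.11 - - [06/Mar/2008:16:45:20 +0100] "GET http://thecric.free.fr/AZenv/azenv.php HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.12 - - [04/Mar/2008:21:30:58 +0100] "GET /robots.txt HTTP/1.0" 404 287 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
192.0.2.13 - - [06/Mar/2008:23:54:00 +0100] "GET / HTTP/1.1" 301 314 "-" "Mozilla/5.0 (constructed browser)"
192.0.2.13 - - [06/Mar/2008:23:54:01 +0100] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed browser)"
"""


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(log_text):
    """Return {host: sorted list of tags}; assumes lines are in chronological order."""
    by_host = defaultdict(list)
    for entry in (parse(line) for line in log_text.splitlines()):
        if entry:
            by_host[entry["host"]].append(entry)
    tags = {}
    for host, reqs in by_host.items():
        found = set()
        for i, r in enumerate(reqs):
            # Absolute URI in the request line: only a proxy is meant to see this.
            if r["target"].lower().startswith(("http://", "https://")):
                found.add("proxy-probe")
            if any(mark in r["ua"] for mark in CRAWLER_MARKS):
                found.add("crawler")
            # A redirect that is this host's last request: it never followed the 301.
            if r["status"] == "301" and i == len(reqs) - 1:
                found.add("redirect-not-followed")
        tags[host] = sorted(found)
    return tags
```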
The mail server logs only have a few interesting things:
-
Feb 20 13:13:59 mars postfix/smtpd[3673]: connect from D-C-B-A.dynamic.hinet.net[A.B.C.D]
Feb 20 13:14:00 mars postfix/smtpd[3673]: NOQUEUE: reject: RCPT from D-C-B-A.dynamic.hinet.net[A.B.C.D]: 554 5.7.1 : Relay access denied; from= to= proto=SMTP helo=
I only installed the mail server on 2008-02-19, and I get the first spammer trying to use it as a relay the next day. The MX records have been published a little longer though. Most of the spam seems to come from residential IPs (cable/DSL lines). I guess blacklisting those can be quite effective if you're running a server with more traffic than mine.
-
Feb 20 19:13:56 mars postfix/smtpd[3730]: connect from A-B-C-D-adsl-tpe.dynamic.so-net.net.tw[A-B-C-D]
Feb 20 19:13:56 mars postfix/smtpd[3730]: lost connection after CONNECT from A-B-C-D-adsl-tpe.dynamic.so-net.net.tw[A-B-C-D]
Feb 20 19:13:56 mars postfix/smtpd[3730]: disconnect from A-B-C-D-adsl-tpe.dynamic.so-net.net.tw[A-B-C-D]
I see quite a few of these. Someone tries to connect and then closes the connection. Again, quite probably spam zombies but I have no idea what they're trying to do.
If you offer a better explanation for any of these let me know.
posted at: 12:33 | path: / | [ 0 comments ]