How is your research going along? No harm no foul, right? Did you find what you 
had expected to find or some other anomaly? I'm stuck with these packets trying 
to reverse engineer the software that rendered them... lol

"[email protected]" <[email protected]> wrote:


I had to change fxp0 to xl0, but that tcpdump command is very cool, very 
instructive and very reassuring.  Thank you.

--------


At 05:57 PM 3/9/2011, Michael  J. Kearney wrote:
>I don't know if I got through the last time but you ... could... add to but 
>not take away from your operational matrices by writing it to a file. Using 
>tcpdump to analyze the traffic on your webserver, it might clear up some of 
>the confusion.
>
>tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 80 > fale
>
>You can also read some of the output data.
>
>Eg, here are some of my logs:
>
>168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] "GET 
>/index.php?domain=fixitbot&tld=com&lookup=%3E%3E HTTP/1.1" 200 5413 "-" 
>"Mozilla
>/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
>The query is 8,223 bytes and logged as 5,413 bytes ?
>
>The only logical conclusion is that the header data is false. Unfortunately the 
>RAW data does not reveal anything more than that. Maybe you will have better 
>luck .. and p.s. I was hanging out with my android earlier, I hope this helps.
>
>
>-----Original Message-----
>From: [email protected] 
>[mailto:[email protected]] On Behalf Of [email protected]
>Sent: Wednesday, March 09, 2011 3:40 PM
>To: [email protected]
>Subject: Re: Nonsensical Web Log Entries
>
>At 03:02 PM 3/9/2011, [email protected] wrote:
>>At 03:06 PM 3/9/2011, Robert Bonomi wrote:
>>>> From [email protected]  Wed Mar  9 10:40:23 2011
>>>> Date: Wed, 09 Mar 2011 09:57:03 -0500
>>>> To: [email protected]
>>>> From: [email protected]
>>>> Subject: Nonsensical Web Log Entries
>>>>
>>>>
>>>> I was looking at my Web log this morning, and a bunch of nonsensical
>>>> entries like these caught my attention:
>>>>
>>>> 124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ 
>>>> HTTP/1.0" 301 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
>>>> 5.1; SV1)"
>>>> 123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET 
>>>> http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0 
>>>> (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>> 115.225.166.2 - - [09/Mar/2011:09:50:04 -0500] "GET 
>>>> http://join1.winhundred.com/affiliate/link.php?ref=35840&productid=7178 
>>>> HTTP/1.0" 404 3485 "http://www.wingclips.com/" "Mozilla/4.0 (compatible; 
>>>> MSIE 6.0; Windows NT 5.1; SV1)"
>>>> 114.97.197.184 - - [09/Mar/2011:09:50:15 -0500] "GET 
>>>> http://www.tosunmail.com/proxyheader.php HTTP/1.0" 301 313 
>>>> "http://www.cashsoldier.com/VerifyerLevel.php" "Mozilla/4.0 (compatible; 
>>>> MSIE 6.0; Windows NT 5.1; SV1)"
>>>>
>>>> Is my FreeBSD box serving as some kind of Web proxy?
>>>
>>>Your box is _not_ doing the proxying.  That's why it's signalling errors
>>>for those requests.
>>>
>>>The perpetrators are _hoping_ you are running a misconfigured proxying front-
>>>end.
>>
>>Does this entry change your conclusion:
>>
>>     188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET 
>> http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"
>>
>
>Here's another entry that's too bizarre for words:
>
>     218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 
> "-" "-"
>
>
>
>-------------------------------------------------
>This message sent via VFEmail.net
>http://www.vfemail.net
>$14.95 Lifetime accounts!  15GB disk!  No bandwidth quotas!
>
>_______________________________________________
>[email protected] mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "[email protected]"


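Added example (not part of the original thread): a small classifier for the two kinds of entries discussed above, requests whose request line carries an absolute URL (proxy probes) and requests that begin with the escaped bytes \x16\x03, which are the start of a TLS record header sent to a plaintext port. The sample lines are entries quoted in the thread, rejoined onto single lines with the agent string shortened; the names classify, summarize and own_hosts are assumptions of this example.

```python
import re
from collections import Counter

# NCSA combined format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Absolute-form request target, e.g. "GET http://host/path HTTP/1.0"
ABS_URI_RE = re.compile(r'^[A-Z]+ https?://(?P<host>[^/:\s]+)', re.I)

def classify(line, own_hosts=()):
    """Return (label, detail) for one log line. own_hosts is hypothetical:
    the host names this server legitimately answers for."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", "")
    request, status = m["request"], int(m["status"])
    # The log shows non-printable request bytes as \xHH escapes. 0x16 0x03
    # opens a TLS record: content type 22 (handshake), major version 3.
    if request.startswith("\\x16\\x03"):
        return ("tls-on-plain-http", "")
    u = ABS_URI_RE.match(request)
    if u and u["host"].lower() not in own_hosts:
        if 200 <= status < 300:
            # 2xx alone does not prove proxying: the server may have returned
            # its own page. Compare the size with a local page to decide.
            return ("proxy-probe-2xx", u["host"])
        return ("proxy-probe-rejected", u["host"])
    return ("normal", "")

def summarize(lines, own_hosts=()):
    """Count labels across many log lines."""
    return Counter(classify(line, own_hosts)[0] for line in lines)

# Entries quoted in the thread, rejoined onto single lines (agent shortened).
SAMPLE = [
    r'124.226.181.80 - - [09/Mar/2011:09:49:58 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 301 294 "-" "Mozilla/4.0"',
    r'123.10.97.102 - - [09/Mar/2011:09:50:01 -0500] "GET http://makeabank.com/faq.cgi HTTP/1.0" 404 3485 "-" "Mozilla/4.0"',
    r'188.134.62.20 - - [09/Mar/2011:12:15:04 -0500] "GET http://images.google.com/ HTTP/1.1" 200 13134 "-" "-"',
    r'218.172.209.123 - - [09/Mar/2011:15:38:29 -0500] "\x16\x03\x01" 200 13107 "-" "-"',
    r'168.216.29.89 - - [09/Mar/2011:08:49:15 -0500] "GET /index.php?domain=fixitbot&tld=com&lookup=%3E%3E HTTP/1.1" 200 5413 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line.split(" ")[0], classify(line))
```

For the proxy-probe-2xx case, the byte count in the log can be compared with the size of the server's own default page to see which content was actually returned.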