  1. #1
    Join Date
    May 2003
    Location
    Bayreuth, Bavaria, Germany
    Posts
    175

    75% of Hits with Windows 98?!

    Hi,

    On the virtual host that acts as the default vhost (no real content there), 75% of the hits are in this style:
    <random (?) ip> [timestamp] GET / HTTP/1.1 200 326 Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

    Does anyone have an idea what this could mean?
    I don't think there are that many Windows 98 clients out there!
    Some of the IPs might also be spoofed (whois <ip> doesn't return a result).
    This started sometime in February! Before that it was quite calm (some bogus requests from Code Red, etc.)

    I have absolutely no clue what this could mean!
    Especially those requests from IPs that "don't exist" in the RIPE DB are quite useless, since the client wouldn't get the result of the request ...


    Michael

  2. #2
    Join Date
    Mar 2004
    Location
    Birmingham, UK
    Posts
    168
    It could also be in the ARIN or APNIC database.

  3. #3
    Join Date
    May 2003
    Location
    Bayreuth, Bavaria, Germany
    Posts
    175
    Well, as far as I know, the "whois" tool under Linux (Debian woody) also returns results from them.
    That's also just a less important question.

    What might be interesting: on another server, where a production website is the default vhost, those "Win98" requests are also there, and they don't fetch images from that website (simply "GET /" and nothing else)!

    So I don't think that these are really real requests. If I had to guess, I would say that these are scanners of some kind (they could also be robots/crawlers, but there are many dialup hosts with those requests) ... or even worms or zombies ...


    Michael

  4. #4
    Join Date
    Mar 2003
    Posts
    345
    How can you log that? I don't see it in my Apache log

  5. #5
    Join Date
    May 2003
    Location
    Bayreuth, Bavaria, Germany
    Posts
    175
    Originally posted by kapot
    How can you log that? I don't see it in my Apache log
    What do you mean? The agent string? Then you have probably configured the "common" logging format. If you change that to "combined", then you will also see the types of clients accessing your website.
    Have a look at http://httpd.apache.org/docs/logs.html


    Michael
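
The check described in posts #3 and #5, as an added example that is not part of the original thread: it parses Apache "combined" log lines and flags any user agent that makes up a large share of hits while every client sending it requested only `/`. The sample lines, the `ExampleBrowser/1.0` agent, the 50% threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

W98 = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"  # agent string from the thread
BROWSER = "ExampleBrowser/1.0"                           # constructed

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    f'{ip} - - [12/Mar/2004:10:00:00 +0100] "GET / HTTP/1.1" 200 326 "-" "{W98}"'
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.4",
               "198.51.100.200", "203.0.113.9", "203.0.113.31")
] + [
    f'192.0.2.50 - - [12/Mar/2004:10:00:05 +0100] "GET / HTTP/1.1" 200 326 "-" "{BROWSER}"',
    f'192.0.2.50 - - [12/Mar/2004:10:00:06 +0100] "GET /logo.png HTTP/1.1" 200 1500 "-" "{BROWSER}"',
    '192.0.2.51 - - [12/Mar/2004:10:00:07 +0100] "GET / HTTP/1.1" 200 326',  # "common" format
]

def summarize(lines):
    """Return ({agent: stats}, skipped); skipped counts lines without an agent field."""
    paths = defaultdict(set)  # (host, agent) -> set of paths that client requested
    hits = defaultdict(int)   # agent -> number of requests
    skipped = 0
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            skipped += 1      # e.g. "common" format, which does not log the agent
            continue
        hits[m["agent"]] += 1
        paths[(m["host"], m["agent"])].add(m["path"])
    total = sum(hits.values())
    report = {}
    for agent, n in hits.items():
        clients = [p for (_, a), p in paths.items() if a == agent]
        report[agent] = {"share": n / total, "clients": len(clients),
                         "root_only": sum(1 for p in clients if p == {"/"})}
    return report, skipped

def suspicious(report, min_share=0.5):
    """Agents with a large share of hits whose clients all fetched only "/"."""
    return [a for a, s in report.items()
            if s["share"] >= min_share and s["root_only"] == s["clients"]]

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE)
    print(suspicious(report), f"{skipped} line(s) had no agent field")
```

A non-zero skipped count on a real log usually means the vhost is still writing the "common" format, so the agent-based check has nothing to work with.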

  6. #6
    Join Date
    Feb 2003
    Location
    CT
    Posts
    481

  7. #7
    Join Date
    May 2003
    Location
    Bayreuth, Bavaria, Germany
    Posts
    175
    Yep, this is it.
    Thanks for the hint.


    Michael
