on the virtual host that acts as default vhost (no real content there) are 75% in this style:
<random (?) ip> [timestamp] GET / HTTP/1.1 200 326 Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Has anyone an idea what this could mean?
I don't think there are that many Windows 98 clients out there!
Some of the IPs might also be spoofed (whois <ip> doesn't return a result).
This started sometime in February! Before that it was quite calm (some bogus requests from Code Red, etc.)
I have absolutely no clue what this could mean!
Especially those requests from IPs that "don't exist" in the RIPE DB are quite useless, since the client wouldn't get the result of the request ...
Well, as far as I know, the "whois" tool under Linux (Debian woody) also returns results for them.
That's also just a less important question.
What might be interesting: on another server, where a production website is the default vhost, those "Win98" requests are also there, and they don't fetch images of that website (simply "GET /" and nothing else)!
So I don't think that these really are real requests. If I had to guess, I would say that these are scanners in some way (it could also be robots/crawlers, but there are many dialup hosts with those requests) ... or even worms or zombies ...
Originally posted by kapot: How can you log that? I don't see it in my Apache log
What do you mean? The agent string? Then you probably have configured the "common" logging format. If you change that to "combined", then you will also see the types of clients accessing your website.
Have a look at http://httpd.apache.org/docs/logs.html
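An added example, not part of the original thread: a small Python check over Apache "combined" format lines that lists the clients sending the User-Agent quoted above whose only request is "GET /" (no images or other assets), and the share of requests carrying that agent. The sample log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined": host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# User-Agent string quoted in the thread
SUSPECT_AGENT = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2003:10:01:02 +0100] "GET / HTTP/1.1" 200 326 "-" "' + SUSPECT_AGENT + '"',
    '198.51.100.7 - - [12/Mar/2003:10:03:40 +0100] "GET / HTTP/1.1" 200 326 "-" "' + SUSPECT_AGENT + '"',
    '203.0.113.5 - - [12/Mar/2003:10:05:11 +0100] "GET / HTTP/1.1" 200 5120 "-" "' + SUSPECT_AGENT + '"',
    '203.0.113.5 - - [12/Mar/2003:10:05:12 +0100] "GET /logo.gif HTTP/1.1" 200 2048 "http://www.example.com/" "' + SUSPECT_AGENT + '"',
    '192.0.2.44 - - [12/Mar/2003:10:07:00 +0100] "GET / HTTP/1.0" 200 326 "-" "Wget/1.8.1"',
    '192.0.2.99 - - [12/Mar/2003:10:08:00 +0100] "GET / HTTP/1.1" 200 326',  # "common" format: no agent
]

def parse(lines):
    """Yield (ip, path, agent) for each combined-format line; skip anything else."""
    for line in lines:
        m = COMBINED.match(line)
        if m:
            yield m["ip"], m["path"], m["agent"]

def root_only_clients(lines, agent=SUSPECT_AGENT):
    """Sorted IPs that sent `agent` and never requested any path other than "/"."""
    paths, agents = defaultdict(set), defaultdict(set)
    for ip, path, ua in parse(lines):
        paths[ip].add(path)
        agents[ip].add(ua)
    return sorted(ip for ip in paths if paths[ip] == {"/"} and agent in agents[ip])

def agent_share(lines, agent=SUSPECT_AGENT):
    """Fraction of parseable requests that carry `agent`."""
    uas = [ua for _, _, ua in parse(lines)]
    return uas.count(agent) / len(uas) if uas else 0.0

if __name__ == "__main__":
    print("root-only clients:", root_only_clients(SAMPLE))
    print("share of requests with suspect agent: %.0f%%" % (100 * agent_share(SAMPLE)))
```

Lines logged in "common" format carry no agent field and are skipped, so the check only works once logging is switched to "combined".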