  1. #1

    Unusual access_log entries

    I am seeing more and more of this type of scan in my server access_logs:

    218.5.79.85 - - [06/Sep/2002:15:02:23 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:02:23 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:02:23 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:02:23 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:04:59 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:00 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:01 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:01 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:02 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:02 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:02 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:02 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:03 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:04 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
    218.5.79.85 - - [06/Sep/2002:15:05:05 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673

    I do not host pchome.net and the originating IP (if not spoofed) originates in Asia. Any idea how this person is able to retrieve this website through my server?

  2. #2
    It is trivial for anybody to access your server using any hostname they want; all they need to do is make an entry in their local hosts file which will associate (point) the domain name (in this case www.pchome.net) with one of your IP addresses. You don't need to have the server configured for that name in particular, just have it so that it will answer requests on that IP address, and your server will serve up the default site for that IP.

    Another possibility is that they have the DNS for www.pchome.net (if they have authority over that domain) pointing to your IP address, often referred to as third-party DNS.

  3. #3
    Originally posted by elsmore1
    It is trivial for anybody to access your server using any hostname they want; all they need to do is make an entry in their local hosts file which will associate (point) the domain name (in this case www.pchome.net) with one of your IP addresses. You don't need to have the server configured for that name in particular, just have it so that it will answer requests on that IP address, and your server will serve up the default site for that IP.

    Another possibility is that they have the DNS for www.pchome.net (if they have authority over that domain) pointing to your IP address, often referred to as third-party DNS.
    Thanks for your reply. So if I see the same scan in the access_log for every domain on one server then this person could possibly have associated an entire C block of IP addresses with this one domain name? What would be the purpose of this type of scan (which was much longer than what I posted here)?

  4. #4
    Another thought to this might be that it's an honest mistake (??). Perhaps if this is an individual who owns pchome.net, or the individual who owns pchome.net has mistakenly mistyped a number or something of the like in httpd.conf. It happens.

    Here's what I mean:
    <Virtualhost 1.2.3.4>
    was perhaps misconfigured as
    <Virtualhost 4.3.2.1>
    You get the idea. That would send all HTTP queries for mydomain.com to 4.3.2.1 when they should be sent to 1.2.3.4.

    That seems like it's possibly the problem, though I've not seen logs other than what you've shown.

    Have you done a whois on pchome.net, and tried contacting their administration about this?

  5. #5
    Originally posted by wolfstream
    Another thought to this might be that it's an honest mistake (??). Perhaps if this is an individual who owns pchome.net, or the individual who owns pchome.net has mistakenly mistyped a number or something of the like in httpd.conf. It happens.

    Here's what I mean:
    <Virtualhost 1.2.3.4>
    was perhaps misconfigured as
    <Virtualhost 4.3.2.1>
    You get the idea. That would send all HTTP queries for mydomain.com to 4.3.2.1 when they should be sent to 1.2.3.4.

    That seems like it's possibly the problem, though I've not seen logs other than what you've shown.

    Have you done a whois on pchome.net, and tried contacting their administration about this?
    pchome.net is the domain in this example; other scans were for

    rambler.ru:
    nasla.yonsei.ac.kr - - [31/Aug/2002:15:10:41 -0400] "GET http://www.rambler.ru/ HTTP/1.0" 200 2673

    and yahoo.com:
    61.177.74.130 - - [28/Aug/2002:20:08:57 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 200 4650 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
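As an added defender's example (not code from anyone in this thread): every request line quoted above carries an absolute URI as its request-target, which is the form a client uses when it believes it is talking to a forward proxy, and this Python flags such lines in an Apache common/combined access_log and groups them per client. The OWN_HOSTS names are placeholders for the sites the server really serves, and the sample log is constructed from the lines posted here plus one ordinary request.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Apache common/combined format; referer and agent are optional so both line styles in the thread parse.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Hostnames this server legitimately serves (assumption: placeholder values).
OWN_HOSTS = {"www.example.org", "example.org"}

def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_proxy_probe(entry, own_hosts=OWN_HOSTS):
    """True when the request-target is an absolute URI (the form a forward
    proxy expects) whose host is not one of the sites this server owns."""
    target = entry["target"]
    if not target.startswith(("http://", "https://")):
        return False
    return (urlsplit(target).hostname or "") not in own_hosts

def summarize(lines, own_hosts=OWN_HOSTS):
    """Per client: proxy-style request count, foreign hosts, and how many got a 200."""
    stats = defaultdict(lambda: {"requests": 0, "hosts": set(), "served_200": 0})
    for line in lines:
        e = parse_line(line)
        if e is None or not is_proxy_probe(e, own_hosts):
            continue
        s = stats[e["client"]]
        s["requests"] += 1
        s["hosts"].add(urlsplit(e["target"]).hostname)
        if e["status"] == "200":  # answered with a body instead of being refused
            s["served_200"] += 1
    return dict(stats)

# Constructed sample modelled on the lines quoted in this thread, plus one
# ordinary relative-path request that must not be flagged.
SAMPLE_LOG = """\
218.5.79.85 - - [06/Sep/2002:15:02:23 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
218.5.79.85 - - [06/Sep/2002:15:04:58 -0400] "GET http://www.pchome.net/ HTTP/1.1" 200 2673
nasla.yonsei.ac.kr - - [31/Aug/2002:15:10:41 -0400] "GET http://www.rambler.ru/ HTTP/1.0" 200 2673
61.177.74.130 - - [28/Aug/2002:20:08:57 -0400] "GET http://www.yahoo.com/ HTTP/1.1" 200 4650 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
192.0.2.10 - - [06/Sep/2002:15:06:00 -0400] "GET /index.html HTTP/1.1" 200 2673
""".splitlines()
```

A client whose served_200 count is non-zero got a real page back for a foreign host, which is what the "200 2673" in the posted lines shows; clients with only non-2xx results were refused.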
