
Why are nonexistent files listed in the TRANSFER log?

@BetL925

Posted in: #Logging #WebCrawlers

This snippet from my apache log reflects some piece of malware casually browsing through my site for some unknown purpose.

The most puzzling thing to me is that the GET address doesn't correspond to anything that exists, so how is this in the transfer log and not the error log?

Aside from that, what agent is doing this, and why?

60.169.78.42 - - [29/Sep/2011:18:49:53 -0500] "GET /wp-admin/post-new.php HTTP/1.0" 404 301 "http://www.boardspace.net/cgi-bin/login.cgi$kx_http_post$cookie=on&language=&password=super123&pname=biffarcarm" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:53 -0500] "GET /member/manage_blog.php?tab=add HTTP/1.0" 404 302 "http://www.boardspace.net/wp-admin/post-new.php" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:54 -0500] "GET /profile_blog_new.php HTTP/1.0" 404 300 "http://www.boardspace.net/member/manage_blog.php?tab=add" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:55 -0500] "GET /account/submit/add-blog/ HTTP/1.0" 404 304 "http://www.boardspace.net/profile_blog_new.php" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:55 -0500] "GET /blogs.php?action=new_post HTTP/1.0" 404 289 "http://www.boardspace.net/account/submit/add-blog/" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:56 -0500] "GET /blogs/my_page/add/ HTTP/1.0" 404 298 "http://www.boardspace.net/blogs.php?action=new_post" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:56 -0500] "GET /blogs.php?action=write HTTP/1.0" 404 289 "http://www.boardspace.net/blogs/my_page/add/" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:57 -0500] "GET /my_blogs&action=add HTTP/1.0" 404 303 "http://www.boardspace.net/blogs.php?action=write" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
66.251.84.28 - - [29/Sep/2011:18:49:56 -0500] "GET /cgi-bin/login.cgi?pname=DrRaven&language=english HTTP/1.1" 200 21878 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; CMNTDF; InfoPath.2)"
60.169.78.42 - - [29/Sep/2011:18:49:57 -0500] "GET /index.php?do=/blog/add/ HTTP/1.0" 404 289 "http://www.boardspace.net/my_blogs&action=add" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:58 -0500] "GET /blog_edit.php HTTP/1.0" 404 293 "http://www.boardspace.net/index.php?do=/blog/add/" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
60.169.78.42 - - [29/Sep/2011:18:49:58 -0500] "GET /manager/add_entry.php HTTP/1.0" 404 301 "http://www.boardspace.net/blog_edit.php" "Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"


@Gretchen104

The transfer log is a log of requests, and even though there were no files (which is why there's a 404) they still get logged.

It looks like a bot trying to find a vulnerability in your site using known loopholes.

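As an added example (not part of either post above), one way to pick this kind of client out of an Apache combined-format access log: count the distinct URLs each client received a 404 for, and count requests whose Referer names a URL that same client had already been told does not exist, which is the chained pattern visible in the question's log. The function name, the threshold of 3 and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def find_probers(lines, min_distinct_404=3):
    """Return {ip: summary} for clients that requested many distinct missing URLs."""
    stats = defaultdict(lambda: {"total": 0, "missing": set(), "chained": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        s = stats[m["ip"]]
        s["total"] += 1
        ref = urlsplit(m["referer"])
        ref_target = ref.path + ("?" + ref.query if ref.query else "")
        # Referer names a URL this client already got a 404 for: a scripted chain.
        if ref_target in s["missing"]:
            s["chained"] += 1
        if m["status"] == "404":
            s["missing"].add(m["target"])
    return {
        ip: {"requests": s["total"], "distinct_404": len(s["missing"]),
             "chained_referers": s["chained"]}
        for ip, s in stats.items()
        if len(s["missing"]) >= min_distinct_404
    }

# Constructed sample lines (documentation IP ranges, example.com), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [29/Sep/2011:18:49:53 -0500] "GET /wp-admin/post-new.php HTTP/1.0" 404 301 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Sep/2011:18:49:54 -0500] "GET /blog_edit.php HTTP/1.0" 404 293 "http://www.example.com/wp-admin/post-new.php" "Mozilla/5.0"',
    '198.51.100.20 - - [29/Sep/2011:18:49:54 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [29/Sep/2011:18:49:55 -0500] "GET /blogs.php?action=write HTTP/1.0" 404 289 "http://www.example.com/blog_edit.php" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Sep/2011:18:49:56 -0500] "GET /manager/add_entry.php HTTP/1.0" 404 301 "http://www.example.com/blogs.php?action=write" "Mozilla/5.0"',
    '198.51.100.20 - - [29/Sep/2011:18:49:57 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "http://www.example.com/index.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, info in find_probers(SAMPLE).items():
        print(ip, info)
```

A visitor who hits one missing file, like the second client in the sample, stays under the threshold; only the client walking a list of blog-posting URLs is reported.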