Odd entries in Apache Logs Odd entries in Apache Logs
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Odd entries in Apache Logs

Started by tomrock, July 04, 2005, 05:26:25 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

tomrock

July 04, 2005, 05:26:25 PM Last Edit: July 05, 2005, 08:14:13 AM by GauGau
I don't know if this is a Coppermine issue at all, but I'm getting some odd entries in my Apache logs.

Normally, when someone looks at a picture I see something like GET /displayimage.php?album=2&pos=12

However, there's one user where I see GET /login.php?referer=/login.php?referer=/login.php?referer=/displayimage.php?pos=-549

The login.php?referer will repeat more and more. The most I've seen is 11 repeats.

Is this user doing something wrong? Am I?

My concern is because this generates a huge number of hits to my server and causes a counter I use to reset itself.

Is there something I should do about this?

Thanks,
Tom

OmegaGOD

#1
July 04, 2005, 08:47:31 PM
Is there a referring page to this URL in your Apache log file? Since it's only coming for 'one' user, I am assuming he/she is being a little malicious. If there is no referring page, then you may just want to block his IP address. (Assuming he has a static IP)
Please do not PM me with support questions. Please read the manual and then if posting questions please place them in the proper sub-boards.

tomrock

#2
July 04, 2005, 10:20:07 PM
I had to go to apache.org and read about the log files.

It's always GET /login.php?referer=/login.php?referer=/login.php?referer= and so on up to 11 times followed by an actual image they're looking for (such as displayimage.php?pos=-153), then 200 (which I understand means success), then a number which is larger than other hits, then the exact same thing again (same number of login.php's and the same image reference) followed by their browser.

So, to answer your question, the referer is the same as the page they're looking at.

Thanks for giving me any insight,
Tom

kegobeer

#3
July 04, 2005, 10:30:16 PM
I would block that IP address - that smells like a malicious attack.  You can set up a htaccess file to route requests from that IP address to another URL.

Here's one I've used in the past:

Code Select
Options +FollowSymlinks
RewriteEngine On
RewriteBase /

order allow,deny
deny from 200
deny from 145.24.132.250
deny from 205.218.64.8
deny from 168.234.198.7
allow from all

RewriteCond %{HTTP_USER_AGENT} Simple
RewriteRule .* http://www.urbandictionary.com/define.php?term=script+kiddie [F,L]

RewriteRule /modules(.*) http://www.urbandictionary.com/define.php?term=script+kiddie [R]

ErrorDocument 403 http://www.urbandictionary.com/define.php?term=script+kiddie

A nice reroute to the definition of a script kiddie.  You can set up a static html page on a free server, like geocities or yahoo, with instructions to contact you if they've feel they should have access to your site.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

tomrock

#4
July 04, 2005, 11:51:29 PM
Thank you. I've blocked the ip where they were.
Print
Go Up Pages1
User actions