Security Incidents mailing list archives
is this a recon, or just some browser weirdness?
From: Kirby Angell <kangell () alertra com>
Date: Wed, 17 Nov 2004 20:30:30 -0600
My web logfile has these strange entries coming from the same IP address, all relatively close together, but not so close that it looks automated:

    GET /spotcheckframe.php?device_id=557202&cnt=8
    HEAD /spotcheck.php
    GET /spotcheck.php_files/header_top.jpeg
    GET /
    POST /login.php
    GET /index.html
    GET /reportspec.php
    GET /reportspec.php_files/header_top.jpeg
    GET /viewdevices.php
    GET /viewdevices.php_files/header_top.jpeg

This is the browser ID:

    "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7) Gecko/20040803 Firefox/0.9.3"

Things I don't get:

1) Why the "HEAD" request for the page you just got the full version of (a page that they requested several times before)?

2) Why request "/" and then "/index.html"? They would have had to manually type "/index.html", there isn't a link to it on our site I don't think.

3) What is with the mangled file names right after the correct name is requested (e.g. "reportspec.php" followed by "reportspec.php_files/header_top.jpeg")?

4) Where did "header_top.jpeg" come from anyway, the file on our server is ".jpg", not ".jpeg"?

5) What is the "ru-RU" add-in for FireFox?

If anyone can shed some light on this I would appreciate it.

--
Thank you,
Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
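An added example, not part of the original post: a small triage script that pulls three of the request patterns questioned above (a HEAD for a page already fetched, "<page>_files/" sub-paths, "/index.html" after "/") out of an access log, per client. It only surfaces the patterns and does not judge whether the traffic is benign. Assumptions: combined log format, a documentation-range IP, constructed timestamps and status codes, one constructed earlier GET for /spotcheck.php, and hypothetical function names.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format. The request lines and user agent
# come from the post; the IP (documentation range), timestamps, status codes
# and sizes are made up, as is the first GET /spotcheck.php line.
UA = '"Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7) Gecko/20040803 Firefox/0.9.3"'
REQUESTS = [
    "GET /spotcheck.php", "GET /spotcheckframe.php?device_id=557202&cnt=8",
    "HEAD /spotcheck.php", "GET /spotcheck.php_files/header_top.jpeg",
    "GET /", "POST /login.php", "GET /index.html", "GET /reportspec.php",
    "GET /reportspec.php_files/header_top.jpeg", "GET /viewdevices.php",
    "GET /viewdevices.php_files/header_top.jpeg",
]
SAMPLE_LOG = "\n".join(
    f'192.0.2.10 - - [17/Nov/2004:20:{i:02d}:00 -0600] "{r} HTTP/1.1" 200 512 "-" {UA}'
    for i, r in enumerate(REQUESTS)
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')
FILES_RE = re.compile(r'^(/.+?)_files/')   # "/page.php_files/..." -> "/page.php"

def parse(log_text):
    """Yield (client, method, path-without-query) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).split("?", 1)[0]

def flag_oddities(log_text):
    """Return (client, kind, path) tuples for the patterns questioned in the post."""
    seen = defaultdict(set)   # client -> paths already fetched with GET
    findings = []
    for client, method, path in parse(log_text):
        m = FILES_RE.match(path)
        if method == "HEAD" and path in seen[client]:
            findings.append((client, "head-after-get", path))
        elif m and m.group(1) in seen[client]:
            findings.append((client, "page_files-subpath", path))
        elif path == "/index.html" and "/" in seen[client]:
            findings.append((client, "index-after-root", path))
        if method == "GET":
            seen[client].add(path)
    return findings

if __name__ == "__main__":
    for finding in flag_oddities(SAMPLE_LOG):
        print(*finding)
```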
Current thread:
- is this a recon, or just some browser weirdness? Kirby Angell (Nov 18)
- Re: is this a recon, or just some browser weirdness? Martin Mačok (Nov 19)
- <Possible follow-ups>
- RE: is this a recon, or just some browser weirdness? Steven Trewick (Nov 18)
- RE: is this a recon, or just some browser weirdness? Robert Moss (Nov 18)