Posted to users@httpd.apache.org by Julian Grunnell <jg...@firstnet.net.uk> on 2003/04/23 16:02:00 UTC

[users@httpd] Strange access log entries

Hi - could someone please help me with some log entries I'm getting. I
think I know why they are occurring - would just like this confirming.

Platform:
Sun Solaris running Apache 1.3.26.
Hundreds of sites hosted using mod_rewrite.

** Snip from access log file **
203.14.169.18 203.14.169.18 - - [23/Apr/2003:11:44:56 +0100] "GET
/cgi-bin/FormMail.pl?email=rockstar@mail.com&realname=rockstar@mail.com&
recipient=scman128@hotmail.com&subject=www.bbn.co.uk/cgi-bin/FormMail.pl
HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)"
203.14.169.18 203.14.169.18 - - [23/Apr/2003:11:44:56 +0100] "GET
/cgi-bin/formmail.pl?email=rockstar@mail.com&realname=rockstar@mail.com&
recipient=scman128@hotmail.com&subject=www.bbn.co.uk/cgi-bin/formmail.pl
HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)"

Log format:
LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-agent}i\""

UseCanonicalName OFF

-----------------------------------

It's the 1st field in the access log file that I am interested in; it is
the same as the 2nd field - the requestor IP address?? The user appears
to be trying to abuse formmail scripts. What I don't understand is why
isn't the 1st field - "the ServerName from UseCanonicalName" - being
logged? What I usually see is the domain name that is being requested
logged here.

The logging is fine 99% of the time, but I have just noticed this. As the
user is trying to abuse some formmail script, is he also trying to send
false information which is getting logged?

Thanks in advance - Julian.

Julian Grunnell
3rd Line Technical Support
E: jgrunnell@firstnet.net.uk
T: 0870 1278008 F: 0870 1278009
DDI: 0113 292 7739
http://www.firstnet.net.uk

Firstnet Services Ltd
Registered Office: Peregrine House, Gelderd Close, Leeds, LS12 6DS 
Registered in England no. 3152569

This email is subject to: http://www.firstnet.net.uk/disclaimer.html


Re: [users@httpd] Strange access log entries

Posted by Joshua Slive <jo...@slive.ca>.
[I don't think it is a good idea to cross-post to the yahoo group.  Since
the subscribers differ, that will make it difficult for people to
respond.]

On Wed, 23 Apr 2003, Julian Grunnell wrote:

> 203.14.169.18 203.14.169.18 - - [23/Apr/2003:11:44:56 +0100] "GET
> /cgi-bin/FormMail.pl?email=rockstar@mail.com&realname=rockstar@mail.com&
> recipient=scman128@hotmail.com&subject=www.bbn.co.uk/cgi-bin/FormMail.pl
> HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1)"

> LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-agent}i\""
>
> UseCanonicalName OFF
>
> -----------------------------------
>
> It's the 1st field in the access log file that I am interested in; it is
> the same as the 2nd field - the requestor IP address?? The user appears
> to be trying to abuse formmail scripts. What I don't understand is why
> isn't the 1st field - "the ServerName from UseCanonicalName" - being
> logged? What I usually see is the domain name that is being requested
> logged here.

Since you have "UseCanonicalName Off", apache considers the servername to
be whatever name the client supplied in the Host: HTTP request header.
Obviously, this client is supplying its own IP address in this header,
probably for some nefarious reason or other.

If you want to be able to trust that first field, you should use %v rather
than %V.

Joshua.
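As an added example (not part of this thread or of Apache), a small Python checker for the LogFormat quoted above: with "UseCanonicalName Off" the %V field is whatever Host: header the client sent, so this flags entries whose first field is not one of the names the server really hosts. The log lines and hostnames are constructed.

```python
import ipaddress
import re

# Constructed sample lines in the thread's LogFormat:
#   "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
# With UseCanonicalName Off, %V is the client-supplied Host: header, so it is untrusted.
SAMPLE_LOG = """\
203.14.169.18 203.14.169.18 - - [23/Apr/2003:11:44:56 +0100] "GET /cgi-bin/FormMail.pl?email=a@b.c HTTP/1.1" 404 295 "-" "Mozilla/4.0"
www.example.test 198.51.100.7 - - [23/Apr/2003:11:45:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
evil.example.invalid 203.0.113.9 - - [23/Apr/2003:11:45:09 +0100] "GET / HTTP/1.1" 404 295 "-" "curl/7.0"
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def is_ip_literal(value):
    # True if the Host: value is a bare IPv4/IPv6 address rather than a hostname.
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious_vhosts(log_text, known_vhosts):
    # known_vhosts: lowercase set of names this server actually serves (constructed here).
    # Returns (line_no, vhost, client, reason) for entries whose %V field is not one of them.
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, None, None, "unparseable line"))
            continue
        v = rec["vhost"].lower()
        if v in known_vhosts:
            continue
        if v == rec["client"]:
            reason = "Host header equals client IP"
        elif is_ip_literal(v):
            reason = "Host header is an IP literal"
        else:
            reason = "Host header not a hosted name"
        findings.append((n, rec["vhost"], rec["client"], reason))
    return findings
```

Entries that are flagged are the ones where trusting %V would mislead; switching the format to %v, as the reply suggests, records the canonical ServerName instead.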
