Re: apache access.log strange entry
Originally Posted by
SlugSlug
So would they be somehow spoofing referrer's to climb search engine ranks?
That seems likely, at least to me. On my site, and for several months now, I have been having troubles with forged referrer's. 95% of the issue is from Russia, Ukraine, and Romania. Since I don't care about possible collateral dammage (i.e. blocking an innocent party), I am now blocking some large IP address blocks from these areas. After some study of access logs, a tell tale signature became apparent: Always the same page; Always the same number of bytes in the response, and not typical for a real "GET"; Never gets favicon.ico; Never gets related .css file; Never gets embedded .png files. What I don't understand with this one, is why they bother, as I do not publish access data and such. However, I have published segments before, when writing up some investigation or other.
As a slight digression, I have another type of similar access issue, always for the same (but a different one than the above) web page, but the forged referrer is my own site (a page that does not link to the one in question). Other tell tale signature stuff is the same. So, again, why bother? What is the point? For this case, in my tcpdump logs, I did notice they were doing some odd stuff at the packet level with the TCP session, with new SYN packets and RST packets sort of jammed into the normal flow.
Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.
Bookmarks