I have huge 1 GB log file. As I know, it shows errors in my site. But I absolutely don't get it.
I have lots of rows like this:
8x.xxx.45.10x (my ip) - - [04/Feb/2011:09:59:48 -0500] "GET /post?slaps=bbrfd HTTP/1.1" 404 278 "http://mywebsite.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.86 Safari/534.13"
What does it mean?
Thank you very much.
That entry indicates that a request for /post?slaps=bbrfd on your site was not found (404). The request came from your IP, transferred 278 bytes of data (the 404 error page's contents). The link that couldn't be found was clicked on mywebsite.com, and the rest is how the browser identified itself. The two dashes are for "remote username", and "username as logged into the site". The remote username is VERY rarely present, as it requires the remote site running identd and would slow down your site massively.
Looks like an access log file from Apache. Nothing to do with PHP or MySQL. Looks the user got a 404 page when trying to access /post?slaps=bbrfd
This would suggest the URL does not exist.
Related
We are seeing random letters appear in access logs. The requests 404 since the content does not exist. The requests are made by a variety of users and other requests from the same ip usually look genuine. There is no way to request these from the site. Some of these requests even appear from internal traffic on our network.
Example:
157.203.177.191 - - [04/Feb/2018:23:51:20 +0000] "GET /VLTRP/content/dam/example/dotcom/images/ABtest/existing-customer-thumb.jpg HTTP/1.1" 404 60294 39082 "http://www.example.com/shop.html" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 2
Without the /VLTRP this is a genuine request. Has anyone seen something similar before?
For info we are running Apache/2.2.15 (Unix) with ModSec enabled. We do see similar behaviour on another site where we do not have ModSec configured. We see similar requests for internal, external and bot traffic.
I'm monitoring my website with apache log and i saw some stranges requests, see:
51.255.65.74 - - [28/May/2016:11:48:02 -0300] "GET /insert/xahanave.html HTTP/1.1" 404 1035 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)"
207.46.13.128 - - [28/May/2016:11:49:13 -0300] "GET / HTTP/1.1" 200 14188 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
66.249.64.87 - - [28/May/2016:11:49:32 -0300] "GET /css/kin8tengoku-1144-may.html HTTP/1.1" 404 1039 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Well, my FTP don't have the folder "/insert/xanahave", neither file 'kin8tengoku' in folder css. Is it possibile make a request to a non existen file/folder ?
Important: Some days ago my site was hacked and a "insert" folder was created without permission in FTP, but now everything was clean and folder "insert" don't exist anymore. My big question is, why requests to this folder continue ?
Because the files were picked up by Ahrefs, Bing search engine and Google search engine when they were up and they periodically recheck files to see if there are any changes. This is how Google and the like return up to date information on your site.
You can see it's these companies from the user agent sent (at the end of each line). Now some, more nefarious bots, sometimes pretend to be GoogleBot but a quick Google of these IP addresses show these to be legitimate ones.
As you can see your server correctly responds with a 404 (page not found status) and, providing there are no links to them, then these companies will eventually take the hint and drop them from their index and stop requesting them. Can take a month or two. They don't do this immediately in case the 404 is an error because you accidentally removed the page or similar.
I moved my ModX website from localhost to a development server.
I updated the paths in my config files it seems to be doing fine, the frontend is working properly.
Only issue, when trying to load the manager at http://dev.noculture.asia/manager/, there is a request to connectors/lang.js.php: http://dev.noculture.asia/connectors/lang.js.php?ctx=mgr&topic=topmenu,file,resource,welcome,configcheck&action=
This request returns a 401 Unauthorized error and I have no idea why.
The logs aren't helpful at all:
Modx doesn't log any error, so I am guessing that means the error comes from Apache.
Apache error.log is empty, access.log only tells:
[11/Feb/2014:21:41:10 -0800] "GET /connectors/lang.js.php?ctx=mgr&topic=topmenu,file,resource,welcome,configcheck&action= HTTP/1.1" 401 391 "http://dev.noculture.asia/manager/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.102 Chrome/32.0.1700.102 Safari/537.36"
Any suggestion how to fix this?
I realized that a 401 error is related to authentication.
I deleted the cookie for this domain, which destroyed my session. I was asked to login again, and now the manager is working properly.
This is an addition to: Understanding Apache's access log
I have an Apache log file with the following (this is from an example data set on the Splunk website):
178.19.3.35 - - [19/Oct/2013:15:23:00] "GET /flower_store/product.screen?product_id=FL-DLH-02 HTTP/1.1" 200 10582 "http://mystore.splunk.com/flower_store/category.screen?category_id=CANDY&JSESSIONID=SD3SL8FF9ADFF9" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 2258 3329
What is not explained in the above post or in the Apache log help is the 2258 3329 at the very end of this block. What do those numbers mean?
Log file format can be customized in almost any way, so the only way to be sure what those numbers might mean is to check the server configuration.
Open httpd.conf
Find LogFormat
Check Format Strings for the meaning
We have a servlet hosted on jboss which works on HttpServletRequest. But sometimes we receieve requests that do not get decoded by jboss, and when we do getQueryParam on HttpServletRequest, we get null. The jboss access log shows the url in encoded form. Normally, when everything works smooth, url is shown decoded in access log.
e.g.:
This was a problematic request:
127.0.0.1 [13/Apr/2009:14:18:53 +0000] GET /redirectService//%3Fclient_id=3&redirect_url=http%253A%252F%252Fwww.amazon.de%252Fgp%252Fsearch%253Fie%253DUTF8%2526keywords%253DMicrosoft+Office+2007%2526search-alias%253Dsoftware%2526 HTTP/1.1 'null' 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12)'
This was a proper request:
127.0.0.1 [13/Apr/2009:14:19:37 +0000] GET /redirectService//?client_id=3&redirect_url=http%3A%2F%2Fwww.amazon.de%2Fgp%2Fsearch%3Fie%3DUTF8%26keywords%3DMAGIX+Video+deluxe+2008%26search-alias%3Dsoftware%26 HTTP/1.1 'http://www.google.de/search?hl=de&q=magix+video+deluxe+2008&meta=&aq=3&oq=%22magix%22' 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322)'
Could we be missing some jboss decode settings, or is it just a case of malicious user?
Hard to tell, really.
The client seems to be decoding the question mark into "%3F" but not the ampersand. Suspicious, isn't it?. This looks like a buggy client IMO. Maybe nonportable javascript, maybe some URL-rewriting bug on the web server side, or a more esoteric cause ... a malfunctioning browser plugin.
To rule out nonportable javascript, log the user-agent and compare results. To rule out url-rewriting bug, log referer.
AFAIK, the URL decoder behavior is hardcoded. The string encoding can change if uri's get written in non-ascii or non-iso88591, but that's not what you're after. What encodes question marks but fail to encode ampersands escapes me.
We logged the user-agent, it is some suspicious "XXXagentXXX" in most cases, but a genuine Mozilla (as above) in others. Referrer is "-" for all these requests. However, there is one curious thing I noticed today. We redirect our requests from apache (80) to jboss. Apache access log shows above request as completely encoded:
GET /r/%3Fclient_id%3D3%26redirect_url%3Dhttp%253A%252F%252Fwww.amazon.de%252Fgp%252Fsearch%253Fie%253DUTF8%2526keywords%253DCyberlink%2BPower%2BDirector%2526search-alias%253Dsoftware HTTP/1.0" 400 965 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10)"
while jboss access log has everything except %3F decoded. Now this makes me think apache is screwing up somewhere in the decoding?
I had problem decoding URL too with JBoss 13.
I added the last line in JBoss configuration and it works now.
/subsystem=undertow/servlet-container=default:write-attribute(name=default-encoding,value="ISO-8859-15")
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=url-charset,value="ISO-8859-15")
Doc is here if more needed : https://wildscribe.github.io/WildFly/13.0/subsystem/undertow/server/http-listener/index.html