Author Topic: Page hit statistics  (Read 6350 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Page hit statistics
« on: October 22, 2004, 12:01:12 pm »
Note that this is for every file/image/etc. that has been downloaded from my site (javaop.clan-e1.net) with a GET request on browsers that actually send a proper user-agent:

Code: [Select]
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep GET | wc -l
47220
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Windows | wc -l
21892
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Linux | wc -l
2366
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Mac | wc -l
840

This is the number of times that somebody tried to exploit a WebDAV vulnerability (more on this at the bottom):
Code: [Select]
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep SEARCH | wc -l
233

This is the number of hits from googlebot:
Code: [Select]
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep -i googlebot | wc -l
45

This is the number of hits from msnbot:
Code: [Select]
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep -i msnbot | wc -l
657

And finally, this was some very stupid person trying to get Yahoo's site from my server with a very invalid request (you would never put http:// in a GET..):
Code: [Select]
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep -i yahoo         
220.170.88.36 - - [25/Aug/2004:19:50:04 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 3429 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
220.170.88.36 - - [02/Sep/2004:18:29:56 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 5146 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
220.170.88.36 - - [01/Oct/2004:15:27:52 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 7580 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
220.170.88.36 - - [09/Oct/2004:08:45:43 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 7580 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"



The entire inspiration for doing this is that SEARCH requests, though, which were the WebDAV exploit.  For anybody who cares, this is the full request (very long):
http://javaop.clan-e1.net/tmp/shellcode

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Page hit statistics
« Reply #1 on: October 22, 2004, 02:42:59 pm »
Lmao at that shell coding newbie. :O
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline c0Ld

  • x86
  • Full Member
  • ***
  • Posts: 146
    • View Profile
Re: Page hit statistics
« Reply #2 on: October 22, 2004, 04:01:17 pm »
Quote
that actually send a proper user-agent
Quote
Lmao at that shell coding newbie. :O

Eh stop crying :P

Notice how the idiot trying to get yahoo is useing IE on windows 98...lmao, some connection there ;)

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Page hit statistics
« Reply #3 on: October 22, 2004, 06:29:19 pm »
The thing is, you should never be sending a GET for "http://...", the GET is only the page, not the full site.  So that would be like, http://javaop.clan-e1.net/http://www.yahoo.com or something stupid.

<edit> that gives me:
192.168.1.1 - - [22/Oct/2004:17:35:46 -0500] "GET /http://www.yahoo.com HTTP/1.1" 404 302 "http://ix86.cold-chaos.net/forum/index.php?topic=59.0" "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10"

Which is close..

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Page hit statistics
« Reply #4 on: October 22, 2004, 06:41:13 pm »
Lmao at that shell coding newbie. :O

I'm pretty sure it was a worm, actually, there were too many of the same request sent by different hosts.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Page hit statistics
« Reply #5 on: October 22, 2004, 06:59:01 pm »
Here's something else:

Code: [Select]
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep MSIE | wc -l
11785
iago@darkside:/usr/local/apache2/logs$ cat access_log | grep Firefox | wc -l
11930

Makes me happy :D