Re: F19: Is this an httpd attack attempt?

Allegedly, on or about 05 March 2014, lee sent:
> Could someone please explain why/how this may be considered as an
> attack or at least as something bad?

Have a look at the log line that the original poster sent:

185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"

look above here, where the carets are at the end of these hyphens ---------------------------------------------------------------------^^^

That "200" means a successful result, rather than a failure.  In other
words, what they tried to do, they did.

You'd want nefarious attempts to fail.  If it failed, there'd be a
different HTTP response code there (one of the four-hundreds or
five-hundreds, depending on whether it's a client error or a server
error).

> Someone requesting a URL from a web server that doesn't serve this
> URL --- or doesn't serve the specified domain at all --- could be
> caused by incorrect responses from name servers, couldn't it?

Not like that.  Say, for example, I try to get this page from a
website:  www.example.com/pages/test.html.  The browser will connect to
example.com (presuming that DNS is working), and then it will try to
GET /pages/test.html.  The domain name will not be in the GET request.

e.g. That log line would have looked like:

185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET /?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"

As a more normal use of a webserver.

Even requests made of virtual hosts don't put the domain name into the
GET request.  Hostnames are handled elsewhere in the connection (during
the connection, not in the request after the connection).

And even something like crap webmastering/typing, that did something
wrong like trying to connect to:

 http://www.example.com/http://www.example.com/pages/test.html

Would result in a different appearance in the log.  You'd see it
prepended with a slash, and a 404 error code instead of 200.

192.168.1.181 - - [06/Mar/2014:01:06:17 +1030] "GET /http://www.example.com/pages/test.html. HTTP/1.1" 404 407 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36"

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
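A small checker, added here as an example and not part of this thread, that applies the distinction above to Apache combined-format lines: it parses each line, flags a request line whose target is an absolute URL (the proxy form, as in the original poster's line) rather than a bare path, and reports those that got a success status. The sample lines are constructed from the two in the mail plus one ordinary request (user agents shortened); the regex and function names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
# host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the two lines from the mail plus one ordinary request.
SAMPLE_LOG = """\
185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA HTTP/1.1" 200 5264 "-" "-"
192.168.1.181 - - [06/Mar/2014:01:06:17 +1030] "GET /http://www.example.com/pages/test.html. HTTP/1.1" 404 407 "-" "Mozilla/5.0"
192.168.1.181 - - [06/Mar/2014:01:07:02 +1030] "GET /pages/test.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (kind, client_host, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, status = m.group("target"), int(m.group("status"))
    parts = urlsplit(target)
    # A normal request line carries only the path ("/pages/test.html"); the vhost
    # name travels in the Host header and never shows up here.  A target that
    # begins "http://host/..." is the proxy form of the request line.  The mistyped
    # "/http://..." case has a leading slash, so urlsplit sees no scheme for it.
    if parts.scheme and parts.netloc:
        kind = "proxy-form served" if status < 400 else "proxy-form refused"
    else:
        kind = "normal"
    return kind, m.group("host"), status


def proxy_form_served(log_text):
    """Client hosts whose proxy-form request got a success status: the lines worth a look."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] == "proxy-form served":
            hits.append(result[1])
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print("served proxy-form requests from:", proxy_form_served(SAMPLE_LOG))
```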



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
