Suspicious looking Apache log entries

linuxpyro · 04-22-2004, 08:45 PM

I recently checked my Apache access log, and found these lines:

67.21.84.213 - - [22/Apr/2004:19:19:55 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:19:56 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:19:57 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:00 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:01 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:03 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:04 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:06 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:08 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:09 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:11 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:13 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:15 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:17 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:19 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:20 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:22 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:23 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:25 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:26 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:29 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:31 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:32 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:35 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:36 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:38 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:39 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:41 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:20:51 -0700] "GET / HTTP/1.0" 200 747
67.21.84.213 - - [22/Apr/2004:19:21:49 -0700] "GET / HTTP/1.1" 200 747

I've seen this sort of thing in other places, too. It looks like the work of a script rather than a person. Is this some kind of breakin attempt? Anyone had this happen before? Interestingly, I did a lookup of the IP address, and found that it belonged to an ISP customer in my area.

markus1982 · 04-24-2004, 11:20 AM

Well from this point of view it looks like legitimate traffic (just a normal GET-REQUEST). However for further information you probably should take a look at mod_security (www.modsecurity.org) and it's logging capabilities.

linuxpyro · 04-24-2004, 08:11 PM

Ok, I'll check that out. It just seems odd though, as it occures in such rapid succession.

Inexactitude · 04-24-2004, 11:02 PM

I get similiar log entries, except it reports the operating system and browser. The operating system is always "Windows 98" and the browser is always IE 5.5. It's a little strange, but doesn't seem to have any malignant effects.

linuxpyro · 04-25-2004, 02:54 PM

Thanks, I guess it could just be some little quirk of Windoze or something. As long as it's not some script kiddie I really don't mind...