Old 07-01-2013, 04:49 PM   #1
descendant_command
gaJsHost in apache logs


I've been finding the following in my Apache logs (on a Drupal instance if it matters):
Code:
[01/Jul/2013:01:14:27 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.6.0_04"
There have also been '200' hits on pages that do contain the ga script.

Anyone in the know about googly stuff can shed any light?

It looks suspect to me, but searching has so far only shown up info on setting up GA.
 
Old 07-02-2013, 01:24 AM   #2
unSpawn
The "Java/1.6.0_04" UA tells you it's (posing as) a Java process (IIRC v1.6.0 is defunct anyway) and it's obviously a badly constructed request. Unless there's more info you haven't shared there's nothing much to say except that since it results in a 404 it's OK. BTW the fact you talk about getting 200's also but not showing any lines for comparison (same host? same UA?) doesn't help.
 
Old 07-02-2013, 05:31 AM   #3
descendant_command
Original Poster
Here is a typical session
Code:
120.28.68.216 - - [02/Jul/2013:09:08:52 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:06 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:11 +1200] "GET /login HTTP/1.1" 200 9611 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:11 +1200] "GET /misc/drupal.js HTTP/1.1" 200 6184 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:12 +1200] "GET /misc/jquery.js HTTP/1.1" 200 21308 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:12 +1200] "GET /portfolio HTTP/1.1" 200 10200 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:13 +1200] "GET /product-range HTTP/1.1" 200 10121 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:14 +1200] "GET /request-quote HTTP/1.1" 200 22582 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:15 +1200] "GET /resources HTTP/1.1" 200 8902 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:20 +1200] "GET /modules/jquery_update/collapse-fix.js HTTP/1.1" 200 1421 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:20 +1200] "GET /modules/jquery_update/compat-1.0.js HTTP/1.1" 200 2558 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:36 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:44 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:49 +1200] "GET /login HTTP/1.1" 200 9611 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:50 +1200] "GET /misc/drupal.js HTTP/1.1" 200 6184 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:50 +1200] "GET /misc/jquery.js HTTP/1.1" 200 21308 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:51 +1200] "GET /portfolio HTTP/1.1" 200 10200 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:52 +1200] "GET /product-range HTTP/1.1" 200 10121 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:54 +1200] "GET /request-quote HTTP/1.1" 200 22582 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:55 +1200] "GET /resources HTTP/1.1" 200 8902 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:07 +1200] "GET /contact HTTP/1.1" 200 9690 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:08 +1200] "GET /misc/textarea.js HTTP/1.1" 200 1596 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:09 +1200] "GET /modules/jquery_update/collapse-fix.js HTTP/1.1" 200 1420 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:09 +1200] "GET /modules/jquery_update/compat-1.0.js HTTP/1.1" 200 2558 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:10 +1200] "GET /node/1 HTTP/1.1" 301 584 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:11 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:12 +1200] "GET /node/33 HTTP/1.1" 200 9192 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:13 +1200] "GET /node/35 HTTP/1.1" 200 14359 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:15 +1200] "GET /node/10 HTTP/1.1" 301 618 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:17 +1200] "GET /node/5 HTTP/1.1" 301 603 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:19 +1200] "GET /node/7 HTTP/1.1" 301 605 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:21 +1200] "GET /node/8 HTTP/1.1" 301 597 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:26 +1200] "GET /node/9 HTTP/1.1" 301 601 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:31 +1200] "GET /login/\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8168 "-" "Java/1.7.0_17"
The source IPs I've checked seem to be consumer ranges in Europe.
It's not so different to a lot of the general "log noise" but the quoted variable in the request jumped out at me.

It gives a truckload of hits on a search, all seemingly on this block of code in the page source where gaJsHost is declared as a variable.
Code:
<div id="id4" style="height: 293px; left: 711px; position: absolute; top: 1434px; width: 274px; z-index: 1; " class="style_SkipStroke_4 shape-with-text">
              <div class="text-content graphic_textbox_layout_style_default_External_274_293" style="padding: 0px; ">
                <div class="graphic_textbox_layout_style_default">
                  <p style="padding-top: 0pt; " class="Free_Form">&lt;script type=&quot;text/javascript&quot;&gt;<br /></p>
                  <p class="Free_Form">var gaJsHost = ((&quot;https:&quot; == document.location.protocol) ? &quot;<a title="https://ssl" href="https://ssl">https://ssl</a>.&quot; : &quot;http://www.&quot;);<br /></p>
                  <p class="Free_Form">document.write(unescape(&quot;%3Cscript src='&quot; + gaJsHost + &quot;google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E&quot;));<br /></p>
                  <p class="Free_Form">&lt;/script&gt;<br /></p>
                  <p class="Free_Form">&lt;script type=&quot;text/javascript&quot;&gt;<br /></p>
                  <p class="Free_Form">try {<br /></p>
                  <p class="Free_Form">var pageTracker = _gat._getTracker(&quot;UA-10869925-1&quot;);<br /></p>
                  <p class="Free_Form">pageTracker._trackPageview();<br /></p>
                  <p style="padding-bottom: 0pt; " class="Free_Form">} catch(err) {}&lt;/script&gt;</p>
                </div>
              </div>
            </div>
Wondering if it is an attempt to misuse or exploit google-analytics in some way?
 
Old 07-04-2013, 01:15 AM   #4
unSpawn
Hmmm. See http://www.projecthoneypot.org/ip_120.28.68.216.
 
Old 07-04-2013, 01:52 AM   #5
descendant_command
Original Poster
Yeah, a couple of the other IPs I checked came up with similar results.

I added a fail2ban rule to catch requests with the variable string, but it seems to have tailed off now.

Am still curious about using the variable in the request but haven't had spare time to look into it further.

On reflection it could simply be a broken scanning script simply requesting any "links" it can parse from the page source and hitting on that line.
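
Added example, not part of the original thread and not the fail2ban rule mentioned above: a log check that flags requests whose URL still contains unevaluated JavaScript string concatenation (`" + name + "`), the pattern a scraper produces when it lifts a `src` attribute out of a `document.write` call without running the script. It also shows why the escaped `\"` in these lines breaks a naive `"[^"]*"` field match. The function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache writes a literal " inside a logged field as \" (and \ as \\), so a
# quoted field has to be matched with escapes in mind, not as "[^"]*".
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED +
                     r' (\d{3}) (\S+) ' + QUOTED + ' ' + QUOTED + '$')
# The URL itself contains spaces here, so anchor on method and protocol.
REQUEST_RE = re.compile(r'^(\S+) (.*) (HTTP/\d\.\d)$')
# Unevaluated JavaScript string concatenation left in a URL: " + name + "
JS_CONCAT_RE = re.compile(r'"\s*\+\s*[A-Za-z_$][\w$]*\s*\+\s*"')

# Constructed sample lines in the thread's log format; the client addresses
# are documentation ranges, not the ones from the thread.
SAMPLE_LOG = r'''
192.0.2.10 - - [02/Jul/2013:09:08:52 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
192.0.2.10 - - [02/Jul/2013:09:09:06 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.7.0_17"
192.0.2.10 - - [02/Jul/2013:09:09:31 +1200] "GET /login/\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8168 "-" "Java/1.7.0_17"
198.51.100.7 - - [02/Jul/2013:09:10:00 +1200] "GET /search?q=a+b HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''.strip().splitlines()

def unescape(field):
    # Undo Apache's backslash escaping of quotes and backslashes.
    return re.sub(r'\\(["\\])', r'\1', field)

def naive_request(line):
    # What a plain "[^"]*" match returns: the field is cut at the escaped quote.
    return re.search(r'"([^"]*)"', line).group(1)

def flag_js_concat(lines):
    # Per client: hit count, response statuses and user agents of flagged requests.
    report = defaultdict(lambda: {"hits": 0, "statuses": set(), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined log format
        req = REQUEST_RE.match(unescape(m.group(3)))
        if not req or not JS_CONCAT_RE.search(req.group(2)):
            continue
        entry = report[m.group(1)]
        entry["hits"] += 1
        entry["statuses"].add(int(m.group(4)))
        entry["agents"].add(unescape(m.group(7)))
    return dict(report)

if __name__ == "__main__":
    for ip, info in flag_js_concat(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["statuses"]), sorted(info["agents"]))
```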
 
Old 07-05-2013, 11:34 AM   #6
unSpawn
Quote:
Originally Posted by descendant_command
On reflection it could simply be a broken scanning script
...either way they got 404's back for nonexistent stuff (implying the scraper's engine is smart enough to back off eventually) so it's all good, right?
 
Old 07-05-2013, 08:11 PM   #7
descendant_command
Original Poster
Yep.
Satisfied it is nothing to worry about now.
 
  


All times are GMT -5. The time now is 12:42 PM.
