gaJsHost in apache logs

descendant_command · 07-01-2013, 04:49 PM

I've been finding the following in my apache logs (on a drupal instance if it matters):

Code:

[01/Jul/2013:01:14:27 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.6.0_04"

There have also been '200' hits on pages that do contain the ga script.

Anyone in the know about googly stuff can shed any light?

It looks suspect to me, but searching has so far only shown up info on setting up GA.

unSpawn · 07-02-2013, 01:24 AM

The "Java/1.6.0_04" UA tells you it's (posing as) a Java process (IIRC v1.6.0 is defunct anyway) and it's obviously a badly constructed request. Unless there's more nfo you haven't shared there's nothing much to say except that since it results in a 404 it's OK. BTW the fact you talk about getting 200's also but not showing any lines for comparison (same host? same UA?) doesn't help.

descendant_command · 07-02-2013, 05:31 AM

Here is a typical session

Code:

120.28.68.216 - - [02/Jul/2013:09:08:52 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:06 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:11 +1200] "GET /login HTTP/1.1" 200 9611 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:11 +1200] "GET /misc/drupal.js HTTP/1.1" 200 6184 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:12 +1200] "GET /misc/jquery.js HTTP/1.1" 200 21308 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:12 +1200] "GET /portfolio HTTP/1.1" 200 10200 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:13 +1200] "GET /product-range HTTP/1.1" 200 10121 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:14 +1200] "GET /request-quote HTTP/1.1" 200 22582 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:15 +1200] "GET /resources HTTP/1.1" 200 8902 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:20 +1200] "GET /modules/jquery_update/collapse-fix.js HTTP/1.1" 200 1421 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:20 +1200] "GET /modules/jquery_update/compat-1.0.js HTTP/1.1" 200 2558 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:36 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:44 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:49 +1200] "GET /login HTTP/1.1" 200 9611 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:50 +1200] "GET /misc/drupal.js HTTP/1.1" 200 6184 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:50 +1200] "GET /misc/jquery.js HTTP/1.1" 200 21308 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:51 +1200] "GET /portfolio HTTP/1.1" 200 10200 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:52 +1200] "GET /product-range HTTP/1.1" 200 10121 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:54 +1200] "GET /request-quote HTTP/1.1" 200 22582 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:55 +1200] "GET /resources HTTP/1.1" 200 8902 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:07 +1200] "GET /contact HTTP/1.1" 200 9690 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:08 +1200] "GET /misc/textarea.js HTTP/1.1" 200 1596 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:09 +1200] "GET /modules/jquery_update/collapse-fix.js HTTP/1.1" 200 1420 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:09 +1200] "GET /modules/jquery_update/compat-1.0.js HTTP/1.1" 200 2558 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:10 +1200] "GET /node/1 HTTP/1.1" 301 584 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:11 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:12 +1200] "GET /node/33 HTTP/1.1" 200 9192 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:13 +1200] "GET /node/35 HTTP/1.1" 200 14359 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:15 +1200] "GET /node/10 HTTP/1.1" 301 618 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:17 +1200] "GET /node/5 HTTP/1.1" 301 603 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:19 +1200] "GET /node/7 HTTP/1.1" 301 605 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:21 +1200] "GET /node/8 HTTP/1.1" 301 597 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:26 +1200] "GET /node/9 HTTP/1.1" 301 601 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:31 +1200] "GET /login/\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8168 "-" "Java/1.7.0_17"

The source IP's I've checked seem to be consumer ranges in europe.
It's not so different to a lot of the general "log noise" but the quoted variable in the request jumped out at me.

It gives a truckload of hits on a search, all seemingly on this block of code in the page source where gaJsHost is declared as a variable.

Code:

<div id="id4" style="height: 293px; left: 711px; position: absolute; top: 1434px; width: 274px; z-index: 1; " class="style_SkipStroke_4 shape-with-text">
              <div class="text-content graphic_textbox_layout_style_default_External_274_293" style="padding: 0px; ">
                <div class="graphic_textbox_layout_style_default">
                  <p style="padding-top: 0pt; " class="Free_Form">&lt;script type=&quot;text/javascript&quot;&gt;<br /></p>
                  <p class="Free_Form">var gaJsHost = ((&quot;https:&quot; == document.location.protocol) ? &quot;<a title="https://ssl" href="https://ssl">https://ssl</a>.&quot; : &quot;http://www.&quot;);<br /></p>
                  <p class="Free_Form">document.write(unescape(&quot;%3Cscript src='&quot; + gaJsHost + &quot;google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E&quot;));<br /></p>
                  <p class="Free_Form">&lt;/script&gt;<br /></p>
                  <p class="Free_Form">&lt;script type=&quot;text/javascript&quot;&gt;<br /></p>
                  <p class="Free_Form">try {<br /></p>
                  <p class="Free_Form">var pageTracker = _gat._getTracker(&quot;UA-10869925-1&quot;);<br /></p>
                  <p class="Free_Form">pageTracker._trackPageview();<br /></p>
                  <p style="padding-bottom: 0pt; " class="Free_Form">} catch(err) {}&lt;/script&gt;</p>
                </div>
              </div>
            </div>

Wondering if it is an attempt to misuse or exploit google-analytics in some way?

unSpawn · 07-04-2013, 01:15 AM

Hmmm. See http://www.projecthoneypot.org/ip_120.28.68.216.

descendant_command · 07-04-2013, 01:52 AM

Yeah, a couple of the other ip's I checked came up with similar results.

I added a fail2ban rule to catch requests with the variable string, but it seems to have tailed off now.

Am still curious about using the variable in the request but haven't had spare time to look into it further.

On reflection it could simply be a broken scanning script simply requesting any "links" it can parse from the page source and hitting on that line.

unSpawn · 07-05-2013, 11:34 AM

Quote:

Originally Posted by descendant_command

On reflection it could simply be a broken scanning script

...either way they got 404's back for nonexistent stuff (implying the scrapers engine is smart enough to back off eventually) so it's all good, right?

descendant_command · 07-05-2013, 08:11 PM

Yep.
Satisfied it is nothing to worry about now.