Here is a typical session
Code:
120.28.68.216 - - [02/Jul/2013:09:08:52 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:06 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:11 +1200] "GET /login HTTP/1.1" 200 9611 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:11 +1200] "GET /misc/drupal.js HTTP/1.1" 200 6184 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:12 +1200] "GET /misc/jquery.js HTTP/1.1" 200 21308 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:12 +1200] "GET /portfolio HTTP/1.1" 200 10200 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:13 +1200] "GET /product-range HTTP/1.1" 200 10121 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:14 +1200] "GET /request-quote HTTP/1.1" 200 22582 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:15 +1200] "GET /resources HTTP/1.1" 200 8902 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:20 +1200] "GET /modules/jquery_update/collapse-fix.js HTTP/1.1" 200 1421 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:09:09:20 +1200] "GET /modules/jquery_update/compat-1.0.js HTTP/1.1" 200 2558 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:36 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:44 +1200] "GET /\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8167 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:49 +1200] "GET /login HTTP/1.1" 200 9611 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:50 +1200] "GET /misc/drupal.js HTTP/1.1" 200 6184 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:50 +1200] "GET /misc/jquery.js HTTP/1.1" 200 21308 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:51 +1200] "GET /portfolio HTTP/1.1" 200 10200 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:52 +1200] "GET /product-range HTTP/1.1" 200 10121 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:54 +1200] "GET /request-quote HTTP/1.1" 200 22582 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:52:55 +1200] "GET /resources HTTP/1.1" 200 8902 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:07 +1200] "GET /contact HTTP/1.1" 200 9690 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:08 +1200] "GET /misc/textarea.js HTTP/1.1" 200 1596 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:09 +1200] "GET /modules/jquery_update/collapse-fix.js HTTP/1.1" 200 1420 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:09 +1200] "GET /modules/jquery_update/compat-1.0.js HTTP/1.1" 200 2558 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:10 +1200] "GET /node/1 HTTP/1.1" 301 584 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:11 +1200] "GET / HTTP/1.1" 200 9694 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:12 +1200] "GET /node/33 HTTP/1.1" 200 9192 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:13 +1200] "GET /node/35 HTTP/1.1" 200 14359 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:15 +1200] "GET /node/10 HTTP/1.1" 301 618 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:17 +1200] "GET /node/5 HTTP/1.1" 301 603 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:19 +1200] "GET /node/7 HTTP/1.1" 301 605 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:21 +1200] "GET /node/8 HTTP/1.1" 301 597 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:26 +1200] "GET /node/9 HTTP/1.1" 301 601 "-" "Java/1.7.0_17"
120.28.68.216 - - [02/Jul/2013:10:53:31 +1200] "GET /login/\" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 404 8168 "-" "Java/1.7.0_17"
The source IP's I've checked seem to be consumer ranges in europe.
It's not so different to a lot of the general "log noise" but the quoted variable in the request jumped out at me.
It gives a truckload of hits on a search, all seemingly on this block of code in the page source where gaJsHost is declared as a variable.
Code:
<div id="id4" style="height: 293px; left: 711px; position: absolute; top: 1434px; width: 274px; z-index: 1; " class="style_SkipStroke_4 shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_274_293" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-top: 0pt; " class="Free_Form"><script type="text/javascript"><br /></p>
<p class="Free_Form">var gaJsHost = (("https:" == document.location.protocol) ? "<a title="https://ssl" href="https://ssl">https://ssl</a>." : "http://www.");<br /></p>
<p class="Free_Form">document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));<br /></p>
<p class="Free_Form"></script><br /></p>
<p class="Free_Form"><script type="text/javascript"><br /></p>
<p class="Free_Form">try {<br /></p>
<p class="Free_Form">var pageTracker = _gat._getTracker("UA-10869925-1");<br /></p>
<p class="Free_Form">pageTracker._trackPageview();<br /></p>
<p style="padding-bottom: 0pt; " class="Free_Form">} catch(err) {}</script></p>
</div>
</div>
</div>
Wondering if it is an attempt to misuse or exploit google-analytics in some way?