DSM-G600, DNS-3xx and NSA-220 Hack Forum


#1 2012-01-31 23:23:27

capitainabloc
Member
Registered: 2011-10-05
Posts: 22

strange entries in access.log

Hello all,

While analysing the lighttpd access.log, I've found some entries I don't understand:

Code:

192.168.0.10 192.168.0.20 - [31/Jan/2012:20:46:02 +0100] "GET /favicon.ico HTTP/1.1" 200 822 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

58.218.199.147 www.intute.us - [31/Jan/2012:21:21:32 +0100] "GET http://www.intute.us/pr.php HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

What is this remote IP from China doing in this log (last entry)? And the referrer is not my site at all!

How do I get rid of this? (I already blocked this IP in lighttpd, but it is still appearing in the log...)


#2 2012-02-01 00:39:23

FunFiler
Member
Registered: 2010-05-23
Posts: 577

Re: strange entries in access.log

The first entry is simply the browser (on your local subnet) trying to get an icon to use in the favorites list display.

The second entry is a remote file access attempt (looking for a backdoor) but the file is not found, hence the 404 error.


3 * (DNS-323 with 2 * 2TB) = 12TB Running FW v1.08 & FFP v0.5
Useful Links: Transmission, Transmission Remote, Automatic


#3 2012-02-09 12:50:42

capitainabloc
Member
Registered: 2011-10-05
Posts: 22

Re: strange entries in access.log

FunFiler wrote:

The first entry is simply the browser (on your local subnet) trying to get an icon to use in the favorites list display.

The second entry is a remote file access attempt (looking for a backdoor) but the file is not found, hence the 404 error.

Yes, OK for this, but in the

58.218.199.147 www.intute.us - [31/Jan/2012:21:21:32 +0100] "GET http://www.intute.us/pr.php HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

the "58.218.199.147" is not my IP, and the "www.intute.us" and "http://www.intute.us/pr.php" are not my website at all?


That was the reason for my question...


#4 2012-02-09 13:16:18

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 709

Re: strange entries in access.log

58.218.199.147 is the IP of the sender. And www.intute.us is the domain referred to in the HTTP request header.

capitainabloc wrote:

the "www.intute.us" and "http://www.intute.us/pr.php" are not my website at all?

That doesn't matter. Even though this is not your domain, it's quite easy to send an HTTP request header to any IP address with any domain in it.

The easiest one is to put

Code:

 192.168.0.20 example.com

in your hosts file. When you then type example.com in your browser, you'll see a line 'example.com' in your server log. (Maybe you'll have to reboot after editing hosts, depending on the OS.)

(BTW, you can tell lighttpd to serve different web pages for different domains. This is called 'virtual hosts', and is also the reason that the domain names are provided in the HTTP request header.
This can also add a level of security. Scans for vulnerabilities in a webserver are mostly sent to your plain public IP address, or to some fake domain. So by serving an empty page on all domains except your DynDNS domain, the probability that a vulnerability will be found is lowered.)
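As an added illustration of the point above (this is example code, not code from the thread or from lighttpd): a small Python script that parses lines in the layout quoted in this thread, treats the second field as the Host header the client sent, and flags requests whose Host is not one of the names this NAS should answer to, or whose request line carries an absolute URL (a client testing the server as an open proxy). The DynDNS name, the third log line and the documentation IP addresses in it are assumed or constructed.

```python
import re
from collections import Counter

# Field layout of the lines quoted in the thread: client IP, Host header (vhost),
# user, [time], "request line", status, bytes, "Referer", "User-Agent".
# Assumed to match lighttpd's accesslog.format "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"".
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Names this NAS legitimately answers to: its LAN address and an assumed placeholder DynDNS name.
ALLOWED_HOSTS = {"192.168.0.20", "mynas.dyndns.example"}

def parse_line(line):
    """Split one access.log line into fields; None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry, allowed=ALLOWED_HOSTS):
    """Reasons an entry looks like a scan rather than a visitor; empty for normal traffic."""
    reasons = []
    if entry["vhost"] not in allowed:
        # Host header names a domain (or bare IP) that is not ours: generic scan traffic.
        reasons.append("host-header-not-ours")
    if entry["target"].lower().startswith(("http://", "https://")):
        # Absolute URI in the request line: the client is testing us as an open proxy.
        reasons.append("absolute-uri-proxy-probe")
    return reasons

def suspicious_clients(lines, allowed=ALLOWED_HOSTS):
    """Count flagged requests per client IP over an iterable of log lines."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry, allowed):
            hits[entry["client"]] += 1
    return hits

# Sample input: the two lines from the thread plus one constructed line in which the
# Host header is a documentation address standing in for the NAS's public IP.
SAMPLE_LOG = [
    '192.168.0.10 192.168.0.20 - [31/Jan/2012:20:46:02 +0100] "GET /favicon.ico HTTP/1.1" 200 822 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"',
    '58.218.199.147 www.intute.us - [31/Jan/2012:21:21:32 +0100] "GET http://www.intute.us/pr.php HTTP/1.1" '
    '404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 203.0.113.5 - [31/Jan/2012:22:03:11 +0100] "GET / HTTP/1.0" 200 0 "-" "-"',
]
```

Running `suspicious_clients(SAMPLE_LOG)` leaves the LAN favicon request alone and reports one flagged request each for the two outside clients.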
