Strange 404 entries generated from page title. Should I worry?

Discussion in 'Site & Server Administration' started by helleborine, Apr 11, 2007.

0
  1. #1
    I have come across strange 404 requests in my logs and I wonder what they are. Below is a sample of my raw logs. There are many lines of entry like these.

    These illegitimate requests tend to end with "_files/ads", "_archivos/ads.htm" or "-Dateien/ads.htm"

    The IPs come from all over the world and appear legitimate.

    There is no common ground of ISP or operating system.

    The PAGE TITLE appears in the GET request, with "%20" replacing the spaces, and terminated with "_files/ads" or "-Dateien/ads.htm" or some alphanumeric code like "CA2FU7E9.html" (this code is sometimes much, much longer). Therefore, I suspect they are automatically generated from the TITLE TAG contents. Weird. The fact that the word "ads" makes me worry that somehow my website content is being displayed in an unauthorized manner.

    Should I worry? 

    
"GET /IFRAME%20SRC=%220vertmenu.html%22%20WIDTH=120%20HEIGHT=600%20border=0%3E HTTP/1.1" 404 - "http://mydomain.com/2victorian6.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11" 
"GET /IFRAME%20SRC=%220vertmenu.html%22%20WIDTH=120%20HEIGHT=600%20border=0%3E HTTP/1.1" 404 - "http://mydomain.com/2poppies.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" 
"GET /IFRAME%20SRC=%220vertmenu.html%22%20name=%22Free_Knitting_Patterns%22%20border=%220%22%20alt=%22Free%20Cable%20Knitting%20Patterns%22%20WIDTH=120%20HEIGHT=1800%20border=0%3E HTTP/1.1" 404 - "http://mydomain.com/1set02.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" 
"GET /Pansies%20Round%20Window%20Cable%20Knitting%20Pattern_files/0vertmenu.htm HTTP/1.1" 404 - "http://mydomain.com/2pansyround.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 
"GET /Scottish%20Thistle%20Cable%20Knitting%20Pattern_files/0vertmenu.htm HTTP/1.1" 404 - "http://mydomain.com/2fancythistle.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 
"GET /Pine%20Cone,%20Cable%20Knitting%20Pattern_files/0vertmenu.htm HTTP/1.1" 404 - "http://mydomain.com/2pinecone.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 
"GET /Family%20Tree%20Cable%20Knitting%20Pattern_files/0vertmenu.htm HTTP/1.1" 404 - "http://mydomain.com/2familytree.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 
"GET /Oriental%20Poppies%20Cable%20Knitting%20Pattern_files/0vertmenu.htm HTTP/1.1" 404 - "http://mydomain.com/2poppies.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 
"GET /Art%20Nouveau%20Lilies%20Cable%20Knitting%20Pattern_files/0vertmenu.htm HTTP/1.1" 404 - "http://mydomain.com/2artnouveaulilies.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 
"GET /Fence%20Repeat%20Cable%20Knitting%20Pattern-Dateien/ads.htm HTTP/1.1" 404 - "http://mydomain.com/2fencerepeat.html" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1)" 
"GET /Greenman%20Cable%20Knitting%20Pattern_files/CAU78DKT.htm HTTP/1.1" 404 - "http://mydomain.com/2greenman.html" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
"GET /Tabby%20Kitten%20Cable%20Knitting%20Pattern_files/CA1HUWA6.htm HTTP/1.1" 404 - "http://mydomain.com/2tabbykitten.html" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
"GET /Plumeria%20(Frangipani)%20Cable%20Knitting%20Pattern_files/ads.htm HTTP/1.1" 404 - "http://mydomain.com/2plumeria.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
"GET /Red%20Wing%20Blackbird%20Cable%20Knitting%20Pattern_files/ads.htm HTTP/1.1" 404 - "http://mydomain.com/2redwingblackbird.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
"GET /King's%20Bird%20of%20Paradise%20Cable%20Knitting%20Pattern_files/ads.htm HTTP/1.1" 404 - "http://mydomain.com/2kingbop.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
"GET /Asiatic%20Lily%20Cable%20Knitting%20Pattern_files/ads.htm HTTP/1.1" 404 - "http://mydomain.com/2asiaticlily.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
"GET /Oval%20Oriental%20Poppies%20Cable%20Knitting%20Pattern_files/ads.htm HTTP/1.1" 404 - "http://mydomain.com/2ovalpoppies.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 
"GET /Gothic%20Wheat%20Cable%20Knitting%20Pattern-Dateien/ads.htm HTTP/1.1" 404 - "http://mydomain.com/2gothicwheat.html" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1)" 
"GET /Free%20Cable%20Knitting%20Patterns_files/CA2FU7E9.htm HTTP/1.1" 404 - "http://mydomain.com/1set08.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
"GET /Free%20Cable%20Knitting%20Patterns2_files/CARAWZND.htm HTTP/1.1" 404 - "http://mydomain.com/1set03.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 
"GET /Free%20Cable%20Knitting%20Patterns4_archivos/ads.htm HTTP/1.1" 404 - "http://mydomain.com/1set04.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 
"GET /Free%20Cable%20Knitting%20Patterns5_archivos/ads.htm HTTP/1.1" 404 - "http://mydomain.com/1set05.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 
"GET /Free%20Cable%20Knitting%20Patterns6_archivos/ZYCALRCFV2CAVFZE73CAYW2WCQCA65OHQFCAUPVY29CAGWMKLYCAACSTP3CAD53GXICAKC5TSLCABMP8UCCAXGVL6KCANIZS0NCAC36B93CAVLBKTHCAR0TUNACAYJV6DNCAI62FBF.htm HTTP/1.1" 404 - "http://mydomain.com/1set06.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 
"GET /Free%20Cable%20Knitting%20Patterns8_archivos/8OCA69857LCABGT9ARCAZZ6POXCAPQWZU0CAEZCS7ZCADA85VHCA4ZN1ZNCAW359N2CAK8M0MXCA232EN5CATL0ANDCAKLAKBGCANYO2MACAGE2PL9CA5FR6LACAJ7S1NZCAETTMTN.htm HTTP/1.1" 404 - "http://mydomain.com/1set08.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 
"GET /Asiatic%20Lily%20Cable%20Knitting%20Pattern_files/CAB8J7T8.htm HTTP/1.1" 404 - "http://mydomain.com/2asiaticlily.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)"
    Code (markup):
     
    helleborine, Apr 11, 2007 IP
  2. hans

    hans Well-Known Member

    Messages:
    2,923
    Likes Received:
    126
    Best Answers:
    1
    Trophy Points:
    173
    #2
    unfortunately you removed part of the raw file data
    hence a full analysis is impossible

    but

    i have a buch of comparable lines as well
    usually such lines come from faulty browsers/clients software and nothing to worry about

    if such requests come from a precise number of IPs then you may deny access to those IPs

    most of the 404 i have come from IE creating WRONG URLs resulting in a 404 error
     
    hans, Apr 11, 2007 IP
  3. helleborine

    helleborine Well-Known Member

    Messages:
    915
    Likes Received:
    70
    Best Answers:
    0
    Trophy Points:
    120
    #3
    I only removed the IP numbers and changed the domain name to protect the innocents!

    A friend told me these might be poorly configured proxies that show ads, hence the word "AD" that is included in the malformed URLs.

    So, probably nothing sinisters, just pollution of my 404 reports.
     
    helleborine, Apr 12, 2007 IP