Odd requests in the http server access log











up vote
1
down vote

favorite












I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"





http







share|improve this question




















  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago















up vote
1
down vote

favorite












I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"





http







share|improve this question




















  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago













up vote
1
down vote

favorite









up vote
1
down vote

favorite











I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"





http







share|improve this question















I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"





http




http






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 11 hours ago









JakeGould

30.5k1093134




30.5k1093134










asked 15 hours ago









luntain

228128




228128








  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago














  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago








1




1




There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
– Worthwelle
15 hours ago




There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
– Worthwelle
15 hours ago












What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
– JakeGould
11 hours ago




What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
– JakeGould
11 hours ago










1 Answer
1






active

oldest

votes

















up vote
0
down vote













Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375494%2fodd-requests-in-the-http-server-access-log%23new-answer', 'question_page');
    }
    );

    Post as a guest


















    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



    I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






    share|improve this answer

























      up vote
      0
      down vote













      Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



      I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






      share|improve this answer























        up vote
        0
        down vote










        up vote
        0
        down vote









        Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



        I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






        share|improve this answer












        Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



        I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 12 hours ago









        davidgo

        41k74684




        41k74684






























             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375494%2fodd-requests-in-the-http-server-access-log%23new-answer', 'question_page');
            }
            );

            Post as a guest






































































            -

            Popular posts from this blog

            QoS: MAC-Priority for clients behind a repeater

            Image
            1 1 I've setup a wireless network using a Linksys-Router (DD-WRT) as an AP and a TP-Link repeater for range extension. To manage bandwith for specific users, I've setup QoS-Rules on the AP (DD-WRT) using MAC-Priority: However the AP shows only the Repeater's MAC and the MACs of users inside the AP-Range. The MAC addresses of users behind the Repeater are not listed : The purple MAC is not listed in the AP-Clientlist. Its related to a device connected via the TP-Link repeater. Q: How can I setup MAC-Priority for repeater-clients? Do I simply add the purple MAC in AP-MAC priority list although it's not listed as a client? I want to setup specific priority instead of giving one priority for all clients behind the repeater by adding the repeater's MAC in the MAC priority list in the AP as
            Read more

            Ивакино (Тотемский район)

            Image
            У этого топонима есть и другие значения, см. Ивакино. Деревня Ивакино 59°42′01″ с. ш. 42°01′36″ в. д. H G Я O Страна Россия   Россия Субъект Федерации Вологодская область Муниципальный район Тотемский район Сельское поселение Погореловское История и география Тип климата умеренно-континентальный Часовой пояс UTC+3 Население Население 33 человека ( 2002 ) Национальности русские Цифровые идентификаторы Почтовый индекс 161327 Код ОКАТО 19 246 848 008 Код ОКТМО 19 646 448 136 Прочее Рег. номер 6261 Показать/скрыть карты Ивакино Ивакино Ивакино Ивакино — деревня в Тотемском районе Вологодской области. Входит в состав Погореловского сельского поселения [1] , с точки зрения административно-территориального деления — в Погореловский сельсовет. Расстояние по автодороге до районного центра Тотьмы — 61,5 км, до центра муниципального образования деревни Погорелово — 1,5 км.
            Read more

            Can't locate Autom4te/ChannelDefs.pm in @INC (when it definitely is there)

            Image
            up vote 1 down vote favorite I've been running into trouble running make for a build process that I know works on a 32-bit Ubuntu VM. I am running a 64-bit Ubuntu VM, and I have a feeling that the 64-bit may be the problem, but am not entirely sure. Basically, when I run the make command, I get the following error: Can't locate Autom4te/ChannelDefs.pm in @INC (@INC contains: [...]/staging_dir/host/share/autoconf /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl .) at [...]/staging_dir/host/bin/autoreconf line 40. Now if I navigate to [...]/staging_dir/host/share/autoconf I can see that, contrary to what autoreconf thinks, Autom4te/ChannelDefs.pm definitely exists, so I don't really understand what
            Read more