Odd requests in the http server access log











up vote
1
down vote

favorite












I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"









share|improve this question




















  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago















up vote
1
down vote

favorite












I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"









share|improve this question




















  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago













up vote
1
down vote

favorite









up vote
1
down vote

favorite











I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"









share|improve this question















I switched to Nnginx from Apache, and took a look at the access logs. There are some requests scanning for phpMyAdmin etc, but I was surprised to find requests for weird sites. For example:



156.201.91.152 - - [14/Nov/2018:23:43:14 +0100] "GET http://yastatic.net/bootstrap/3.3.6/css/bootstrap.min.css HTTP/1.1" 404 234 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"


I have no clue what yastatic.net or bootstrap.min.css are. I have a number of those isolated requests giving 404. I went to check the access log for my old Apache instance, and there they can be found too, but with a 302 status code.



Any clue what that is about?



A got other weird ones. Here is someone asking for http://www.bing.com/, apparently coming from a google search results page:



46.119.114.237 - - [14/Nov/2018:23:15:58 +0100] "GET http://www.bing.com/ HTTP/1.1" 200 5616 "http://www.google.co.uk/search?q=%3Ctitle%3EBing%3C%2Ftitle%3E%20www.bing.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) (Prevx 3.0.5)"






http






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 11 hours ago









JakeGould

30.5k1093134




30.5k1093134










asked 15 hours ago









luntain

228128




228128








  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago














  • 1




    There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
    – Worthwelle
    15 hours ago










  • What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
    – JakeGould
    11 hours ago








1




1




There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
– Worthwelle
15 hours ago




There's some information on this here. It looks like someone is port scanning your server for vulnerabilities.
– Worthwelle
15 hours ago












What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
– JakeGould
11 hours ago




What was your site hosting before? You mention Nginx and Apache as if that switch means something. It doesn’t. All you are noticing is Apache would redirect these requests to your root (I assume) and Nginx is simply dropping dead in it’s tracks. The reality is your site is being probed with tons of fake requests by a bot scanning you. Don’t take it personally: Every website in the modern world is being endlessly scanned. I would not lose sleep over this.
– JakeGould
11 hours ago










1 Answer
1






active

oldest

votes

















up vote
0
down vote













Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375494%2fodd-requests-in-the-http-server-access-log%23new-answer', 'question_page');
    }
    );

    Post as a guest
































    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



    I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






    share|improve this answer

























      up vote
      0
      down vote













      Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



      I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






      share|improve this answer























        up vote
        0
        down vote










        up vote
        0
        down vote









        Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



        I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.






        share|improve this answer












        Someone is asking your server for the page http://yastatic.net... We can only speculate at the reasons why.



        I think the most likely cause is either a bot which is incorrectly configured or something trying to fingerprint / exploit your system. There are other possible explanations but they would seem less likely as the IP addresses requesting this change are very different over a not-that-long time period. Similarly the browser strings are very different and appear to have been picked up from someone elses logs.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 12 hours ago









        davidgo

        41k74684




        41k74684






























             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375494%2fodd-requests-in-the-http-server-access-log%23new-answer', 'question_page');
            }
            );

            Post as a guest




















































































            Popular posts from this blog

            AnyDesk - Fatal Program Failure

            How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

            QoS: MAC-Priority for clients behind a repeater