logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Getting Some Bad Lines in my Access Log File
Author
seismicmike



Joined: 19 Jul 2016
Posts: 3
Location: US

PostPosted: Tue 19 Jul '16 21:53    Post subject: Getting Some Bad Lines in my Access Log File Reply with quote

I run a LAMP stack that hosts about 100 virtual hosts. Each virtual Host logs to its own CustomLog file using the "combined" format.

For one of these log files (just the one so far), our AWStats parser is choking on the log file citing bad data. It says that not all the lines are in the "custom log" format.

When I look at the lines in question, it appears to me like the lines have been.... I don't know the word.... "decapitated"? Like the opposite of truncated. "Append" is to "Truncate" as "Prepend" is to "Decapitate" in this context.

What I mean is, it looks like the line starts somewhere in the middle of the line.

Example:

Good Line
Quote:

123.123.123.123 - - [19/Jul/2016:13:11:19 -0400] "HEAD /blog/compensation-plans-commercial-lenders HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)"


Bad Line
Quote:

ozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"


See how it starts in the middle of the word "Mozilla"? It's like it cut off the first 100 or so characters of the line.

Here's a different example:
Quote:

1%C3%82%C2%AC%C3%83%C2%A2%C3%A2%E2%82%AC%C5%BE%C3%82%C2%A2s-strategic-plan?page=60 HTTP/1.1" 200


Does anyone know what might be causing this? It's not a super urgent problem. Our site is up and running as far as anybody on the front end can tell, but AWStats is completely unable to parse the logs.

I appreciate any help! Thanks Smile

Apache version: 2.2.15
Operating system: CentOS 6
PHP Version: 5.5.36
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 22 Jul '16 0:25    Post subject: Reply with quote

Some one is trying to hack your server. Such things happen on most servers.

if you are worried mod_security can be your friend.
Back to top
seismicmike



Joined: 19 Jul 2016
Posts: 3
Location: US

PostPosted: Fri 22 Jul '16 0:29    Post subject: Reply with quote

Hmm. Interesting.

Does this indicate a successful hack or just a hack attempt that may or may not have been successful?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 22 Jul '16 0:40    Post subject: Reply with quote

That single line doesn indicate anything.
Back to top
seismicmike



Joined: 19 Jul 2016
Posts: 3
Location: US

PostPosted: Fri 22 Jul '16 0:42    Post subject: Reply with quote

Hmm. OK. Thanks. I'll see what I can get from mod_security
Back to top


Reply to topic   Topic: Getting Some Bad Lines in my Access Log File View previous topic :: View next topic
Post new topic   Forum Index -> Apache