Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Getting Some Bad Lines in my Access Log File |
|
| Author |
|
seismicmike
Joined: 19 Jul 2016
Posts: 3
Location: US
|
 Posted: Tue 19 Jul '16 21:53 Post subject: Getting Some Bad Lines in my Access Log File |
 |
|
I run a LAMP stack that hosts about 100 virtual hosts. Each virtual Host logs to its own CustomLog file using the "combined" format.
For one of these log files (just the one so far), our AWStats parser is choking on the log file citing bad data. It says that not all the lines are in the "custom log" format.
When I look at the lines in question, it appears to me like the lines have been.... I don't know the word.... "decapitated"? Like the opposite of truncated. "Append" is to "Truncate" as "Prepend" is to "Decapitate" in this context.
What I mean is, it looks like the line starts somewhere in the middle of the line.
Example:
Good Line
| Quote: |
123.123.123.123 - - [19/Jul/2016:13:11:19 -0400] "HEAD /blog/compensation-plans-commercial-lenders HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/47.0 (Chrome)"
|
Bad Line
| Quote: |
ozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
|
See how it starts in the middle of the word "Mozilla"? It's like it cut off the first 100 or so characters of the line.
Here's a different example:
| Quote: |
1%C3%82%C2%AC%C3%83%C2%A2%C3%A2%E2%82%AC%C5%BE%C3%82%C2%A2s-strategic-plan?page=60 HTTP/1.1" 200
|
Does anyone know what might be causing this? It's not a super urgent problem. Our site is up and running as far as anybody on the front end can tell, but AWStats is completely unable to parse the logs.
I appreciate any help! Thanks 
Apache version: 2.2.15
Operating system: CentOS 6
PHP Version: 5.5.36 |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Fri 22 Jul '16 0:25 Post subject: |
|
|
Some one is trying to hack your server. Such things happen on most servers.
if you are worried mod_security can be your friend. |
|
| Back to top |
|
seismicmike
Joined: 19 Jul 2016
Posts: 3
Location: US
|
| Posted: Fri 22 Jul '16 0:29 Post subject: |
|
|
Hmm. Interesting.
Does this indicate a successful hack or just a hack attempt that may or may not have been successful? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg
|
| Posted: Fri 22 Jul '16 0:40 Post subject: |
|
|
| That single line doesn indicate anything. |
|
| Back to top |
|
seismicmike
Joined: 19 Jul 2016
Posts: 3
Location: US
|
| Posted: Fri 22 Jul '16 0:42 Post subject: |
|
|
| Hmm. OK. Thanks. I'll see what I can get from mod_security |
|
| Back to top |
|
|
|
|
|
|
