Odd site log entry

Posted by joy


Recently, I started finding “username” entries in my Web stats program. At first I feared someone possibly cracked my box, but the mysterious users only visited for a short bit and they only apparently reached my Web server. The only two Web serving programs I have are Apache and WordPress. My Apache install is maintained by my wonderful webhost, while the WordPress install is maintained by me, and I hadn’t approved any other members as of yet. So, after the initial findings, I waited to see if the mysterious log entries would appear again, so I could track them. Here is an entry which recorded a username today.

68.116.223.103 //IP addy
- www.carvir //unknown fields, “www.carvir” recorded as username
[14/Jul/2004:07:31:22 -0400] //date, time
“GET / HTTP/1.0″ //HTTP request
200 23667 //HTTP code, bytes sent
“-” //Referer string
“Mozilla/3.0 (compatible)” //User Agent (this looks like a bot)

I’m not an HTTP expert, but I think after seeing this log entry, that second part where the “- www.carvir” appears is possibly where a username/password is passed along to the server.

Just for kicks here is a normal looking entry for comparison….

[IP addy]
- -
[14/Jul/2004:11:23:17 -0400]
“GET /archives/office-depothewlett-packard-summer-offer-to-recycle-consumer-electonics/ HTTP/1.1″
200 5052
“http://www.mikemcbrideonline.com/blogger.html”
“Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2″


2 Responses to “Odd site log entry”

  1. me Says:

    Indeed, just a bot that sends out HTTP GETs with standard authentication things.
    Probably fishing around.

  2. Confessions of a G33k :: Bots configured badly Says:

    […] 2:37 pm

    While I was checking my Web site logs last night I noticed another strange “guest” username entry. So armed with my monthly Apache logs and the grep command […]