Odd site log entry
Recently, I started finding “username” entries in my Web stats program. At first I feared someone possibly cracked my box, but the mysterious users only visited for a short bit and they only apparently reached my Web server. The only two Web serving programs I have are Apache and WordPress. My Apache install is maintained by my wonderful webhost, while the WordPress install is maintained by me, and I hadn’t approved any other members as of yet. So, after the initial findings, I waited to see if the mysterious log entries would appear again, so I could track them. Here is an entry which recorded a username today.
68.116.223.103 //IP addy
- www.carvir //unknown fields, “www.carvir” recorded as username
[14/Jul/2004:07:31:22 -0400] //date, time
"GET / HTTP/1.0" //HTTP request
200 23667 //HTTP code, bytes sent
"-" //Referer string
"Mozilla/3.0 (compatible)" //User Agent (this looks like a bot)
I’m not an HTTP expert, but I think after seeing this log entry, that second part where the “- www.carvir” appears is possibly where a username/password is passed along to the server.
Just for kicks here is a normal looking entry for comparison….
[IP addy] - - [14/Jul/2004:11:23:17 -0400] "GET /archives/office-depothewlett-packard-summer-offer-to-recycle-consumer-electonics/ HTTP/1.1" 200 5052 "http://www.mikemcbrideonline.com/blogger.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2"
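An added example, not part of the original post: in Apache's combined log format the third field is %u, the remote user taken from HTTP authentication, so entries like the one above can be pulled out of an access log by parsing that field. The function names, the known_users parameter and the 192.0.2.10 address (standing in for the IP the post elides) are assumptions made for illustration.

```python
import re
from collections import Counter

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

def parse(line):
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def unexpected_users(lines, known_users=frozenset()):
    """Return entries whose %u field is set to a name outside known_users.

    On a site with no password-protected content every entry should carry
    "-" here, so any other value is worth a look.
    """
    hits = []
    for line in lines:
        entry = parse(line)
        if entry and entry["user"] != "-" and entry["user"] not in known_users:
            hits.append(entry)
    return hits

def summarize(hits):
    """Count flagged entries per (host, user, agent) to show repeat visitors."""
    return Counter((h["host"], h["user"], h["agent"]) for h in hits)

# First line: the entry from the post with its annotations removed.
# Second line: the post's comparison entry, with a placeholder IP (constructed).
SAMPLE = [
    '68.116.223.103 - www.carvir [14/Jul/2004:07:31:22 -0400] "GET / HTTP/1.0" '
    '200 23667 "-" "Mozilla/3.0 (compatible)"',
    '192.0.2.10 - - [14/Jul/2004:11:23:17 -0400] "GET /archives/office-depothewlett-'
    'packard-summer-offer-to-recycle-consumer-electonics/ HTTP/1.1" 200 5052 '
    '"http://www.mikemcbrideonline.com/blogger.html" "Mozilla/5.0 (Windows; U; '
    'Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2"',
]

if __name__ == "__main__":
    for key, count in summarize(unexpected_users(SAMPLE)).items():
        print(count, *key, sep="\t")
```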



























July 15th, 2004 at 2:27 pm
Indeed, just a bot that sends out HTTP GETs with standard authentication things.
Probably fishing around.
July 28th, 2004 at 4:37 pm
[…] 2:37 pm