03-29-2003, 11:38 PM
Looking through my server stats I've noticed a few weird referers, most notably:
Field blocked by Outpost (http://www.agnitum.com)
I understand Outpost is a firewall but how does that relate to referers? Would this be a direct request by someone using Outpost maybe?
03-29-2003, 11:43 PM
i've got a proxy that says it has an option to block referrers. i've never tried (probably never will), but as i understand it, it messes with the http header. i'm guessing that Outpost is doing the same, and almost assuredly at the user's request. as for the other one, i would guess it's probably the same type of thing
03-29-2003, 11:44 PM
Some HTTP filtering software, proxies or firewalls remove some headers, either for security, privacy or client restrictions. Referer, User-Agent and Server are common to blank out or edit.
Nimda leaves strings of X's. I'll post a line from my log (wrapped so the forum isn't screwed up). Was it anything like this?
220.127.116.11 - - [29/Mar/2003:22:23:33 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 267
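Added example, not part of the thread or any poster's code: a small log triage that separates the two things discussed above, Referer values that are not URLs (such as the Outpost placeholder text) and `.ida` requests padded with a long run of one filler character. The log lines, the addresses in them and the 64-character threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Common Log Format, plus the optional "referer" "user-agent" pair (Combined).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# .ida request whose query starts with 64+ repeats of one character
# (the threshold is an assumption chosen for this example).
IDA_PROBE_RE = re.compile(r'\.ida\?(.)\1{63,}', re.IGNORECASE)

def classify_referer(value):
    """Return 'not-logged', 'absent', 'url' or 'non-url' for a Referer field."""
    if value is None:            # log format has no referer column
        return "not-logged"
    if value in ("", "-"):       # client sent no Referer header
        return "absent"
    try:
        parts = urlsplit(value)
    except ValueError:           # e.g. unbalanced brackets in the host part
        return "non-url"
    if parts.scheme in ("http", "https") and parts.netloc and " " not in value:
        return "url"
    return "non-url"             # free text, e.g. substituted by a filter

def triage(line):
    """Parse one access-log line; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "host": m["host"],
        "status": int(m["status"]),
        "referer": classify_referer(m["referer"]),
        "ida_probe": bool(IDA_PROBE_RE.search(m["request"])),
    }

# Constructed sample lines (documentation-range addresses, made-up sizes).
SAMPLE = [
    '192.0.2.10 - - [29/Mar/2003:22:10:01 +0100] "GET / HTTP/1.0" 200 1043 "Field blocked by Outpost (http://www.agnitum.com)" "Mozilla/4.0"',
    '192.0.2.11 - - [29/Mar/2003:22:11:40 +0100] "GET / HTTP/1.0" 200 1043 "http://example.org/links.html" "Mozilla/4.0"',
    '192.0.2.12 - - [29/Mar/2003:22:12:05 +0100] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Mar/2003:22:23:33 +0100] "GET /default.ida?' + "X" * 224 + '=a HTTP/1.0" 404 267',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

A "non-url" Referer only says the header was not a URL when it reached the server; it does not identify which product changed it.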