
RE: [suse-security] Identical http request in log file

> > > > Is this a security problem at my site? How can I prevent
> > > > this without
> > > > limiting access to certain ip addresses? I'm using SuSE 8.0 with all
> > > > patches applied.
> > > >
> > > > Any hint is appreciated. Thanks in advance.
> > >
> > > I'm guessing your user has spyware on his machine.
> > > If it's Windows he should try spybot search and destroy
> > > or adaware.
> >
> > This was my first thought, too. But spybot and an additional
> > virus scan did
> > not produce any significant result.
> If it is limited to that single user it would have to be somewhere on
> his end, or along the route to you.  Perhaps a traceroute from
> his end would reveal something - maybe a caching proxy server
> between him and you.
> Also a netstat -an from his machine immediately (within a second)
> of requesting a page on your site might reveal odd connections
> to some other site.
> If you ever figure it out be sure to post here as this is
> quite interesting.

I gathered some additional info on this topic:
I'm running different webservers (virtual hosts) on one IP address. If the
"suspicious" user connects to server A the request is doubled. At host B not.
Another user connecting to host A shows _no_ doubled request, either. This
problem only occurs if this specific user connects to host A.

I reviewed all scripts (.php, .cgi) and their rights on host A but I didn't
find any suspicious changes. If this problem were related to this user,
then it would have to occur on every host he connects to. If it is related to my host
A, then it should occur with every user.

My paranoia is still rising :)

Any clues?
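
An added example, not part of the original thread: one way to quantify the pattern described above is to count, per virtual host and client, how many requests repeat an identical request within a short window. The log format (Apache combined with the virtual host `%v` prepended), the hostnames, the addresses, the 2-second window and the name `find_repeats` are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed format: "%v %h %l %u %t \"%r\" %>s %b" (virtual host first).
LINE_RE = re.compile(
    r'(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client doubles every request on host A only.
SAMPLE_LOG = """\
a.example.com 192.0.2.10 - - [12/Mar/2003:10:15:01 +0100] "GET /index.php HTTP/1.1" 200 5120
a.example.com 192.0.2.10 - - [12/Mar/2003:10:15:01 +0100] "GET /index.php HTTP/1.1" 200 5120
a.example.com 192.0.2.10 - - [12/Mar/2003:10:15:02 +0100] "GET /style.css HTTP/1.1" 200 830
a.example.com 192.0.2.10 - - [12/Mar/2003:10:15:02 +0100] "GET /style.css HTTP/1.1" 200 830
b.example.com 192.0.2.10 - - [12/Mar/2003:10:16:00 +0100] "GET /index.php HTTP/1.1" 200 4410
b.example.com 192.0.2.10 - - [12/Mar/2003:10:16:01 +0100] "GET /style.css HTTP/1.1" 200 830
a.example.com 198.51.100.7 - - [12/Mar/2003:10:17:00 +0100] "GET /index.php HTTP/1.1" 200 5120
a.example.com 198.51.100.7 - - [12/Mar/2003:10:20:00 +0100] "GET /index.php HTTP/1.1" 200 5120
"""

def find_repeats(log_text, window_seconds=2):
    """Return {(vhost, client): (repeated, total)} where 'repeated' counts
    requests identical to the previous one from the same client to the
    same vhost and no more than window_seconds after it."""
    last_seen = {}       # (vhost, client, request line) -> last timestamp
    repeats = Counter()
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue     # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        pair = (m["vhost"], m["client"])
        key = pair + (m["request"],)
        totals[pair] += 1
        prev = last_seen.get(key)
        if prev is not None and abs((ts - prev).total_seconds()) <= window_seconds:
            repeats[pair] += 1
        last_seen[key] = ts
    return {pair: (repeats[pair], totals[pair]) for pair in totals}

if __name__ == "__main__":
    for (vhost, client), (rep, total) in sorted(find_repeats(SAMPLE_LOG).items()):
        print(f"{vhost:15} {client:15} repeated {rep} of {total}")
```

A high repeat ratio for a single (host, client) pair and none for the others narrows the cause to something specific to that combination, such as a proxy on the path or a client-side setting tied to that hostname.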

