Understanding my error logs

pc · 06-02-1999, 01:45 PM

Hi,
Does anyone know of a place to get information on interpreting your error logs?

I have things on mine that I don't understand. Here's an example: %% [Wed May 26 22:17:12 1999] GET /cgi-bin/cframes/compose?disk=216.32.180.74_d705&login=mrideas29&f=33793&a mp;curmbox=ACTIVE&_lang= HTTP/1.0

What is that?

Thank you!
[This message has been edited by pc (edited 06-02-99)]

fuddmain · 06-16-1999, 09:32 AM

I don't have any info on interpreting error logs (as I haven't looked at mine yet), but I can decipher the example you cited.

Basically, that's an HTTP request header sent by a web agent (browser, robot, etc.). The "GET" part is the agent stating it wants to receive a particular resource.  In this case that resource is "/cgi-bin/cframes/compose".  All the stuff after the "?" are arguments to be passed to "compose".  If you split that junk on the "&" you are left with:

disk=216.32.180.74_d705
login=mrideas29
f=33793
curmbox=ACTIVE
_lang=

The HTTP/1.0 part is the agent telling the server which version of HTTP it would like to use.

Anyway, "compose" should have variables named disk, login, f, curmbox and _lang.  Presumably, compose can take the values assigned to these, do some magic and return something to the agent.

This probably showed up in your error log because there is no "/cgi-bin/cframes/compose" resource at your site.

This may be more info than you need, but I hope it helps.  I've just learned about HTTP myself, so there may be other people who could shed more light.

For more info on HTTP, head to www.w3.org or pick up "Web Client Programming with Perl" by O'Reilly.
------------------
Brian
fuddmain@gdi.net
[This message has been edited by fuddmain (edited 06-16-99)]

pc · 06-16-1999, 10:33 PM

Thank you. Still a bit above my head but a little clearer.

I really don't understand where these odd requests come from when there is no such program in my cgi bin. That is what confuses me. I understand some of the things in my logs, like when I'm trying to install something and it's not working.

I'll check the url you left and see if that can clarify things for me ever more.

Charles Capps · 06-17-1999, 12:04 AM

Hm, that looks a LOT like a hotmail URL...! Is that the only instance? Weird...

------------------
"Okay, so I'm not "SANE" so to speak, but uh... I'm the lovable kind of psycho"
http://solareclipse.net/

pc · 06-17-1999, 12:42 AM

No, there have been more similar entries. There are lots of bizarre things in my logs. That's why I'm trying to understand them.

If that 216.32.180.74 is an IP address, it belongs to:
Exodus Commnications Inc. (NETBLK-ECI-7)
1605 Wyatt Dr.
Santa Clara CA 95054

Netname: ECI-7
Netblock: 216.32.0.0 - 216.35.255.255
Maintainer: ECI
Coordinator:
DeLong, Owen  (OD19-ARIN)  owen@DELONG.SJ.CA.US
(408) 539-9559 (408)-532-9362

Domain System inverse mapping provided by:
NS.EXODUS.NET                206.79.230.10
NS2.EXODUS.NET               207.82.198.150

Here's some more strange ones that happen over and over:
[Mon May 31 16:40:41 1999] GET /cgi-bin/dmailweb.exe?cmd=item&u...ld=0&& HTTP/1.0

[Mon Apr 19 16:11:23 1999] GET /cgi-bin/dmailweb.cgi?cmd=item&i...rt=5&fld=0 HTTP/1.1

[Sat Apr 24 21:30:42 1999] GET /cgi-bin/dmailweb.cgi?cmd=item&i...rt=5&fld=0 HTTP/1.1

[Thu May  6 00:53:49 1999] GET /cgi-bin/mailweb.cgi?cmd=item&ut...ld=0&& HTTP/1.1

????

**Terra** · 06-17-1999, 12:57 AM

Possibly someone is scanning/probing your domain for these particular programs... There could be a potential exploit in those programs, if you were to have them...

--
Terra
--What? me paranoid?!?--
FutureQuest

pc · 06-17-1999, 01:04 AM

Nope, don't have 'em. The only things I have is a recommend thing (birdcast), webadverts, and a guestbook. Oops, forgot I just added UBB.

You and Deb have assured me there's no problem with these, I just want to figure out why I keep getting so MANY of these errors.

I have a partially free day tomorrow, so I'm going to try and read up on the url fuddmain supplied, so I'll understand these things better.

Maybe then I'll understand all these smart techies

that post in these forums. It's hard when you're Internet challenged.

fuddmain · 06-17-1999, 07:39 AM

I did a search on "dmailweb.exe" and came up with the following url: http://netwinsite.com/dmailweb/index.htm.  Apparently, it's a way to provide web-based email on your site.  Terra's thought on someone trying to exploit these programs is probably valid, but you don't have them installed, so no worries.

You're going to find lot's of wierd stuff in your log as times goes on.  It's very easy to write robots which scour the web searching for various information.  Most are benign and are written by folks trying to save a little time.  If they become a nuisance, there are steps you can take to limit their access to your site.

Don't worry about being internet challeged.  It wasn't that long ago that I was in the same boat.  Then the company I work for gave me their website project and I had to sink or swim.  I found out it wasn't too hard and being a geek is cool. I know, I know, I'm a sick puppy.

------------------
Brian
brian@fuddmain.com