Someone is hacking me?


http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2416102462


http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=3355631138


http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2952978412


http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=3758293555

What do you think about these referrers? “block” is the keyword to me. I was confused when I saw these referrers in the access log. However, I read all the log entries related to the client IP of these referrers.

204.117.xxx.xxx - - [07/Dec/2007:00:14:50 -0700] "GET /blog/2007/06/30/team-hoyt-c-a-n/ HTTP/1.1" 200 0 "http://www.google.com/search?q=richard+and+dick+hoyt&hl=en&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:51 -0700] "GET /blog/2007/06/30/team-hoyt-c-a-n/ HTTP/1.1" 200 7774 "http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2416102462" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /blog/wp-content/themes/livibetter/style.css?r=16 HTTP/1.1" 200 6376 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /style.css?r=7 HTTP/1.1" 200 3760 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /blog/wp-content/plugins/CiteThis/CiteThis.css HTTP/1.1" 200 475 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /blog/wp-includes/js/jquery/jquery.js?ver=1.1.4 HTTP/1.1" 200 22702 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
[snip]

That looks totally normal. I googled and found some pages saying that someone is hacking your web server, or that the Navy is doing something to your server. That’s really funny. One says port 15871 has a security issue. Please! That’s the referrer’s port, not the port being accessed on your server. Words from people who know nothing are pretty dangerous. If someone were trying to hack your server, would he be so dumb as to leave traces?

These referrers were generated by Websense, software that can block clients from accessing some pages via its proxy. And my website isn’t blocked by it, because the client GETs the files successfully.
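The check described above, as an added example that is not part of the original post: it scans combined-format access log lines for referrers whose host is a private IP address, like the Websense one here, and records the status code each request received. The sample lines, client address and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Combined log format: client, identd, user, [time], "request", status, size, "referrer", "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines modelled on the log above (client address and agent are placeholders).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Dec/2007:00:14:50 -0700] "GET /blog/post/ HTTP/1.1" 200 0 "http://www.google.com/search?q=example" "Mozilla/4.0"
203.0.113.7 - - [07/Dec/2007:00:14:51 -0700] "GET /blog/post/ HTTP/1.1" 200 7774 "http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2416102462" "Mozilla/4.0"
203.0.113.7 - - [07/Dec/2007:00:14:52 -0700] "GET /style.css?r=7 HTTP/1.1" 200 3760 "http://www.example.com/blog/post/" "Mozilla/4.0"
this line is not a log entry
"""

def private_origin(referrer):
    """Return (host, port) when the referrer host is a non-public IP literal, else None."""
    try:
        parts = urlsplit(referrer)
        ip = ipaddress.ip_address(parts.hostname or "")
        port = parts.port
    except ValueError:  # hostname is a DNS name, "-" or malformed
        return None
    return (str(ip), port) if ip.is_private else None

def find_private_referrers(lines):
    """List requests whose referrer points at an address only the client's network can reach."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a combined-format entry
        origin = private_origin(m["referrer"])
        if origin:
            hits.append({
                "client": m["client"],
                "path": m["path"],
                "status": int(m["status"]),  # 200 here means this server answered the request
                "referrer_host": origin[0],
                "referrer_port": origin[1],  # a port on the client's side, not on this server
            })
    return hits

if __name__ == "__main__":
    for hit in find_private_referrers(SAMPLE_LOG.splitlines()):
        print(hit)
```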

One Comment

  1. Posted June 8, 2009 at 7:54 pm

    Thanks for the info :). I was also confused by seeing this on my referrers list.
