Someone is hacking me?

http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2416102462
http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=3355631138
http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2952978412
http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=3758293555

What do you think about these referrers? “block” is the keyword to me. I was confused when I saw these referrers in the access log. However, I read all the log entries related to the client IP of these referrers.

204.117.xxx.xxx - - [07/Dec/2007:00:14:50 -0700] "GET /blog/2007/06/30/team-hoyt-c-a-n/ HTTP/1.1" 200 0 "http://www.google.com/search?q=richard+and+dick+hoyt&hl=en&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:51 -0700] "GET /blog/2007/06/30/team-hoyt-c-a-n/ HTTP/1.1" 200 7774 "http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2416102462" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /blog/wp-content/themes/livibetter/style.css?r=16 HTTP/1.1" 200 6376 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /style.css?r=7 HTTP/1.1" 200 3760 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /blog/wp-content/plugins/CiteThis/CiteThis.css HTTP/1.1" 200 475 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
204.117.xxx.xxx - - [07/Dec/2007:00:14:52 -0700] "GET /blog/wp-includes/js/jquery/jquery.js?ver=1.1.4 HTTP/1.1" 200 22702 "http://www.livibetter.com/blog/2007/06/30/team-hoyt-c-a-n/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
[snip]

That looks totally normal. I googled and found some pages saying that someone is hacking your web server or that the Navy is doing something to your server. That’s really funny. One says port 15871 has a security issue. Please! That’s the referrer’s port, not the port being accessed on your server. Words from those who know nothing are pretty dangerous. If someone tries to hack your server, would he be so dumb as to leave traces?

These referrers were generated by Websense, software that can block clients from accessing some pages via its proxy. And my website isn’t blocked by it, because the client GETs the files successfully.
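The same reading of the log can be automated. The following is an added example, not code from the original post: it flags referrers whose host is a private IP address and whose URL matches the block-page pattern seen above, then counts the successful responses each client received. The function names and the sample log lines (documentation-range client addresses, shortened user agent) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referrer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "[^"]*"$'
)

def classify_referrer(referrer):
    """Label a referrer: 'filter-block-page', 'private-host', or 'other'."""
    parts = urlsplit(referrer)
    try:
        private = ipaddress.ip_address(parts.hostname or "").is_private
    except ValueError:
        private = False  # a DNS name or an empty referrer, not an IP literal
    if private and parts.path.endswith("/blockOptions.cgi") and "ws-session=" in parts.query:
        return "filter-block-page"
    return "private-host" if private else "other"

def summarize(lines):
    """Per client IP: count of block-page referrers and of 2xx responses."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        entry = report.setdefault(m["ip"], {"block_page_referrers": 0, "ok_responses": 0})
        if classify_referrer(m["referrer"]) == "filter-block-page":
            entry["block_page_referrers"] += 1
        if m["status"].startswith("2"):
            entry["ok_responses"] += 1
    return report

# Constructed sample lines modelled on the log excerpt above.
SAMPLE = [
    '203.0.113.7 - - [07/Dec/2007:00:14:50 -0700] "GET /blog/post/ HTTP/1.1" 200 0 "http://www.google.com/search?q=example" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Dec/2007:00:14:51 -0700] "GET /blog/post/ HTTP/1.1" 200 7774 "http://10.120.1.20:15871/cgi-bin/blockOptions.cgi?ws-session=2416102462" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Dec/2007:00:14:52 -0700] "GET /style.css?r=7 HTTP/1.1" 200 3760 "http://www.example.com/blog/post/" "Mozilla/4.0"',
    '198.51.100.9 - - [07/Dec/2007:00:20:00 -0700] "GET /blog/ HTTP/1.1" 200 5120 "http://192.168.1.1/index.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, counts)
```

A client with block-page referrers and 2xx responses is a visitor behind a filtering proxy, and the private address in the referrer belongs to that visitor's network, not to the server being visited.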

One Comment

  1. Posted June 8, 2009 at 7:54 pm | Permalink

    Thanks for the info :). I was also confused by seeing this on my referrers list.