This entry got logged in an Apache access log:

IP ADDRESS - - [00/00/0000:00:00:00 -0000] " " 301 - "-" "-"

It was detected by LogWatch as a null HTTP Response and also got marked as a successful probe.

I am curious about how this request was made and how it is considered a successful probe. Here is what I can decipher with specific questions:

  1. Their request was " " - what does this mean?
  2. HTTP return code was 301: this website has a redirect defined in the Apache config - perhaps they were hitting the URL which triggers this redirect?
  3. They were not using a proper HTTP request
  4. They got "-" size return back - what does this mean?
elle

1 Answer

It was an empty request.

  1. %r is actually the first line of their request, which means they sent an empty request. In other words, no headers, no body, nothing. It was likely a socket connection to port 80.
  2. The 301 was likely not to the website--remember, they have nothing defined in their request, including the desired file on your web site.
  3. Exactly.
  4. - means that no data was returned to the client, not to be confused with a size of zero.

In other words, this was probably somebody opening and closing a connection against port 80, without sending or receiving any data.

Andrew M.
  • I would like to try and reproduce this error - is this entry. Any suggestions/ideas on how it can be done? Perhaps telnet? HTTP 301 throws me off - how and where is this being set?? – elle May 04 '12 at 18:31
  • You could probably do this by sending the same data the user sent--that is, ` ` (space, by the looks of it). Although when doing this, you SHOULD receive a `501` error, not a `301`--although your server may be configured differently. You can do this by doing something like: `echo " " | nc whatever 80`. – Andrew M. May 04 '12 at 18:47
  • One caveat here is that you can't forbid `nc` (or even `ncat`) from reading the response, so you WILL get a size for the returned value. You can likely write your own script that forcibly closes the connection after sending, but you'll need to do some footwork yourself. – Andrew M. May 04 '12 at 19:05
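
A way to pick entries like the one in the question out of an access log, as an added example that is not part of the original posts. It assumes Apache's combined log format; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Assumed format: combined log
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field, tolerating escaped quotes
COMBINED = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED +
    r' (\d{3}) (\d+|-) ' + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("host", "ident", "user", "time", "request",
          "status", "size", "referer", "agent")

def parse(line):
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def is_null_request(entry):
    """True when %r carries no method, URI or protocol (blank or a lone '-')."""
    return entry["request"].strip() in ("", "-")

def summarize(lines):
    """Count null requests per (client, status) so repeat sources stand out."""
    hits = Counter()
    for line in lines:
        entry = parse(line)
        if entry and is_null_request(entry):
            hits[(entry["host"], entry["status"])] += 1
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [04/May/2012:18:02:11 +0000] " " 301 - "-" "-"',
    '192.0.2.10 - - [04/May/2012:18:02:15 +0000] "-" 408 - "-" "-"',
    '198.51.100.7 - - [04/May/2012:18:03:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, status), count in sorted(summarize(SAMPLE).items()):
        print(f"{host} status={status} null_requests={count}")
```
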