Curious log files

Tracy Perry

Well-known member
Before I go digging WAY into Google I figured some folks here would be up to date on what this may be (looks almost like trying a buffer overflow?).
Found TONS of these in my nginx access log file - all from the same IP (Hetzner Online AG).

Code:
78.46.33.198 - - [14/Aug/2013:14:27:33 -0500] "GET /misc/style?redirect=%2Fmisc%2Fstyle%3Fredirect%3D%252Fmisc%252Fstyle%253Fredirect%253D%25252Fmisc%25252Fstyle%25253Fredirect%25253D%2525252Fmisc%2525252Fstyle%2525253Fredirect%2525253D%252525252Fmisc%252525252Fstyle%252525253Fredirect%252525253D%25252525252Fmisc%25252525252Fstyle%25252525253Fredirect%25252525253D%2525252525252Fmisc%2525252525252Fstyle%2525252525253Fredirect%2525252525253D%252525252525252Fmisc%252525252525252Fstyle%252525252525253Fredirect%252525252525253D%25252525252525252Fmisc%25252525252525252Fstyle%25252525252525253Fredirect%25252525252525253D%2525252525252525252Fmisc%2525252525252525252Fstyle%2525252525252525253Fredirect%2525252525252525253D%252525252525252525252Fmisc%252525252525252525252Fstyle%252525252525252525253Fredirect%252525252525252525253D%25252525252525252525252Fforums%25252525252525252525252Fother-dyna-models.223%25252525252525252525252F%25252525252525252525253Forder%25252525252525252525253Dview_count&style_id=12 HTTP/1.0" 400 650 
"http://twowheeldemon.com/misc/style?redirect=%2Fmisc%2Fstyle%3Fredirect%3D%252Fmisc%252Fstyle%253Fredirect%253D%25252Fmisc%25252Fstyle%25253Fredirect%25253D%2525252Fmisc%2525252Fstyle%2525253Fredirect%2525253D%252525252Fmisc%252525252Fstyle%252525253Fredirect%252525253D%25252525252Fmisc%25252525252Fstyle%25252525253Fredirect%25252525253D%2525252525252Fmisc%2525252525252Fstyle%2525252525253Fredirect%2525252525253D%252525252525252Fmisc%252525252525252Fstyle%252525252525253Fredirect%252525252525253D%25252525252525252Fmisc%25252525252525252Fstyle%25252525252525253Fredirect%25252525252525253D%2525252525252525252Fmisc%2525252525252525252Fstyle%2525252525252525253Fredirect%2525252525252525253D%252525252525252525252Fmisc%252525252525252525252Fstyle%252525252525252525253Fredirect%252525252525252525253D%25252525252525252525252Fforums%25252525252525252525252Fother-dyna-models.223%25252525252525252525252F%25252525252525252525253Forder%25252525252525252525253Dview_count" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36"
 

Jeremy

Well-known member
It's recursively setting a redirect back to itself. I'm not sure how it's receiving that redirect, though.
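
The self-referencing redirect described above can be measured by peeling off one percent-encoding layer at a time. This is an added example, not part of the original thread; the function names, the threshold, and the sample log lines (built with documentation IP addresses) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

MAX_LAYERS = 50  # hard stop so a hostile value cannot keep us decoding forever
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def redirect_chain(request_uri, param="redirect"):
    """Follow nested `param` values and return every path visited, outermost first."""
    chain, uri = [], request_uri
    for _ in range(MAX_LAYERS):
        parts = urlsplit(uri)
        chain.append(parts.path)
        values = parse_qs(parts.query).get(param)  # decodes exactly one layer
        if not values:
            break
        uri = values[0]
    return chain

def self_redirect_depth(request_uri, param="redirect"):
    """Count how many nested redirect targets are the request's own path."""
    chain = redirect_chain(request_uri, param)
    inner = chain[1:]
    return next((i for i, p in enumerate(inner) if p != chain[0]), len(inner))

def scan(lines, threshold=3):
    """Map client IP -> deepest self-redirect seen, for lines at or above threshold."""
    hits = {}
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (d := self_redirect_depth(m.group(2))) >= threshold:
            hits[m.group(1)] = max(d, hits.get(m.group(1), 0))
    return hits

def build_sample(levels):
    """Constructed request URI shaped like the logged one (not copied from the log)."""
    uri = "/forums/example.1/?order=view_count"
    for _ in range(levels):
        uri = "/misc/style?redirect=" + quote(uri, safe="")
    return uri + "&style_id=12"

# Constructed log lines; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = [
    f'203.0.113.7 - - [14/Aug/2013:14:27:33 -0500] "GET {build_sample(12)} HTTP/1.0" 400 650 "-" "-"',
    f'203.0.113.9 - - [14/Aug/2013:14:28:01 -0500] "GET {build_sample(1)} HTTP/1.1" 303 0 "-" "-"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A single level of `redirect` is normal for a style-switch link; only requests whose redirect target keeps naming the same path are reported.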
 

Tracy Perry

Well-known member
I have no entries like that in my logs.
And neither do my two other forums running on another server with the same setup. That's why I was curious. Beginning to think it's some kinda screwy bot of some type. Not that worried about it really, as all it does is add some extra bytes to the log file.
Found this when Googling the IP: https://www.projecthoneypot.org/ip_78.46.33.198
So it looks more and more like some kinda screwed up BOT.
 