Something strange in access_log

[m1ne]

Hey all.

Just looking through access_log and I see something strange,

1.1.1.1 - - [13/Mar/2016:04:05:50 -0500] "GET /jscripts/anon.js HTTP/1.0" 301 468 "http://domain.com/" "Mozilla/5.0 (Linux; U; Android 5.0.1; en-US; SCH-R970 Build/LRX22C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/10.8.8.730 U3/0.8.0 Mobile Safari/534.30"

"domain.com" is not my domain. Any idea what this is?

Thanks.

 

[Mike]

Isn't that position in the log the referrer?

 

[m1ne]

I think so.
This would be domain.com requesting /jscripts/anon.js from me, or my site requesting /jscripts/anon.js from domain.com?

 

[TPerry]

have you forwarded any domains that may have been serving a different software to your current domain (like an old WordPress domain or similar)?
Typically your "domain.com" is the requesting site that was asking for that JS file.
It could also be someone that has redirected one of their domains to your IP/domain that had software that was used that file and a bot is looking for it.

 

[m1ne]

No, nothing like that.

 

[Mike]

Based on it being an HTTP 1.0 request (and without seeing the IP), it looks to me like it could be a bot, and thus possibly just something to ignore.

 

[m1ne]

The domain is a MyBB forum, which looks like an exact clone of my forum when it was MyBB.

 

[TPerry]

Have you checked to see if the domain is resolving to your server IP?
Did you have a co-admin by chance that grabbed the old forum DB/structure and then erected their own?
If you are not comfortable with checking, send me the domain and your current IP in a convo and I can check on it when I get a chance.

 

[m1ne]

It doesn't look like it is, no.
Here's the full entry,

141.101.99.78 - - [14/Mar/2016:18:20:45 -0500] "GET /jscripts/anon.js HTTP/1.0" 301 468 "http://beastfeeds.net/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"

I see this now actually in the source of beastfeeds.net

<script type="text/javascript" src="http://wweforums.net/jscripts/anon.js"></script>

that explains it, they've ripped the old theme and didn't notice that I guess.

 

[TPerry]

That's kind of what I was thinking.. you wanna really mess with them.. create a new .js that pulls a popup on their site that tells everyone that they are style thieves.
What they are basically doing is stealing bandwidth from you.

 

[m1ne]

I was thinking what evil deeds I could do.
The site is completely dead, but the admin still visits every now and then it seems.

 

[m1ne]

I'm actually gonna redirect their site to mine.