Empty/Null Apache request entries in access log
It was an empty request.
- `%r` is actually the first line of their request, which means they sent an empty request. In other words, no headers, no body, nothing. It was likely a socket connection to port 80.
- The 301 was likely not to the website--remember, they have nothing defined in their request, including the desired file on your web site.
- Exactly.
- `-` means that no data was returned to the client, not to be confused with a size of zero.
In other words, this was probably somebody opening and closing a connection against port 80, without sending or receiving any data.
Author by elle
Updated on September 18, 2022
Comments
- elle over 1 year
This entry got logged in an Apache access log:
IP ADDRESS - - [00/00/0000:00:00:00 -0000] " " 301 - "-" "-"
It was detected by LogWatch as a null HTTP Response and also got marked as a successful probe.
I am curious about how this request was made and how it is considered a successful probe. Here is what I can decipher with specific questions:
- Their request was " " - what does this mean?
- HTTP return code was 301: this website has a redirect defined in the Apache config - perhaps they were hitting the URL which triggers this redirect?
- They were not using a proper HTTP request
- They got "-" size return back - what does this mean?
- elle about 12 years
I would like to try and reproduce this error - is this entry. Any suggestions/ideas on how it can be done? Perhaps telnet? HTTP 301 throws me off - how and where is this being set??
- Andrew M. about 12 years
You could probably do this by sending the same data the user sent--that is, ` ` (space, by the looks of it). Although when doing this, you SHOULD receive a `501` error, not a `301`--although your server may be configured differently. You can do this by doing something like: `echo " " | nc whatever 80`.
- Andrew M. about 12 years
One caveat here is that you can't forbid `nc` (or even `ncat`) from reading the response, so you WILL get a size for the returned value. You can likely write your own script that forcibly closes the connection after sending, but you'll need to do some footwork yourself.