In the httpd access_log for a particular WordPress site, I noticed this:
92.63.87.10 - - [27/Jan/2015:16:06:19 +0000] "GET / HTTP/1.1" 301 279 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php"
"Mozilla/5.0 (Macintosh;Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"
92.63.87.10 - - [27/Jan/2015:16:06:28 +0000] "GET / HTTP/1.1" 200 64025 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"
What's confusing me is that the domain shown in the log entry is not hosted on the server in question.
And what seems to be happening is a 301 redirect followed by a 200 OK with a significant amount of data.
I seem to recall that when there's a GET with a different domain in a log, it is usually an attempt at using the server as a proxy, which invariably fails on a Plesk box, if I recall correctly.
But given that a chunk of data seemed to be transferred, something different seems to be happening here and I'm afraid I can't work it out.
Can someone shed some light please?
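
An added example, not part of the original post: assuming the server writes Apache's combined LogFormat, parsing the two entries above shows that the request line is `GET /` and the foreign URL sits in the Referer field, which the client sets freely. `LOCAL_HOSTS` is a hypothetical placeholder for the sites the server actually hosts, and the finding labels are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" LogFormat (assumed here):
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
)

REF = ("http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/"
       "download.php?file=../../../../../wp-config.php")
UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 "
      "(KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1")
# The two entries from the post, wrapped User-Agent rejoined, spacing normalised.
SAMPLE = [
    f'92.63.87.10 - - [27/Jan/2015:16:06:19 +0000] "GET / HTTP/1.1" 301 279 "{REF}" "{UA}"',
    f'92.63.87.10 - - [27/Jan/2015:16:06:28 +0000] "GET / HTTP/1.1" 200 64025 "{REF}" "{UA}"',
]
# Hypothetical placeholder: names of the sites this server really hosts.
LOCAL_HOSTS = {"example.org", "www.example.org"}

def parse(line):
    """Split one combined-format line into named fields, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def classify(entry, local_hosts=LOCAL_HOSTS):
    """Label where a foreign URL appears: in the request line or only in the Referer."""
    findings = []
    parts = entry["request"].split()
    target = parts[1] if len(parts) > 1 else ""
    # A proxy attempt carries an absolute URI in the request line itself.
    if target.lower().startswith(("http://", "https://")):
        findings.append("absolute-uri-request")
    ref = urlsplit(entry["referer"])
    if ref.hostname and ref.hostname not in local_hosts:
        findings.append("foreign-referer")
    # parse_qs percent-decodes values, so encoded "../" sequences are caught too.
    if any("../" in v for vals in parse_qs(ref.query).values() for v in vals):
        findings.append("traversal-in-referer")
    return findings

if __name__ == "__main__":
    for line in SAMPLE:
        e = parse(line)
        print(e["status"], e["size"], repr(e["request"]), classify(e))
```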