I have found some pretty strange things in my server logs lately.  Below, I'll describe a series of requests that looked like something/someone was probing and looking for vulnerabilities on my site.  Not that there's anything here worth stealing.  More likely, they were looking for a machine they could hijack for whatever nefarious purpose.  I'm posting this in case someone knows what these folks are up to and how webmasters can guard against whatever it is.

First, a little background.  I have been paying closer attention to my web server logs the last couple of months. After re-building the back-end of DavesWeb.com (and removing some older content in the process), I was particularly curious if there were still requests for some of these older items. If people were still interested, I'd want to make sure that document is still online at the same Url. Currently, have have some 75 old Urls mapped to their new location so surfers can follow old links and still find what they're looking for.

But if you request an Url that is broken on this site, and it's not on my list of relocated content, your request is logged and once in a few days I'll look to see if I can restore what you're looking for.  In these logs I found several very freaky things.

I found pages where not only does the requested page not exist, but the page that supposedly referred or linked them to the requested page is a page on DavesWeb.com that no longer exists.  When it was online, the voting ballot was on vote.asp, and the form was posted to vote.asp (the same page which served up the voting form if it was a GET request and processed that vote if it was a POST request).  Here is the first entry: 

REQUESTED: /vote/submit.asp, REFERER: http://www.davesweb.com/Vote/Submit.asp, REMOTE_HOST: 117.241.202.208, HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20020923 Phoenix/0.1

The web site visitor was requesting the file /vote/submit.asp, which no longer exists.  But the REFERER IS THE SAME PAGE (and hasn't existed, either for several years!)  How can a page that no longer exists be a hyperlink to anything?   

It seems like the only this could happen is if the web surver is using software that is faking info about itself and its request.  Someone is up to no good!

So I looked further into the logs and was even more surprised to find three more requests all within a few seconds of each other and also referred by this non-existent page!  And get this:  each request appears to have come from not only different computers, but different computers in vastly different corners of the world!  (Or possibly these requests were made to LOOK like they came from different parts of the world.)