Weird Apache Access Logs
Solution 1:
A search on Google for the filename reveals a few copies of your logfile and just one other hit, which appears to be an upload log from some service. You should be able to tell if that log is related to your site; I am not.
None of those five IP addresses show up in that upload log, so that doesn't tell us much. The filenames in the upload log look legit to me. Whether the content of those files matches their names is impossible to say without knowing the contents.
What might originally have been in a file named updatedll.jpg? I am guessing somebody took a screenshot of how to update some DLL and uploaded it to a service in order to share it with others. The sharing probably did not happen on a public web forum, because then I would have found more hits for it.
Why does somebody think the file resides on your host? I don't know. I find it useful to include "%{Host}i" in the Apache LogFormat.
As for the status code, you can first try to access the filename yourself to see how that looks in the logfile. If you get a different status code, something must be different between your own request for the file and theirs.
If you cannot figure out how to reproduce the exact same status code, then try to produce a packet dump of their traffic. You could use something like tcpdump -pni eth0 -s0 -Uw output.pcap 'host 201.4.132.43 || host 187.40.241.48 || host 186.56.134.132 || host 71.223.252.14 || host 85.245.229.167'
Later you can inspect the output using Wireshark to see exactly what the requests look like. Remember to use an updated version of Wireshark in case somebody is actually trying to exploit a vulnerability in Wireshark. Once you have seen the exact request, you should be able to reproduce the reply through a telnet command.
Solution 2:
Are you redirecting based on domain name? E.g. from example.com to www.example.com? That might explain the 301 response.
If your server is responding with a 301, it's likely this isn't doing much harm. However some page somewhere probably has a broken image link on it. To track that down you should look at the Referer header in the incoming requests. You could log Referers from your web server, but it's probably easier to look at the traffic directly.
Rather than tcpdump (which kasperd suggested), I'd use ngrep:
ngrep 'GET /updatedll.jpg' port 80
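Both answers come down to the same two questions: under which Host header and with which status code did each of those IPs fetch updatedll.jpg, and which Referer sent them. The following is an added example, written for this page and not code from either answer. It assumes a LogFormat that is Apache's standard "combined" format with the "%{Host}i" field from Solution 1 appended (the format name combined_host is hypothetical), parses constructed sample log lines in that format (the IPs are the ones from the tcpdump filter above; the timestamps, referers, hosts and user agents are made up), groups the hits by Host header, status and Referer, and rebuilds the raw request so you can replay it with telnet or nc against your own server and compare the status code, as Solution 1 suggests.

```python
import re
from collections import Counter

# Regex for the assumed log format (the name "combined_host" is hypothetical):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\"" combined_host
# The trailing Host field is optional in the regex so plain "combined" lines still parse.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<host>[^"]*)")?$'
)

# Constructed sample lines, not taken from the asker's log. Only the IPs come from
# the question (the tcpdump filter); everything else is invented for the example.
SAMPLE_LOG = """\
201.4.132.43 - - [10/Oct/2012:13:55:36 +0000] "GET /updatedll.jpg HTTP/1.1" 301 231 "http://forum.example.net/thread/42" "Mozilla/5.0" "example.com"
187.40.241.48 - - [10/Oct/2012:13:56:01 +0000] "GET /updatedll.jpg HTTP/1.1" 301 231 "http://forum.example.net/thread/42" "Mozilla/5.0" "example.com"
71.223.252.14 - - [10/Oct/2012:13:57:12 +0000] "GET /updatedll.jpg HTTP/1.1" 404 209 "-" "curl/7.26.0" "www.example.com"
10.0.0.5 - - [10/Oct/2012:13:58:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "www.example.com"
85.245.229.167 - - [10/Oct/2012:13:59:40 +0000] "GET /updatedll.jpg HTTP/1.0" 301 231 "http://forum.example.net/thread/42" "Mozilla/4.0" "example.com"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def requests_for(log_text, path):
    """Return the parsed records whose request path equals `path`, skipping unparseable lines."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == path:
            out.append(rec)
    return out


def summarize(records):
    """Group hits by (Host header, status) and by Referer, and list the distinct client IPs.

    A 301 only under the bare domain (Solution 2's redirect theory) or one Referer
    shared by every hit (a broken image link somewhere) shows up directly here."""
    by_host_status = Counter((r["host"] or "-", r["status"]) for r in records)
    by_referer = Counter(r["referer"] for r in records)
    ips = sorted({r["ip"] for r in records})
    return {"by_host_status": dict(by_host_status), "by_referer": dict(by_referer), "ips": ips}


def raw_request(rec):
    """Rebuild the request line and the logged headers as text you can paste into
    telnet or nc against your own server to see whether you get the same status code."""
    proto = rec["proto"] or "HTTP/1.0"
    lines = ["%s %s %s" % (rec["method"], rec["path"], proto)]
    if rec["host"] and rec["host"] != "-":
        lines.append("Host: " + rec["host"])
    if rec["referer"] != "-":
        lines.append("Referer: " + rec["referer"])
    if rec["ua"] != "-":
        lines.append("User-Agent: " + rec["ua"])
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    recs = requests_for(SAMPLE_LOG, "/updatedll.jpg")
    summary = summarize(recs)
    for (host, status), n in sorted(summary["by_host_status"].items()):
        print("host=%-16s status=%s hits=%d" % (host, status, n))
    for ref, n in sorted(summary["by_referer"].items()):
        print("referer=%s hits=%d" % (ref, n))
    print("clients:", ", ".join(summary["ips"]))
    print("replay this with: printf '...' | nc yourhost 80")
    print(raw_request(recs[0]))
```

Point the script at your real log instead of SAMPLE_LOG and it will tell you at a glance whether all five clients hit the bare domain (a redirect, as Solution 2 suggests) and whether they share a Referer; the raw request output is the piece to replay, adding back any header the log does not record if the status still differs.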