
Hilarious: Log analysis

Posted: Mon Dec 07, 2015 7:52 pm
by Zancarius
I mentioned in a previous post that we don't store access logs. That's not entirely true. During the transition to Linux containers, I had the access log enabled to determine what problems may have cropped up and to get a feel for the state of the server configuration. We've also been considering enabling TLS support (via Let's Encrypt) which will probably be coming sometime in the future and we may utilize a few methods (including the access log) to determine what browsers commonly access the goon sites.

Brief aside: The reason this is important is because older user agents (that is, browsers) don't support SNI, and the goon sites are currently on a shared IP address. Once we move them back to Josh's box, that much won't change: All goon sites will be sharing an IP address with Josh's other sites. SNI allows you to do this, but when SSL was originally devised, no one really considered multiple host names as a possibility on a single IP address. (SNI actually accomplishes this in certificates by abusing the subjectAltName.) The good news is that nearly all modern browsers support this feature. The bad news is that there are some fairly recent browsers (Android 2.x) that do not support SNI, and Windows XP's SSL/TLS library doesn't either--nor will it ever. Thus, any version of MSIE running on XP will never be capable of using SNI. Go figure.

So... enough of that.

I was digging around for some older browsers hitting us in the logs and stumbled on this entry:

105.158.[redacted] - - [01/Dec/2015:11:34:00 -0700] "GET /general-chat/hot-elephant-porn-t1100.html HTTP/1.1" 200 6858 "-" "Mozilla/5.0 (Linux; U; Android 2.2.1; fr-fr; GT-I9000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

Which leads to this post.

The IP address resolves to a registrar in Madagascar.

Consider this for a moment: Someone, probably a lonely someone, somewhere (likely in Madagascar) opened their Android 2.2 device late one December evening, went to a search engine, and typed in "hot elephant porn."

Then they came here.

I can't help but wonder if they were disappointed.

There are a few things we can tell about the request. First, it's an older Android device. Second, it's localized to French. There's no referrer, so it's either not configured to send the referrer header (likely) or the link was bookmarked (doubtful, although that possibility is worrisome). The referrer wouldn't matter anyway: Most search engines sanitize the header through a series of redirects, so it's impossible to tell which search keywords led to which pages (ask me how I know).

Also, judging by the remaining requests in the logs, he waited 2 or more painful seconds for the most disappointing picture of his life to finish loading.

He never returned again that night.
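The post does two things by hand: it reads fields out of a combined-format access log entry (client address, request, status, size, referrer, user agent) and it reasons about which user agents will break once the sites move to SNI-only TLS on a shared IP. The script below is an added example, not code from the post or from the goon sites' setup. It parses combined-format lines with a regex, pulls the Android version and locale out of the user agent, flags the two client classes the post names as SNI-incapable (the Android 2.x stock browser and MSIE on Windows XP), and tallies how many requests arrive without a referrer. The log lines are constructed for the example; the first one is the post's entry with the redacted address replaced by a documentation IP. Treat the SNI rule as a starting list, not a complete one: other old clients lack SNI too, and a real survey should also record TLS ClientHello data once TLS is on.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format, which the post's entry follows.
# Assumption: host, ident, authuser, [time], "request", status, bytes, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ANDROID_RE = re.compile(r'Android (\d+)(?:\.(\d+))?')
# Locale token inside the UA's parenthesised platform list, e.g. "; fr-fr;"
LOCALE_RE = re.compile(r';\s*([a-z]{2}-[a-zA-Z]{2})\s*;')
# Windows XP reports NT 5.1; XP x64 and Server 2003 report NT 5.2.
XP_RE = re.compile(r'Windows NT 5\.[12]')


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    d["referer"] = None if d["referer"] in ("", "-") else d["referer"]
    return d


def android_version(ua):
    """(major, minor) from an Android UA, or None; missing minor defaults to 0."""
    m = ANDROID_RE.search(ua)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def ua_locale(ua):
    """Locale tag embedded in the UA (old Android browsers include one), or None."""
    m = LOCALE_RE.search(ua)
    return m.group(1) if m else None


def lacks_sni(ua):
    """True for the two client classes the post names as SNI-incapable.

    Android stock browser before 3.0, and MSIE on Windows XP (which uses the
    OS TLS stack). Firefox/Chrome on XP ship their own TLS and are not flagged.
    This is a deliberately short list, not an exhaustive SNI-support table.
    """
    ver = android_version(ua)
    if ver is not None and ver[0] < 3:
        return True
    if "MSIE" in ua and XP_RE.search(ua):
        return True
    return False


def summarize(lines):
    """Counts worth knowing before turning on SNI-only TLS for a shared IP."""
    stats = {"total": 0, "parsed": 0, "no_sni": 0, "no_referer": 0,
             "locales": Counter(), "no_sni_uas": Counter()}
    for line in lines:
        stats["total"] += 1
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: counted in total, not in parsed
        stats["parsed"] += 1
        if rec["referer"] is None:
            stats["no_referer"] += 1
        loc = ua_locale(rec["ua"])
        if loc:
            stats["locales"][loc] += 1
        if lacks_sni(rec["ua"]):
            stats["no_sni"] += 1
            stats["no_sni_uas"][rec["ua"]] += 1
    return stats


# Constructed sample log. Line 1 is the post's entry with a documentation IP.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2015:11:34:00 -0700] "GET /general-chat/hot-elephant-porn-t1100.html HTTP/1.1" 200 6858 "-" "Mozilla/5.0 (Linux; U; Android 2.2.1; fr-fr; GT-I9000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"',
    '192.0.2.11 - - [01/Dec/2015:12:00:01 -0700] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '192.0.2.12 - - [01/Dec/2015:12:05:30 -0700] "GET /index.php HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"',
    '192.0.2.13 - - [01/Dec/2015:12:10:00 -0700] "GET /index.php HTTP/1.1" 304 - "-" "Mozilla/5.0 (Linux; Android 5.1; Nexus 5 Build/LMY48B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36"',
    'not a log line',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['parsed']}/{s['total']} lines parsed; {s['no_sni']} from SNI-incapable clients; "
          f"{s['no_referer']} without a referrer; locales: {dict(s['locales'])}")
    for ua, n in s["no_sni_uas"].most_common():
        print(f"  {n:4d}  {ua}")
```

Run against a real access log by feeding the file's lines to summarize(); the no_sni_uas counter is the list to look at when deciding whether the XP and Android 2.x population is small enough to cut off.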