Status code

on 29.07.2007 07:05:59 by Fulla Baloney

From my access log....
cpe-24-59-251-3.twcny.res.rr.com - - [28/Jul/2007:20:29:08 -0400] "GET / HTTP/1.0" 200 4969
What does the second number (4969) represent?
I am getting hammered by what I *think* are spambots so I've been
keeping an eye on my access log; something I've never really done
before.
I also see 866 and 97 a lot.
I have svservers.com and keymachine.de blocked in .htaccess but of
course that doesn't keep them from showing up in the log.
For instance, most of the keymachine entries now are...
ns.km23544.keymachine.de - - [28/Jul/2007:21:12:43 -0400] "GET / HTTP/1.0" 403 277
I understand the 403, but not the 277
This evening I'm seeing...
ns.km22226-04.keymachine.de - - [28/Jul/2007:21:58:54 -0400] "GET / HTTP/1.0" 200 4969
The 200 tells me they're getting through again. I think... :-)

I started running Apache 1.3.12 under Windows 98 almost 5 years
ago. I switched to XP a couple of years later. I've had practically no
problems whatsoever. Which leaves me pretty much a newbie since I never
had to learn anything except how to get it going.

I'm still not having *problems*, per se, but over the past few weeks my
accesses have more than doubled, and most of it seems to be coming
from garbage origins.

I'm just trying to learn how to understand my log a little better.

Thanks.

--
©I don't have a solution but I admire the problem.

Re: Status code

on 29.07.2007 09:44:30 by Fulla Baloney

Fulla Baloney wrote in
news:Xns997C1041EEBEonceuponatime@wefb973cbe498:

> From my access log....
> cpe-24-59-251-3.twcny.res.rr.com - - [28/Jul/2007:20:29:08 -0400] "GET / HTTP/1.0" 200 4969
> What does the second number (4969) represent?
> I am getting hammered by what I *think* are spambots so I've been
> keeping an eye on my access log; something I've never really done
> before.
> I also see 866 and 97 a lot.
> I have svservers.com and keymachine.de blocked in .htaccess but of
> course that doesn't keep them from showing up in the log.
> For instance, most of the keymachine entries now are...
> ns.km23544.keymachine.de - - [28/Jul/2007:21:12:43 -0400] "GET / HTTP/1.0" 403 277
> I understand the 403, but not the 277
> This evening I'm seeing...
> ns.km22226-04.keymachine.de - - [28/Jul/2007:21:58:54 -0400] "GET / HTTP/1.0" 200 4969
> The 200 tells me they're getting through again. I think... :-)
>
> I started running Apache 1.3.12 under Windows 98 almost 5
> years ago. I switched to XP a couple of years later. I've had
> practically no problems whatsoever. Which leaves me pretty much a
> newbie since I never had to learn anything except how to get it going.
>
> I'm still not having *problems*, per se, but over the past few weeks
> my accesses have more than doubled, and most of it seems to be coming
> from garbage origins.
>
> I'm just trying to learn how to understand my log a little better.

OK. I found the documentation for that last field. Bytes transferred.
I still can't figure out how the blocked servers sneaked through but it
isn't a major concern.



--
©I don't have a solution but I admire the problem.

Re: Status code

on 01.08.2007 13:52:07 by shimmyshack

On Jul 29, 8:44 am, Fulla Baloney wrote:
> Fulla Baloney wrote in news:Xns997C1041EEBEonceuponatime@wefb973cbe498:
>
> > From my access log....
> > cpe-24-59-251-3.twcny.res.rr.com - - [28/Jul/2007:20:29:08 -0400] "GET / HTTP/1.0" 200 4969
> > What does the second number (4969) represent?
> > I am getting hammered by what I *think* are spambots so I've been
> > keeping an eye on my access log; something I've never really done
> > before.
> > I also see 866 and 97 a lot.
> > I have svservers.com and keymachine.de blocked in .htaccess but of
> > course that doesn't keep them from showing up in the log.
> > For instance, most of the keymachine entries now are...
> > ns.km23544.keymachine.de - - [28/Jul/2007:21:12:43 -0400] "GET / HTTP/1.0" 403 277
> > I understand the 403, but not the 277
> > This evening I'm seeing...
> > ns.km22226-04.keymachine.de - - [28/Jul/2007:21:58:54 -0400] "GET / HTTP/1.0" 200 4969
> > The 200 tells me they're getting through again. I think... :-)
>
> > I started running Apache 1.3.12 under Windows 98 almost 5
> > years ago. I switched to XP a couple of years later. I've had
> > practically no problems whatsoever. Which leaves me pretty much a
> > newbie since I never had to learn anything except how to get it going.
>
> > I'm still not having *problems*, per se, but over the past few weeks
> > my accesses have more than doubled, and most of it seems to be coming
> > from garbage origins.
>
> > I'm just trying to learn how to understand my log a little better.
>
> OK. I found the documentation for that last field. Bytes transferred.
> I still can't figure out how the blocked servers sneaked through but it
> isn't a major concern.
>
> --
> ©I don't have a solution but I admire the problem.

You might find blocking by IP range an easier solution, and when your
server sends a 403 it has to send a small amount of HTML ("Not
Allowed...."); this is where the 277 is coming from in the bytes
transferred column.
You could also head over to apachelounge.de and grab mod_security2 and
some rules from the cool rules project; with that lot you can deny by
type of request, such as HTTP/1.0 (you can do this using rewrites and
in other ways as well, but mod_sec is a great place to stick this kind
of rule). You will then pretty much stop all this stuff. HTTP/1.0 is
only used by legacy user agents which don't send a
host: example.com
header, so you can safely discard those requests unless you have some
kind of automated program which you use to make requests to your
server for backup or something like that.
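
As an added example (not part of any post in this thread): a small Python parser for the Common Log Format lines quoted above that splits out the status and bytes-transferred fields and flags requests from the .htaccess-blocked domains that were answered with something other than 403. The fourth sample line and the names `parse_line`, `is_blocked` and `audit` are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Three lines quoted in the thread plus one constructed line (304, "-" bytes).
SAMPLE_LOG = """\
cpe-24-59-251-3.twcny.res.rr.com - - [28/Jul/2007:20:29:08 -0400] "GET / HTTP/1.0" 200 4969
ns.km23544.keymachine.de - - [28/Jul/2007:21:12:43 -0400] "GET / HTTP/1.0" 403 277
ns.km22226-04.keymachine.de - - [28/Jul/2007:21:58:54 -0400] "GET / HTTP/1.0" 200 4969
host.example.net - - [28/Jul/2007:22:01:10 -0400] "GET / HTTP/1.1" 304 -
"""

# Domains the original poster says are denied in .htaccess.
BLOCKED_DOMAINS = ("svservers.com", "keymachine.de")


def parse_line(line):
    """Return host/time/request/status/bytes, or None if not CLF. "-" bytes -> 0."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_blocked(host):
    """True if host equals, or is a subdomain of, a blocked domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def audit(log_text):
    """Count status codes and list blocked hosts served anything but 403."""
    statuses, leaks = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        statuses[rec["status"]] += 1
        if is_blocked(rec["host"]) and rec["status"] != 403:
            leaks.append((rec["host"], rec["time"], rec["status"], rec["bytes"]))
    return statuses, leaks
```

The host field holds a name only when Apache performed a reverse DNS lookup for the request; otherwise it is an IP address and the domain-suffix match will not apply.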