On 24.2.2012 10:17, Jussi Hirvi wrote: > On 24.2.2012 10.27, John R Pierce wrote: >> On 02/24/12 12:10 AM, Jussi Hirvi wrote: >>> ...when the DNS shows that the domain financeande.com is hosted >>> elsewhere? What kind of query can they have used? >> >> a forged one with a bogus vhost. > > I get almost similar entry, if I hit this on the browser: > > http://www.my_real_domain.com/http://bogus.com > > It shows like this in the log: > > > (...) - - [24/Feb/2012:11:12:27 +0200] "GET /http://bogus.com > HTTP/1.1" 404 292 "-" (...) > > Only here it starts with a slash (/http...), but in the original log > entry there was no slash. I'm still curious to know how this log entry > was born: > > > "GET http://financeande.com/feed/feed.php HTTP/1.1" 404 291 (...) > > - Jussi It was a check for proxy. you can try something like this: $ telnet www.my_real_domain.com 80 Trying ... Connected to www.my_real_domain.com. Escape character is '^]'. GET http://financeande.com/feed/feed.php HTTP/1.1 host: www.my_real_domain.com [double enter] -- Kind Regards, Markus Falb -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 307 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20120224/d6b033c3/attachment-0005.sig>