I had a person send a "Contact Us" email saying he can't register. He gets an error saying "Cannot register user". I tried to register and everything worked fine. I looked up the persons IP in the "Raw Access Logs" from my control panel. The "Contact Us" email showed me his IP address. Here is what the Raw Access Logs show for his IP 66.81.191.126:
66.81.191.126 - - [25/Dec/2006:00:00:51 -0800] "OPTIONS /modules/weblog0/ HTTP/1.1" 200 19405 "-" "Microsoft Office Protocol Discovery"
66.81.191.126 - - [25/Dec/2006:00:00:53 -0800] "OPTIONS / HTTP/1.1" 200 14337 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
66.81.191.126 - - [25/Dec/2006:00:00:55 -0800] "OPTIONS /modules/weblog0/details.php?blog_id=69 HTTP/1.1" 200 14153 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
209.179.168.53 - - [25/Dec/2006:00:00:55 -0800] "GET /_vti_inf.html HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MS FrontPage 6.0)"
66.81.191.126 - - [25/Dec/2006:00:00:57 -0800] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 240 "-" "MSFrontPage/6.0"
66.81.191.126 - - [25/Dec/2006:00:00:58 -0800] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 175 "-" "MSFrontPage/6.0"
66.81.191.126 - - [25/Dec/2006:00:00:59 -0800] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 5 "-" "MSFrontPage/6.0"
66.81.191.126 -
?????@peoplepc.com [25/Dec/2006:00:01:56 -0800] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 5 "-" "MSFrontPage/6.0"
66.249.65.243 - - [25/Dec/2006:00:02:17 -0800] "GET /user.php?xoops_redirect=/modules/newbb/viewtopic.php?post_id=5475 HTTP/1.1" 200 3691 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.81.191.126 -
?????@peoplepc.com [25/Dec/2006:00:02:19 -0800] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 5 "-" "MSFrontPage/6.0"
209.179.168.53 - - [25/Dec/2006:00:02:20 -0800] "GET /modules/weblog0/details.php?blog_id=69 HTTP/1.1" 200 11664 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; PeoplePal 3.0)"
74.6.67.149 - - [25/Dec/2006:00:02:42 -0800] "GET /modules/newbb/report.php?forum=1&topic_id=398&viewmode=flat&order=ASC&post_id=2677 HTTP/1.0" 200 4229 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/help/us/ysearch/slurp)"
66.81.191.126 - - [25/Dec/2006:00:03:13 -0800] "OPTIONS / HTTP/1.1" 200 14337 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
66.81.191.126 - - [25/Dec/2006:00:03:15 -0800] "OPTIONS /modules/weblog0 HTTP/1.1" 301 264 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
66.81.191.126 - - [25/Dec/2006:00:03:20 -0800] "OPTIONS /modules/weblog0/ HTTP/1.1" 200 23355 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
66.81.191.126 - - [25/Dec/2006:00:03:21 -0800] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 163 "-" "MSFrontPage/6.0"
66.81.191.126 - - [25/Dec/2006:00:03:22 -0800] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 5 "-" "MSFrontPage/6.0"
66.81.191.126 -
?????@peoplepc.com [25/Dec/2006:00:03:22 -0800] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 5 "-" "MSFrontPage/6.0"
66.249.65.243 - - [25/Dec/2006:00:03:26 -0800] "GET /user.php?xoops_redirect=/modules/newbb/viewtopic.php?post_id=5396 HTTP/1.1" 200 3688 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
65.214.44.29 - - [25/Dec/2006:00:03:38 -0800] "GET /modules/newbb/rss.php?f=4 HTTP/1.1" 200 1779 "-" "Bloglines/3.1 (http://www.bloglines.com; 1 subscriber)"
65.214.44.29 - - [25/Dec/2006:00:03:38 -0800] "GET /modules/newbb/rss.php?f=15 HTTP/1.1" 200 5 "-" "Bloglines/3.1 (http://www.bloglines.com; 1 subscriber)"
65.214.44.29 - - [25/Dec/2006:00:03:38 -0800] "GET /modules/newbb/rss.php?f=3 HTTP/1.1" 200 1796 "-" "Bloglines/3.1 (http://www.bloglines.com; 1 subscriber)"
66.81.191.126 -
?????@peoplepc.com [25/Dec/2006:00:03:39 -0800] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 5 "-" "MSFrontPage/6.0"
66.81.191.126 -
?????@peoplepc.com [25/Dec/2006:00:03:48 -0800] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 5 "-" "MSFrontPage/6.0"
This looks very strange. I don't see where he tried to register. Does anyone know what this means: "POST /_vti_bin/_vti_aut/author.exe. Is this some sort of hack attempt or something?
Thanks,
Buddy