-1

I got a bunch of these in my web server log. I'm only allowed to post one link, but besides 995 I got similar entries for 110 and 143. Basically email ports. The link is exact except where I replaced my IP address with the phrase "MYIPADDRESS". So is this some sort of google dorking search? The IP does go back to Google.

444 64.9.240.132 - - [12/Mar/2017:00:35:40 +0000] "GET /:995 HTTP/1.1" 0 "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CFwQFjAB&url=http%3A%2F%2FMYIPADDRESS%2F%3A995&ei=25fEWPuSIsTQoQf4aw&usg=AFQjCNFijmuDxz260-T2ocf_40a80HUhag" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" "-"

gariac
  • 46
  • 1
  • 8
  • 2
    Those are not requests to email ports. They are requests to your web server, which happen to have certain numbers in them. – Michael Hampton Mar 12 '17 at 01:29
  • And these requests are most likely caused by some links pointing to your address that look like `http://example.com/:995` or maybe `example.com/:995`. – Tero Kilkanen Mar 12 '17 at 12:35

1 Answers1

0

Try visiting the link in the log message. It indicates someone is attempting to connect to "http://myipaddress/:995". Do you have links that have paths like :995, :110 and :143? This may be a malformed REST response.

BillThor
  • 27,737
  • 3
  • 37
  • 69
  • I run my own email server and have no browser interface at all. Not even for administration. I do everything old school. The weird thing is the traffic from google servers, which is why I think I'm being dorked. – gariac Mar 14 '17 at 05:56