I would have to agree here. The only flag that would have been of concern would have been a PUT command, however the line you have shown is normal for a typical web browse. They may have been viewing the site from a MSFT application like Front Page, Word, Excel, etc.. At the same time they apparently copied an image from your site using their program of choice.
---- Charles Jones <
charles.jones@ciscolearning.org> wrote:
> I've seen similar to below when someone embeds a picture in an MS-Word
> or PowerPoint document. I'm not sure how it happens, but sometimes when
> they drag the picture in from a web page, it gets hotlinked to the URL,
> so when someone opens the document, MS-Office fetches the image instead
> of having a static copy of it.
>
> -Charles
> > No - it's an apache server (Linux)
> >
> > access_log looks like
> >
> > IP_ADDRESS - - [05/Feb/2008:17:55:56 -0700] "OPTIONS /mccain.jpg
> > HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider
> > Protocol Discovery"
> > IP_ADDRESS - - [05/Feb/2008:17:55:57 -0700] "GET /mccain.jpg HTTP/1.1"
> > 200 56535 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
> > rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
> >
> > This was the same ip address - just one second apart. I've never seen
> > that before.
> >
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
Please visit
http://www.iconnetworksolutions.com
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
%0A>%20>%20>%0A>%20>%20>%20access_log%20looks%20like%0A>%20>%20>%0A>%20>%20>%20IP_ADDRESS%20-%20-%20%5B05/Feb/2008:17:55:56%20-0700%5D%20%22OPTIONS%20/mccain.jpg%0A>%20>%20>%20HTTP/1.1%22%20200%20-%20%22-%22%20%22Microsoft%20Data%20Access%20Internet%20Publishing%20Provider%0A>%20>%20>%20Protocol%20Discovery%22%0A>%20>%20>%20IP_ADDRESS%20-%20-%20%5B05/Feb/2008:17:55:57%20-0700%5D%20%22GET%20/mccain.jpg%20HTTP/1.1%22%0A>%20>%20>%20200%2056535%20%22-%22%20%22Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%205.0;%20en-US;%0A>%20>%20>%20rv:1.8.1.11)%20Gecko/20071127%20Firefox/2.0.0.11%22%0A>%20>%20>%0A>%20>%20>%20This%20was%20the%20same%20ip%20address%20-%20just%20one%20second%20apart.%20I've%20never%20seen%0A>%20>%20>%20that%20before.%0A>%20>%20>%20%20%20%0A>%20>%20%0A>%20>%20---------------------------------------------------%0A>%20>%20PLUG-discuss%20mailing%20list%20-%20PLUG-discuss@lists.plug.phoenix.az.us%0A>%20>%20To%20subscribe,%20unsubscribe,%20or%20to%20change%20your%20mail%20settings:%0A>%20>%20http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss%0A>%20%0A>%20--%0A>%20Please%20visit%0A>%20http://www.iconnetworksolutions.com%0A>%20%0A>%20---------------------------------------------------%0A>%20PLUG-discuss%20mailing%20list%20-%20PLUG-discuss@lists.plug.phoenix.az.us%0A>%20To%20subscribe,%20unsubscribe,%20or%20to%20change%20your%20mail%20settings:%0A>%20http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss%0A>%20%0A>%20 "Reply to this message")
(text/plain)