Really not sure where to post this.

These errors are created by a real user visiting my site.

For every page they access they create at least two 404 error codes. Here is an example. I hate all those unnecessary 404 errors.

152.11.237.110 - - [01/Aug/2007:14:31:27 -0400] "GET /kitchen-measurement.htm HTTP/1.1" 200 7723 "http://search.yahoo.com/search?p=kitchen+mesasurements&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
152.11.237.110 - - [01/Aug/2007:14:31:31 -0400] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 4481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
152.11.237.110 - - [01/Aug/2007:14:31:31 -0400] "GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 4481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"

I realize these seem to be the result of some MS software they are using.

Not sure what you mean. I searched for the term in Yahoo and your page came up on the first page. The page shows a 200 okay status.

The IPs you show are all the same. Maybe the user found your chart via yahoo and then are trying to download the page into their MS Office application for viewing at anytime. Do you see?

There is really nothing you can do about the other 404's. All you can do is make sure the page is up and online, which is all you can control.

Offer the chart as some sort of downloadable file.

It has nothing to do do what what a user sees. They will see the page requested. They get a 200 code. Some IE browsers look for additional files, and 404 errors are recorded in my logs.

The 3 results from the same user is from my error logs when the user requested one page. The page they requested shows the 200 response. Then there are request for two additional files that are MS specific.

This one user looked at 5 or 6 pages on my site. For each page request they got the valid page, but created two 404 errors in my logs.

I get hundreds of these errors every month.

It has something to do with InfoPath.1 which seems to be an IE add on.

Here are some Google results for InfoPath (http://www.google.com/search?hl=en&q=InfoPath&btnG=Search)

Search your log files for InfoPath. I bet everyone has a few errors like this show up.

No, but it doesn't look like it's a bad thing. I thought it was FP extensions, but apparently I'm wrong.

http://www.michaelteper.com/archive/2005/11/02/4276.aspx

I'm not saying it's bad, other than the fact it will fill your raw logs files with 404 errors with each valid request.

Since I occasionally search my raw logs for 404 errors, it is a pain in the but wading through these to get to the real errors.

Connie, those "404 errors" are because it's a hacker looking for a backdoor into your server to load a worm, virus, trojan, or DOS attack.

GET /_vti_bin/owssvr.dll
/MSOffice/cltreq.asp?

Are two things the hackers are looking for. Since obviously neither one exists on your server, they're fishing for nothing.

I see things like this, and others, in my logs all the time. It's some dumb hacker hoping to get lucky.

The hacker is under the impression that your server is an NT server Vs UNIX (which is why the hacker is looking for MS files to exploit).

I wish ArmenT were around because he explains this a lot better than I do (or can).

I don't think it's actually a hacker in this case, Deb...unless the hacker is masking an IE user agent and being very clever about it.

Connie mentioned that this happens every time a page is visited. Hackers usually go the brute force route and don't visit pages, and quite often do it in bunches (I had a guy "acting on behalf of a major Canadian bank" attempt to hack my server 1200 times in the space of 13 seconds two years ago.) It could be a stupid kiddie hacker without a clue, but it's unlikely.

The explanation in the link I posted above makes more sense.

Could be, Adam. :) (I didn't look at your link yet).

I've seen agent strings on my server though that are along the lines of what Connie posted, but it's a hacker (on my server) looking for a way in.

I see a lot of the "listen ..." trails too but they never get anywhere with it because we have a lot of security things installed on the server. Doesn't stop them from "trying" though.

Deb like Adam I don't think this is a hacker. I verified they were an actual visitor. I don't think a hacker would record a actual visit with a stats program that uses javascript.

This particular visitor viewed about 5 pages. However, each page view creates the 404 error pages at the same time they got a successful page view. It is something that some IE browsers are doing in the background.

I think it comes mostly from Corporate users. I get a lot of people shopping from their job.

It appears the browser is looking for something to do with xml and forms in the background.

At least that is what I understand from a lot of references I have read.

I use to think this had to do with FP extensions, or a hacker, but in those cases there is no actual visitor.

With it being a corporate IP, it will be a visitor with the "Web discussion" toolbar installed, the toolbar is part of the SharePoint collaboration tools so is perfectly legit.

There was a cross-site scripting vunerability announced (and eventually fixed) for SharePoint services.

http://www.microsoft.com/technet/security/bulletin/ms05-006.mspx

but the access footprint would be very different if it were a cracking attack.