
Thanks @Adam, I will research some more on that. I wonder how nginx performs with PHP... My previous foray into Apache vs. Nginx for PHP ended up with the conclusion that Nginx performs much better than Apache for static content, but for dynamic content, the difference is not that much (although Nginx is still marginally faster). @Adam, what has been your experience on this? Although I am pretty sure you don't use PHP :-)
On Mon, Nov 11, 2013 at 11:41 AM, Adam Nelson <adam@varud.com> wrote:
It sounds like you're doing reverse DNS lookup on hosts hitting the Apache server. This is bad and you shouldn't do it.
I wouldn't worry so much about bots and attackers - they're part of the landscape and unavoidable.
I would also move to Nginx :-P
-- Kili.io - OpenStack for Africa: kili.io Musings: twitter.com/varud <https://twitter.com/varud> About Adam: www.linkedin.com/in/adamcnelson
On Mon, Nov 11, 2013 at 8:32 AM, Peter Karunyu <pkarunyu@gmail.com> wrote:
Good morning people, I am looking at the Apache access from an online server hosting one of my apps and I am noting some interesting entries, some I have never seen before, something like this:
A normal user:
legit-ip-here - - [08/Nov/2013:06:15:14 -0800] "GET /index.php/auth/login HTTP/1.1" 200 6360 "http://www.myaddress.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"
A normal bot:
101.226.68.137 - - [08/Nov/2013:04:02:16 -0800] "HEAD / HTTP/1.1" 302 - "-" "DNSPod-Monitor/1.0"
A weird bot:
crawl-66-249-66-27.googlebot.com - - [08/Nov/2013:13:06:43 -0800] "GET /robots.txt HTTP/1.1" 200 46 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; + http://www.google.com/bot.html)"
A normal malicious access (malicious because they are accessing stuff I don't have on that server):
114.221.91.40 - - [08/Nov/2013:07:10:22 -0800] "GET /.7qcjnc/km-qcjnc.mp3 HTTP/1.1" 404 2677 "http://www.wang-nan.cn/" "Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
A weird malicious access:
h18811653206.rev.rootvps.pl - - [09/Nov/2013:01:02:11 -0800] "GET /video.php?vid=38932 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
static.focured.net - - [09/Nov/2013:01:04:44 -0800] "GET / HTTP/1.1" 302 20 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)"
poczta.chmuri.net - - [09/Nov/2013:01:04:22 -0800] "GET /video.php?vid=38929 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
Now, it's the "weird malicious attacks" that have me piqued. Instead of having an IP address in the first column, they have some sort of domain name.
Has anyone encountered this before?
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Regards, Peter Karunyu -------------------
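Added example, not part of the original thread: a short Python parser for the combined-format log lines quoted above that classifies the first field of each entry as an IP address or a resolved hostname, the pattern Adam's reverse-DNS diagnosis predicts (in Apache this is governed by the HostnameLookups directive). The function names are this example's own; the sample lines are copied from Peter's message.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sample input: log lines copied from the thread above.
SAMPLE_LOG = """\
101.226.68.137 - - [08/Nov/2013:04:02:16 -0800] "HEAD / HTTP/1.1" 302 - "-" "DNSPod-Monitor/1.0"
crawl-66-249-66-27.googlebot.com - - [08/Nov/2013:13:06:43 -0800] "GET /robots.txt HTTP/1.1" 200 46 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; + http://www.google.com/bot.html)"
114.221.91.40 - - [08/Nov/2013:07:10:22 -0800] "GET /.7qcjnc/km-qcjnc.mp3 HTTP/1.1" 404 2677 "http://www.wang-nan.cn/" "Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
h18811653206.rev.rootvps.pl - - [09/Nov/2013:01:02:11 -0800] "GET /video.php?vid=38932 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
static.focured.net - - [09/Nov/2013:01:04:44 -0800] "GET / HTTP/1.1" 302 20 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)"
poczta.chmuri.net - - [09/Nov/2013:01:04:22 -0800] "GET /video.php?vid=38929 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
"""

def host_kind(host):
    # A first field that is not a literal IP means the server resolved the client address.
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "hostname"

def parse(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not a combined-format line
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["host_kind"] = host_kind(entry["host"])
    return entry

def summarize(log_text):
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    kinds = Counter(e["host_kind"] for e in entries)
    hostname_404 = sorted(
        {e["host"] for e in entries if e["host_kind"] == "hostname" and e["status"] == 404}
    )
    return {"total": len(entries), "kinds": dict(kinds), "hostname_404": hostname_404}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any count under "hostname" means the server is paying for a reverse DNS lookup on those requests; the logged name is whatever the client's PTR record says and is not proof of identity.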