It sounds like you're doing reverse DNS lookup on hosts hitting the Apache server.  This is bad and you shouldn't do it.

I wouldn't worry so much about bots and attackers - they're part of the landscape and unavoidable.

I would also move to Nginx :-P

--
Kili.io - OpenStack for Africa: kili.io
Musings: twitter.com/varud
About Adam: www.linkedin.com/in/adamcnelson


On Mon, Nov 11, 2013 at 8:32 AM, Peter Karunyu <pkarunyu@gmail.com> wrote:
Good morning people,
I am looking at the Apache access from an online server hosting one of my apps and I am noting some interesting entries, some I have never seen before, something like this:

A normal user
legit-ip-here - - [08/Nov/2013:06:15:14 -0800] "GET /index.php/auth/login HTTP/1.1" 200 6360 "http://www.myaddress.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"

A normal bot
101.226.68.137 - - [08/Nov/2013:04:02:16 -0800] "HEAD / HTTP/1.1" 302 - "-" "DNSPod-Monitor/1.0"

A weird bot 
crawl-66-249-66-27.googlebot.com - - [08/Nov/2013:13:06:43 -0800] "GET /robots.txt HTTP/1.1" 200 46 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

A normal malicious access (malicious because they are accessing stuff I don't have on that server)
114.221.91.40 - - [08/Nov/2013:07:10:22 -0800] "GET /.7qcjnc/km-qcjnc.mp3 HTTP/1.1" 404 2677 "http://www.wang-nan.cn/" "Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"

A weird malicious access
h18811653206.rev.rootvps.pl - - [09/Nov/2013:01:02:11 -0800] "GET /video.php?vid=38932 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"

static.focured.net - - [09/Nov/2013:01:04:44 -0800] "GET / HTTP/1.1" 302 20 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)"

poczta.chmuri.net - - [09/Nov/2013:01:04:22 -0800] "GET /video.php?vid=38929 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"

Now, it's the "weird malicious attacks" that have me piqued. Instead of having an IP address in the first column, they have some sort of domain name.

Has anyone encountered this before?


_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke
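As an added example (not code from anyone in the thread), a small Python audit over the log lines Peter posted: it tells IP-valued client fields from reverse-DNS hostnames (the sign that Apache's HostnameLookups is On), counts 404 probes per client, and flags the client that stuffed the header name into its User-Agent value. A hostname logged this way is whatever PTR record the peer's network publishes, so it is unverified and the real address is no longer in the line; the remedy is HostnameLookups Off (Apache's default) with %a or %h in LogFormat carrying the raw address.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" LogFormat: client ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Fixture built from the lines quoted in the thread above.
SAMPLE_LOG = """\
101.226.68.137 - - [08/Nov/2013:04:02:16 -0800] "HEAD / HTTP/1.1" 302 - "-" "DNSPod-Monitor/1.0"
crawl-66-249-66-27.googlebot.com - - [08/Nov/2013:13:06:43 -0800] "GET /robots.txt HTTP/1.1" 200 46 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
114.221.91.40 - - [08/Nov/2013:07:10:22 -0800] "GET /.7qcjnc/km-qcjnc.mp3 HTTP/1.1" 404 2677 "http://www.wang-nan.cn/" "Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
h18811653206.rev.rootvps.pl - - [09/Nov/2013:01:02:11 -0800] "GET /video.php?vid=38932 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
static.focured.net - - [09/Nov/2013:01:04:44 -0800] "GET / HTTP/1.1" 302 20 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)"
poczta.chmuri.net - - [09/Nov/2013:01:04:22 -0800] "GET /video.php?vid=38929 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
"""


def parse(line):
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit(log_text):
    """Per-client findings. A hostname in the client field means HostnameLookups
    was On: the value is the remote side's PTR record, unverified, and the peer's
    real address cannot be recovered from this line (fix: HostnameLookups Off)."""
    findings = {"ip": Counter(), "rdns_name": Counter(),
                "not_found": Counter(), "odd_agent": []}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        findings["ip" if is_ip(rec["client"]) else "rdns_name"][rec["client"]] += 1
        if rec["status"] == "404":          # probes for paths that do not exist
            findings["not_found"][rec["client"]] += 1
        if rec["agent"].startswith("User-Agent:"):  # header name sent inside the value
            findings["odd_agent"].append(rec["client"])
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```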