Thanks @Adam, I will research some more on that.I wonder how nginx performs with PHP... My previous foray into Apache vs. Nginx for PHP ended up with the conclusion that Nginx performs much better than Apache for static content, but for dynamic content, the difference is not that much (although Nginx is still marginally faster).@Adam, what has been your experience on this? Although I am pretty sure you don't use PHP :-)On Mon, Nov 11, 2013 at 11:41 AM, Adam Nelson <adam@varud.com> wrote:
It sounds like you're doing reverse DNS lookup on hosts hitting the Apache server. This is bad and you shouldn't do it.I wouldn't worry so much about bots and attackers - they're part of the landscape and unaviodable.I would also move to Nginx :-P--Kili.io - OpenStack for Africa: kili.ioMusings: twitter.com/varudAbout Adam: www.linkedin.com/in/adamcnelson
On Mon, Nov 11, 2013 at 8:32 AM, Peter Karunyu <pkarunyu@gmail.com> wrote:_______________________________________________Good morning people,I am looking at the Apache access from an online server hosting one of my apps and I am noting some interesting entries, some I have never seen before, something like this:A normal userlegit-ip-here - - [08/Nov/2013:06:15:14 -0800] "GET /index.php/auth/login HTTP/1.1" 200 6360 "http://www.myaddress.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"
A normal bot101.226.68.137 - - [08/Nov/2013:04:02:16 -0800] "HEAD / HTTP/1.1" 302 - "-" "DNSPod-Monitor/1.0"A weird botcrawl-66-249-66-27.googlebot.com - - [08/Nov/2013:13:06:43 -0800] "GET /robots.txt HTTP/1.1" 200 46 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
A normal malicious access (malicious because they are accessing stuff I don't have on that server)114.221.91.40 - - [08/Nov/2013:07:10:22 -0800] "GET /.7qcjnc/km-qcjnc.mp3 HTTP/1.1" 404 2677 "http://www.wang-nan.cn/" "Mozilla/4.0 (compatible; MSIE 9.10; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
A weird malicious accessh18811653206.rev.rootvps.pl - - [09/Nov/2013:01:02:11 -0800] "GET /video.php?vid=38932 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
static.focured.net - - [09/Nov/2013:01:04:44 -0800] "GET / HTTP/1.1" 302 20 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)"
poczta.chmuri.net - - [09/Nov/2013:01:04:22 -0800] "GET /video.php?vid=38929 HTTP/1.1" 404 937 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"
Now, its the "weird malicious attacks" that have me piqued. Instead of having an IP address in the first column, they have some sort of domain name.Has anyone encountered this before?
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke
_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke
--
Regards,
Peter Karunyu
-------------------
_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke