apache2 access log
Ken Moffat
kmoffat
Wed Aug 2 07:26:41 PDT 2006
Kurt Wall wrote:
> On Tue, Aug 01, 2006 at 10:14:27PM -0700, Ken Moffat wrote:
>
>> I'm getting a ton of these entries in /var/log/apache2/access.log and
>> wonder if it's possible to block this stuff, even though the address
>> does not resolve to an ip address?
>>
>
> Yes, you can do that. But, whoever it is has an IP address, you're just
> not capturing it in your log. Disable HostnameLookups in httpd.conf
> and you'll get the IP from which the GET originates. As a bonus, disabling
> HostnameLookups will also speed up your server. You can use some other
> tool for offline look-ups (logresolve comes to mind, but there are
> many such tools).
>
>
>> web-r9-h71.globecorp.net - - [01/Aug/2006:21:58:55 -0700] "GET /
>> HTTP/1.1" 200 988 "http://www.midmojobs.com/50t9y/p5vzk.html"
>>
>
> % whois midmojobs.com
>
> Domain Name: MIDMOJOBS.COM
>
>
> Kurt
> ________________
>
Thanks for the answer.
I have "HostnameLookups off" in /etc/apache2/apache2.conf. Most log
entries look like this:
206.188.34.200 - - [16/Jul/2006:12:01:46 -0700] "GET / HTTP/1.1" 200 988
"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4)
Gecko/20060508 Firefox/1.5.0.4"
I am trying to block "web-r9-h71.globecorp.net", which seems to be
where these accesses are originating, and doesn't show up in a whois
search. Or am I misreading the log?
Those midmojobs.com pages show only a blank page in firefox, and the
following when viewed as source:
<SCRIPT language=JavaScript src='/ielib_it.js'></SCRIPT><SCRIPT language=JavaScript>pcsfqr('1','','');</SCRIPT>
Can this be some provider's (Globalcorp.net?) attempt to increase access
counts to their webpages?
Here is this morning's "tail /var/log/apache2/access.log":
# tail /var/log/apache2/access.log
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/vlpy9/3u2fg.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/vqhjp/770a9.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/vyp4j/f0il6.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/vb52n/eb4wt.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/x00ru/hexzv.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/xboct/rkgny.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/xeqru/3vfa6.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/81ga9/w1fhw.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
web-r9-h71.globecorp.net - - [02/Aug/2006:07:17:52 -0700] "GET /
HTTP/1.1" 200 988 "http://www.midmojobs.com/a4keb/g6oiy.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
fwbg2bibae01-vlan3501.woo - - [02/Aug/2006:07:18:33 -0700] "GET
/robots.txt HTTP/1.1" 200 227 "-" "Mozilla/4.0 (compatible; MSIE 5.0;
Windows 95) VoilaBot BETA 1.2 (http://www.voila.com/)"
One oddball at the end, but each globalcorp.net page is slightly
different, and I am getting hundreds of these per hour.