Chiken
Don't Let Your Walls Down
So I am going through these Apache access logs and I'm noticing some entries with multiple IPs in the requester's IP address column. Mainly entries that will have two or three different IPs or even an "unknown".
unknown, 81.19.80.111 - - [06/Aug/2010:14:11:48 +0400] "GET / HTTP/1.0" 200 41574
192.168.1.70, 212.112.110.116 - - [06/Aug/2010:14:18:59 +0400] "GET / HTTP/1.0" 200 41574
83.149.21.29, 80.239.243.53 - - [06/Aug/2010:18:57:45 +0400] "GET / HTTP/1.0" 200 41574
10.5.1.133, 10.5.1.5, 195.20.166.2 - - [06/Aug/2010:08:00:16 +0400] "GET / HTTP/1.0" 200 41427
I honestly cannot think of why there would be multiple IPs listed. I guess the other thing that strikes me as odd is that 90% of the time one of the two IPs is an RFC 1918 address. So would this be an internal host with multiple interfaces?
I was reading up on the access log format for Apache. The documentation on Apache 2.3 doesn't say anything about multiple IPs in that variable (%h).
http://httpd.apache.org/docs/trunk/logs.html#accesslog
Do you think they could be virtual host logs?
http://httpd.apache.org/docs/trunk/logs.html#virtualhost
http://httpd.apache.org/docs/trunk/vhosts/
I don't see any other explanation in the documentation. You might also want to check the "LogFormat" options in your config. No clue otherwise.
Chiken
Yeah, I had been looking at the Apache site log format and done some searching around on Google, but I can't find any mention of it anywhere. It's kind of driving me crazy, but oh well.
What does your LogFormat have listed in your Apache config?
Chiken
I don't know. These aren't my logs and I don't have access to the Apache config. Just realized they are all HTTP/1.0 requests as well. Weird.
dig -x is your friend.
For example on the third entry:
83.149.21.29: gprs-user-29.21.149.83.in-addr.arpa
80.239.243.53: v18-05.opera-mini.net
So this is a proxy for the Opera Mini browser.
The second and fourth entries have IPs in the RFC 1918 range. I suspect proxies for those as well.
The first probably sends some header suggesting the connection is behind a proxy and not direct, but the proxy doesn't send an X-Forwarded-For or similar header.
I believe many browsers still use HTTP/1.0 for proxies by default. So that would explain that too.
:D
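One way to pull these chains apart in bulk, as an added example that is not code from the thread: the Python below splits the first field on commas, classifies each hop (RFC 1918, loopback, the literal "unknown", public), keeps the rightmost hop as the address the server actually saw on the socket, and builds the in-addr.arpa name that dig -x would query (it does not do the lookup itself, so it runs offline). The regex, class names and helper names are my own; the sample lines are the four quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four access-log lines quoted in the thread.
SAMPLE_LOG = """\
unknown, 81.19.80.111 - - [06/Aug/2010:14:11:48 +0400] "GET / HTTP/1.0" 200 41574
192.168.1.70, 212.112.110.116 - - [06/Aug/2010:14:18:59 +0400] "GET / HTTP/1.0" 200 41574
83.149.21.29, 80.239.243.53 - - [06/Aug/2010:18:57:45 +0400] "GET / HTTP/1.0" 200 41574
10.5.1.133, 10.5.1.5, 195.20.166.2 - - [06/Aug/2010:08:00:16 +0400] "GET / HTTP/1.0" 200 41427
"""

# Common Log Format, except that the first field may hold a comma-separated
# proxy chain instead of a single address (my own regex, not Apache's).
LINE_RE = re.compile(
    r'^(?P<chain>.+?) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Hop:
    raw: str
    kind: str                    # public / private / loopback / unknown / invalid
    reverse_name: Optional[str]  # name `dig -x` would look up; None if not an IP


@dataclass
class Entry:
    hops: List[Hop]
    timestamp: str
    request: str
    status: int

    @property
    def direct_peer(self) -> Hop:
        # Rightmost hop: the host that actually opened the TCP connection.
        return self.hops[-1]

    @property
    def claimed_origin(self) -> Hop:
        # Leftmost hop: what the proxies assert the original client was.
        return self.hops[0]

    @property
    def protocol(self) -> str:
        parts = self.request.split()
        return parts[2] if len(parts) == 3 else ''


def classify(token: str) -> Hop:
    """Classify one comma-separated token from the client field."""
    token = token.strip()
    if token.lower() == 'unknown':
        return Hop(token, 'unknown', None)
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return Hop(token, 'invalid', None)
    if ip.is_loopback:          # checked first: loopback is also "private"
        kind = 'loopback'
    elif ip.is_private:         # covers the RFC 1918 ranges
        kind = 'private'
    else:
        kind = 'public'
    return Hop(token, kind, ip.reverse_pointer)


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hops = [classify(t) for t in m.group('chain').split(',')]
    return Entry(hops, m.group('ts'), m.group('request'), int(m.group('status')))


def parse_log(text: str) -> List[Entry]:
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e is not None]


def summarize(entry: Entry) -> str:
    chain = ' -> '.join(f'{h.raw}({h.kind})' for h in entry.hops)
    return (f'{entry.timestamp} {entry.protocol} {entry.status} '
            f'peer={entry.direct_peer.raw} origin={entry.claimed_origin.raw} chain={chain}')


if __name__ == '__main__':
    for e in parse_log(SAMPLE_LOG):
        print(summarize(e))
        for h in e.hops:
            if h.reverse_name:
                print(f'    dig -x target: {h.reverse_name}')
```

The split between direct_peer and claimed_origin is the point of the classification: only the rightmost address was observed on the connection, while everything to its left is whatever the intermediate proxies reported (or a client chose to send), so blocking, rate limiting or alerting should key on the direct peer and treat the claimed origin as context rather than evidence.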
Chiken
Wow, thanks carpetsmoker.
At your service :-)
Again, dig -x is your friend. If you see an IP address and think "hmm" for whatever reason, a good thought to have next is "dig -x" (or Google "online reverse dns lookup" if you're stuck in Windows).
If that doesn't answer it, a RIPE db lookup is the next thing to do.
> if you're stuck in Windows
putty ssh to atlas.wingedleopard.net :)
Chiken
I actually have dig on Windows.
Got it here
nny
Matt Joyce
Wish Windows had strace...
nny
It used to...