Re: [Hampshire] apache block invalid IP address

Author: Vic
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] apache block invalid IP address

> As the rest of the logs are fine my guess is the spammer is using some
> control character sequence which is corrupting parsing of the logs for
> IP address


I seriously doubt that.

Consider the complexity of a crafted sequence that just erases the IP
address, but leaves the rest of the log intact. Now compare that to a
sequence that just destroys the line.

The latter would be much more useful to someone trying to cover their
tracks, and also simpler to implement.

But before we get there, there would need to be a serious vulnerability in
Apache that permitted such actions.

> (I spent most of last year trawling though web access logs
> and didn't see this type of log entry).


I've never seen that type of log entry - and I've seen many thousands of
attempted code injections of one type or another. That's why I suspect
this might be a misfiring log rule, and it's why I suggested you check
your log format directives in the config file.

> te01.techentrance.com - - [15/Jul/2010:22:22:22 -0600] "GET
> /cgi-bin/forum.pl HTTP/1.0" 403 745 "http://silverwing.org" "Mozilla/5.0
> (X11; U; Linux i686; en-GB; rv:1.9.2.4) Gecko/20100622
> Fedora/3.6.4-1.fc13 Firefox/3.6.4"


Right - this shows the problem up completely.

Your server is doing reverse DNS lookups, rather than just logging the IP
address. So what you've had previously is an IP address with a reverse DNS
of "." - I've seen that before.

Check your config file for the HostnameLookups directive - I recommend
this be set to "Off".

Vic.
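An added check for the point made in this reply (example code, not from the thread or from the Apache project): when `HostnameLookups` is on, Apache writes the client's reverse-DNS name into the `%h` field instead of its address, and an odd or failed reverse lookup can leave a bare "." there that looks like a missing IP to anything parsing the log. The script below parses combined-format lines, counts how the `%h` field was populated, and flags the log when any non-address value appears; the sample log lines are constructed for the demonstration, and the recommended fix is the one stated above, `HostnameLookups Off` in the Apache config.

```python
"""Detect reverse-DNS names (or "." placeholders) in the %h field of an Apache log.

Added example: the sample lines below are constructed; the directive to set
is `HostnameLookups Off` in httpd.conf so that %h is always the address.
"""
import ipaddress
import re

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample log: an IP literal, a reverse-DNS hostname (the kind of
# entry quoted in the thread), and a "." where the client host should be.
SAMPLE_LOG = """\
203.0.113.9 - - [15/Jul/2010:22:22:20 -0600] "GET /index.html HTTP/1.0" 200 1024 "-" "curl/7.19"
te01.techentrance.com - - [15/Jul/2010:22:22:22 -0600] "GET /cgi-bin/forum.pl HTTP/1.0" 403 745 "http://silverwing.org" "Mozilla/5.0"
. - - [15/Jul/2010:22:22:23 -0600] "GET /cgi-bin/forum.pl HTTP/1.0" 403 745 "-" "Mozilla/5.0"
"""


def is_ip_literal(field: str) -> bool:
    """True if the %h field is an IPv4/IPv6 address, i.e. no reverse lookup was logged."""
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False


def classify_host_fields(log_text: str) -> dict:
    """Count how the %h field was populated across every line of the log."""
    counts = {"ip": 0, "hostname": 0, "unusable": 0, "unparsed": 0}
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            counts["unparsed"] += 1  # line does not fit the combined format at all
            continue
        host = m.group("host")
        if is_ip_literal(host):
            counts["ip"] += 1
        elif host.strip(".") == "" or host == "-":
            counts["unusable"] += 1  # "." or empty: reverse lookup gave nothing usable
        else:
            counts["hostname"] += 1  # a resolved name: HostnameLookups is on
    return counts


def hostname_lookups_suspected(log_text: str) -> bool:
    """Any non-address %h value means names were resolved at log time."""
    c = classify_host_fields(log_text)
    return (c["hostname"] + c["unusable"]) > 0


if __name__ == "__main__":
    print(classify_host_fields(SAMPLE_LOG))
    if hostname_lookups_suspected(SAMPLE_LOG):
        print("Non-address client fields found: set 'HostnameLookups Off' "
              "in the Apache config so %h is logged as an IP address.")
```

Run it against a real access log by passing the file contents to `classify_host_fields`; a non-zero `hostname` or `unusable` count confirms the server is resolving names at log time rather than a log-corruption attack, which matches the diagnosis in the reply above.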