Re: [Hampshire] apache block invalid IP address

Author: John Cooper
Date:  
To: lug, Hampshire LUG Discussion List
Subject: Re: [Hampshire] apache block invalid IP address
On 16/07/10 11:49, Vic wrote:
>
>> As the rest of the logs are fine my guess is the spammer is using some
>> control character sequence which is corrupting parsing of the logs for
>> IP address
>
> I seriously doubt that.
>
> Consider the complexity of a crafted sequence that just erases the IP
> address, but leaves the rest of the log intact. Now compare that to a
> sequence that just destroys the line.
>
> The latter would be much more useful to someone trying to cover their
> tracks, and also simpler to implement.
>
> But before we get there, there would need to be a serious vulnerability in
> Apache that permitted such actions.
>
>> (I spent most of last year trawling through web access logs
>> and didn't see this type of log entry).
>
> I've never seen that type of log entry - and I've seen many thousands of
> attempted code injections of one type or another. That's why I suspect
> this might be a misfiring log rule, and it's why I suggested you check
> your log format directives in the config file.
>
>> te01.techentrance.com - - [15/Jul/2010:22:22:22 -0600] "GET
>> /cgi-bin/forum.pl HTTP/1.0" 403 745 "http://silverwing.org" "Mozilla/5.0
>> (X11; U; Linux i686; en-GB; rv:1.9.2.4) Gecko/20100622
>> Fedora/3.6.4-1.fc13 Firefox/3.6.4"
>
> Right - this shows the problem up completely.
>
> Your server is doing reverse DNS lookups, rather than just logging the IP
> address. So what you've had previously is an IP address with a reverse DNS
> of "." - I've seen that before.
>
> Check your config file for the HostnameLookups directive - I recommend
> this be set to "Off".
>
> Vic.
>


Excellent, that makes sense and I did think of that (honest) but then
dismissed it as not being possible!

John.


--
--------------------------------------------------------------
Discover Linux - Open Source Solutions to Business and Schools
http://discoverlinux.co.uk
--------------------------------------------------------------
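
The diagnosis in the thread above (the first log field holding a reverse DNS name, or a bare ".", instead of an address) can be checked across a whole access log. The following is an added example, not part of either poster's message: it assumes the common/combined log format with the remote host as the first field, and the function names and the two sample lines marked as constructed are illustrative.

```python
import ipaddress
import re

# Assumption: common/combined log format, remote host (%h) is the first field.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) '
)
LABEL_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")

def classify_host(host):
    """Classify the first log field as 'ip', 'hostname' or 'unusable'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    stripped = host.strip(".")
    # A PTR answer of "." leaves nothing that maps back to a client address.
    if not stripped or not all(LABEL_RE.fullmatch(l) for l in stripped.split(".")):
        return "unusable"
    return "hostname"

def audit(lines):
    """Count host-field kinds and list every entry that is not a literal IP."""
    counts = {"ip": 0, "hostname": 0, "unusable": 0, "unparsed": 0}
    flagged = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            counts["unparsed"] += 1
            continue
        kind = classify_host(match.group("host"))
        counts[kind] += 1
        if kind != "ip":
            flagged.append((number, match.group("host"), kind))
    return counts, flagged

SAMPLE = [
    # Log line quoted in the thread, joined onto one line.
    'te01.techentrance.com - - [15/Jul/2010:22:22:22 -0600] "GET /cgi-bin/forum.pl HTTP/1.0" 403 745 "http://silverwing.org" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.4) Gecko/20100622 Fedora/3.6.4-1.fc13 Firefox/3.6.4"',
    # Constructed: host field is "." as described in the thread.
    '. - - [15/Jul/2010:22:20:01 -0600] "GET /cgi-bin/forum.pl HTTP/1.0" 403 745 "-" "-"',
    # Constructed: what the entry looks like with HostnameLookups Off.
    '192.0.2.10 - - [15/Jul/2010:22:25:40 -0600] "GET /cgi-bin/forum.pl HTTP/1.0" 403 745 "-" "-"',
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE)
    print(counts)
    for number, host, kind in flagged:
        print(f"line {number}: {host!r} is {kind}, not a client IP")
```

Any "hostname" or "unusable" entries indicate the server is still resolving names at log time; the name comes from whoever controls the PTR record for the client address, so it is not reliable input for a block rule.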