Recently seeing a bunch of 400s

Neil Sheth nsheth at gmail.com
Wed Dec 3 08:23:47 MSK 2008


Even seeing it in the log from one of Google's IPs.  I'll look into
p0f / tcpdump (not familiar with either).  Anything else suggested?
Not sure where the request is getting malformed (if that's what's
going on).

On Tue, Dec 2, 2008 at 8:49 PM, Neil Sheth <nsheth at gmail.com> wrote:
> We're seeing a complaint from a user, pretty sure they aren't up to
> anything nefarious!
>
> On Tue, Dec 2, 2008 at 8:41 PM, Dave Cheney <dave at cheney.net> wrote:
>>
>> They are most likely bots probing port 80 on your server, then closing the
>> connection without sending a request.
>>
>> Whois and host suggest that those are home IPs on cable modems. You could
>> try running P0f or tcpdumping the traffic to see what they are doing.
>>
>> Cheers
>>
>> Dave
>>
>>
>> On Tue, 2 Dec 2008 20:25:01 -0800, Neil Sheth <nsheth at gmail.com> wrote:
>>> Hello,
>>>
>>> I'm seeing a bunch of entries like the following in my nginx access log:
>>>
>>> 88.147.21.24 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
>>> 72.14.204.136 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
>>> 88.147.21.24 - - [02/Dec/2008:04:16:46 -0600] "-" 400 0 "-" "-"
>>> 88.147.21.24 - - [02/Dec/2008:04:16:48 -0600] "-" 400 0 "-" "-"
>>> 88.147.21.24 - - [02/Dec/2008:04:16:51 -0600] "-" 400 0 "-" "-"
>>> 72.39.110.147 - - [02/Dec/2008:04:16:53 -0600] "-" 400 0 "-" "-"
>>> 88.147.21.24 - - [02/Dec/2008:04:16:54 -0600] "-" 400 0 "-" "-"
>>> 67.165.72.106 - - [02/Dec/2008:04:16:56 -0600] "-" 400 0 "-" "-"
>>> 88.147.21.24 - - [02/Dec/2008:04:16:57 -0600] "-" 400 0 "-" "-"
>>> 82.37.232.219 - - [02/Dec/2008:04:17:00 -0600] "-" 400 0 "-" "-"
>>> 220.255.7.179 - - [02/Dec/2008:04:17:39 -0600] "-" 400 0 "-" "-"
>>> 220.255.7.218 - - [02/Dec/2008:04:17:39 -0600] "-" 400 0 "-" "-"
>>> 72.21.243.194 - - [02/Dec/2008:04:17:41 -0600] "-" 400 0 "-" "-"
>>> 220.255.7.141 - - [02/Dec/2008:04:17:41 -0600] "-" 400 0 "-" "-"
>>> 220.255.7.162 - - [02/Dec/2008:04:17:42 -0600] "-" 400 0 "-" "-"
>>> 220.255.7.184 - - [02/Dec/2008:04:17:42 -0600] "-" 400 0 "-" "-"
>>>
>>> and so on . . .
>>>
>>> I'm running 0.6.32.  At a bit of a loss as to where to start looking -
>>> any suggestions?
>>>
>>> Thanks!
>>
>>
>
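
An added example, not part of the original thread: a Python triage of an access log in the layout quoted above. It separates 400s logged with an empty request (`"-"`, the pattern Dave Cheney attributes to connections closed without sending a request) from 400s where bytes arrived but could not be parsed, and flags sources that also made successful requests. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the quoted lines:
# ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample input (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
198.51.100.7 - - [02/Dec/2008:04:16:44 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Dec/2008:04:16:46 -0600] "-" 400 0 "-" "-"
203.0.113.5 - - [02/Dec/2008:04:16:47 -0600] "\\x16\\x03\\x01" 400 173 "-" "-"
192.0.2.10 - - [02/Dec/2008:04:16:48 -0600] "-" 400 0 "-" "-"
198.51.100.7 - - [02/Dec/2008:04:16:53 -0600] "-" 400 0 "-" "-"
"""

def classify_400s(lines):
    """Return (empty, malformed, served) for the given access-log lines.

    empty:     Counter of IP -> 400s where no request line was logged ("-")
    malformed: Counter of IP -> 400s where some request bytes were logged
    served:    set of IPs that also received a non-400 response
    """
    empty, malformed, served = Counter(), Counter(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not fit the layout
        if m["status"] != "400":
            served.add(m["ip"])
        elif m["request"] == "-":
            empty[m["ip"]] += 1
        else:
            malformed[m["ip"]] += 1
    return empty, malformed, served

def repeat_sources(empty, threshold=3):
    """IPs with at least `threshold` empty-request 400s, sorted."""
    return sorted(ip for ip, n in empty.items() if n >= threshold)

if __name__ == "__main__":
    empty, malformed, served = classify_400s(SAMPLE_LOG.splitlines())
    print("empty-request 400s:", dict(empty))
    print("malformed-request 400s:", dict(malformed))
    print("repeat sources:", repeat_sources(empty))
    print("also served normally:", sorted(ip for ip in empty if ip in served))
```

Sources that appear both in `empty` and in `served` are the ones worth capturing with tcpdump first, since they match the case of a real user whose browser also completes normal requests.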




