Recently seeing a bunch of 400s

Dave Cheney dave at cheney.net
Wed Dec 3 07:41:16 MSK 2008


They are most likely bots probing port 80 on your server, then closing the
connection without sending a request.

Whois and host suggest that those are home IPs on cable modems. You could
try running p0f or tcpdumping the traffic to see what they are doing.

Cheers

Dave


On Tue, 2 Dec 2008 20:25:01 -0800, Neil Sheth <nsheth at gmail.com> wrote:
> Hello,
> 
> I'm seeing a bunch of entries like the following in my nginx access log:
> 
> 88.147.21.24 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
> 72.14.204.136 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
> 88.147.21.24 - - [02/Dec/2008:04:16:46 -0600] "-" 400 0 "-" "-"
> 88.147.21.24 - - [02/Dec/2008:04:16:48 -0600] "-" 400 0 "-" "-"
> 88.147.21.24 - - [02/Dec/2008:04:16:51 -0600] "-" 400 0 "-" "-"
> 72.39.110.147 - - [02/Dec/2008:04:16:53 -0600] "-" 400 0 "-" "-"
> 88.147.21.24 - - [02/Dec/2008:04:16:54 -0600] "-" 400 0 "-" "-"
> 67.165.72.106 - - [02/Dec/2008:04:16:56 -0600] "-" 400 0 "-" "-"
> 88.147.21.24 - - [02/Dec/2008:04:16:57 -0600] "-" 400 0 "-" "-"
> 82.37.232.219 - - [02/Dec/2008:04:17:00 -0600] "-" 400 0 "-" "-"
> 220.255.7.179 - - [02/Dec/2008:04:17:39 -0600] "-" 400 0 "-" "-"
> 220.255.7.218 - - [02/Dec/2008:04:17:39 -0600] "-" 400 0 "-" "-"
> 72.21.243.194 - - [02/Dec/2008:04:17:41 -0600] "-" 400 0 "-" "-"
> 220.255.7.141 - - [02/Dec/2008:04:17:41 -0600] "-" 400 0 "-" "-"
> 220.255.7.162 - - [02/Dec/2008:04:17:42 -0600] "-" 400 0 "-" "-"
> 220.255.7.184 - - [02/Dec/2008:04:17:42 -0600] "-" 400 0 "-" "-"
> 
> and so on . . .
> 
> I'm running 0.6.32.  A bit of a loss as to where to start looking -
> any suggestions?
> 
> Thanks!
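
One way to triage the log entries discussed in this thread, added here as an example and not part of either message: it counts 400 responses with an empty request line ("-") per client address and reports the repeat sources. It assumes nginx's default combined log format; the function name, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" format; a connection closed before any request was
# sent is logged with "-" as the request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def empty_request_sources(lines, min_hits=3):
    """Return {ip: (hits, first_seen, last_seen)} for clients that logged
    at least min_hits 400 responses with no request line."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format, ignore
        if m["req"] == "-" and m["status"] == "400":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            seen[m["ip"]].append(ts)
    return {
        ip: (len(stamps), min(stamps), max(stamps))
        for ip, stamps in seen.items()
        if len(stamps) >= min_hits
    }

# Constructed sample lines using documentation addresses (RFC 5737).
SAMPLE = """\
192.0.2.24 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
198.51.100.7 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
192.0.2.24 - - [02/Dec/2008:04:16:46 -0600] "-" 400 0 "-" "-"
203.0.113.5 - - [02/Dec/2008:04:16:47 -0600] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.24 - - [02/Dec/2008:04:16:48 -0600] "-" 400 0 "-" "-"
192.0.2.24 - - [02/Dec/2008:04:16:51 -0600] "-" 400 0 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, (hits, first, last) in empty_request_sources(SAMPLE).items():
        span = (last - first).total_seconds()
        print(f"{ip}: {hits} empty requests over {span:.0f}s")
```

Addresses that recur every few seconds are the ones worth a closer look with tcpdump or p0f, as the reply suggests.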




