Recently seeing a bunch of 400s

Neil Sheth nsheth at gmail.com
Wed Dec 3 07:49:10 MSK 2008


We're seeing a complaint from a user, pretty sure they aren't up to
anything nefarious!

On Tue, Dec 2, 2008 at 8:41 PM, Dave Cheney <dave at cheney.net> wrote:
>
> They are most likely bots probing port 80 on your server, then closing the
> connection without sending a request.
>
> Whois and host suggest that those are home ip's on cable modems. You could
> try running P0f or tcpdumping the traffic to see what they are doing.
>
> Cheers
>
> Dave
>
>
> On Tue, 2 Dec 2008 20:25:01 -0800, Neil Sheth <nsheth at gmail.com> wrote:
>> Hello,
>>
>> I'm seeing a bunch of entries like the following in my nginx access log:
>>
>> 88.147.21.24 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
>> 72.14.204.136 - - [02/Dec/2008:04:16:43 -0600] "-" 400 0 "-" "-"
>> 88.147.21.24 - - [02/Dec/2008:04:16:46 -0600] "-" 400 0 "-" "-"
>> 88.147.21.24 - - [02/Dec/2008:04:16:48 -0600] "-" 400 0 "-" "-"
>> 88.147.21.24 - - [02/Dec/2008:04:16:51 -0600] "-" 400 0 "-" "-"
>> 72.39.110.147 - - [02/Dec/2008:04:16:53 -0600] "-" 400 0 "-" "-"
>> 88.147.21.24 - - [02/Dec/2008:04:16:54 -0600] "-" 400 0 "-" "-"
>> 67.165.72.106 - - [02/Dec/2008:04:16:56 -0600] "-" 400 0 "-" "-"
>> 88.147.21.24 - - [02/Dec/2008:04:16:57 -0600] "-" 400 0 "-" "-"
>> 82.37.232.219 - - [02/Dec/2008:04:17:00 -0600] "-" 400 0 "-" "-"
>> 220.255.7.179 - - [02/Dec/2008:04:17:39 -0600] "-" 400 0 "-" "-"
>> 220.255.7.218 - - [02/Dec/2008:04:17:39 -0600] "-" 400 0 "-" "-"
>> 72.21.243.194 - - [02/Dec/2008:04:17:41 -0600] "-" 400 0 "-" "-"
>> 220.255.7.141 - - [02/Dec/2008:04:17:41 -0600] "-" 400 0 "-" "-"
>> 220.255.7.162 - - [02/Dec/2008:04:17:42 -0600] "-" 400 0 "-" "-"
>> 220.255.7.184 - - [02/Dec/2008:04:17:42 -0600] "-" 400 0 "-" "-"
>>
>> and so on . . .
>>
>> I'm running 0.6.32.  A bit of a loss as to where to start looking -
>> any suggestions?
>>
>> Thanks!
>
>





More information about the nginx mailing list