# Apache2 logs some STRANGE ip addresses... [SOLVED]

## thoughtform

after updating and rebooting my machine last night, i've noticed some strange ip's everytime someone hits my apache server.

the logs look like this:

0.98.189.183 - - [29/Jan/2007:06:05:14 -0500] "GET /heart.jpg HTTP/1.1" 200 43208

0.98.189.183 - - [29/Jan/2007:06:05:14 -0500] "GET /heart.jpg HTTP/1.1" 200 43208 "-" "Opera/9.10 (Windows NT 5.1; U; en)"

0.98.189.183 - - [29/Jan/2007:06:05:29 -0500] "GET /heart.jpg HTTP/1.1" 304 -

0.98.189.183 - - [29/Jan/2007:06:05:29 -0500] "GET /heart.jpg HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1;

0.98.189.183 - - [29/Jan/2007:06:07:27 -0500] "GET /heart.jpg HTTP/1.1" 200 43208

0.98.189.183 - - [29/Jan/2007:06:07:27 -0500] "GET /heart.jpg HTTP/1.1" 200 43208 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Wi

0.98.189.183 - - [29/Jan/2007:06:07:36 -0500] "GET /favicon.ico HTTP/1.1" 404 317

0.98.189.183 - - [29/Jan/2007:06:07:36 -0500] "GET /favicon.ico HTTP/1.1" 404 317 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Wi

0.146.204.183 - - [29/Jan/2007:06:24:37 -0500] "GET / HTTP/1.1" 200 354

0.146.204.183 - - [29/Jan/2007:06:24:37 -0500] "GET / HTTP/1.1" 200 354 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US;

0.146.204.183 - - [29/Jan/2007:06:24:48 -0500] "GET / HTTP/1.1" 200 354

0.146.204.183 - - [29/Jan/2007:06:24:48 -0500] "GET / HTTP/1.1" 200 354 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US;

0.146.204.183 - - [29/Jan/2007:06:24:48 -0500] "GET /blacklight.jpg HTTP/1.1" 304 -

0.146.204.183 - - [29/Jan/2007:06:24:48 -0500] "GET /blacklight.jpg HTTP/1.1" 304 - "http://scorpaen.no-ip.com/" "Mozilla/5

you can even see in the root page when you visit it it doesn't show your IP address, just some strange one starting with 0.

I have not changed apache's config lately and I'm completely lost as to why this is happening.

if you want to look for yourself, just browse to

http://scorpaen.no-ip.com

thanksLast edited by thoughtform on Tue Jan 30, 2007 4:02 am; edited 1 time in total

----------

## bunder

 *Quote:*   

> Your IP is: 0.146.204.183

 

lies!   :Laughing: 

----------

## thoughtform

thanks for bumping me out of the 'unanswered posts' with your useless reply, Bunder.

 :Evil or Very Mad: 

----------

## elgato319

could you post your LogFormat Lines from httpd.conf

httpd.conf

```
#

# The following directives define some format nicknames for use with

# a CustomLog directive (see below).

#

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script

LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
```

Is http://scorpaen.no-ip.com/ using some script to show me my ip adress?

 *Quote:*   

> 
> 
> Your IP is: 0.146.204.183
> 
> 

 

This is definitly not the right one.

----------

## thoughtform

logformat lines from httpd.conf

```
#

# The following directives define some format nicknames for use with

# a CustomLog directive (see below).

#

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script

LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost

# You need to enable mod_logio.c to use %I and %O

#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

#

# The location and format of the access logfile (Common Logfile Format).

# If you do not define any access logfiles within a <VirtualHost>

# container, they will be logged here.  Contrariwise, if you *do*

# define per-<VirtualHost> access logfiles, transactions will be

# logged therein and *not* in this file.

#

CustomLog logs/access_log common

```

and the script for showing your ip address:

```
<?php $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

echo 'Your IP is: '.$ip; ?>

<br>

<p>Your browser information is:</p>

<?php echo (

browser_detection( 'browser' ) .'<br>'.

browser_detection( 'os' ) .'<br>'.

browser_detection( 'os_number' ) );

?>

</body>

</html>

```

i THINK that's the code that shows your IP. it's a php script i borrowed.

all this was working until i rebooted last night. :s

----------

## elgato319

seems like $_SERVER['REMOTE_ADDR'] is giving out a totally wrong ip adress, because apache fails to get the right one somehow.

did you update apache/php recently?

could you show us some output from phpinfo(); ?

maybe it´s this bug: http://issues.apache.org/bugzilla/show_bug.cgi?id=41404

----------

## thoughtform

i've found the culprits.

i just did an emerge --sync and emerge -uD world,

these two packages were downgraded.

i installed them and rebooted, and IP addresses are being reported correctly now.

1170127343:  === (1 of 5) Post-Build Cleaning (dev-libs/apr-0.9.12::/usr/portage/dev-libs/apr/apr-0.9.12.ebuild)

1170127343:  ::: completed emerge (1 of 5) dev-libs/apr-0.9.12 to /

1170127343:  >>> emerge (2 of 5) dev-libs/apr-util-0.9.12 to /

1170127343:  === (2 of 5) Cleaning (dev-libs/apr-util-0.9.12::/usr/portage/dev-libs/apr-util/apr-util-0.9.12.ebuild)

1170127344:  === (2 of 5) Compiling/Merging (dev-libs/apr-util-0.9.12::/usr/portage/dev-libs/apr-util/apr-util-0.9.12.ebuild)

1170127387:  >>> AUTOCLEAN: dev-libs/apr-util

1170127392: === Unmerging... (dev-libs/apr-util-0.9.13)

1170127393:  >>> unmerge success: dev-libs/apr-util-0.9.13

1170127393:  === (2 of 5) Post-Build Cleaning (dev-libs/apr-util-0.9.12::/usr/portage/dev-libs/apr-util/apr-util-0.9.12.ebuild)

1170127393:  ::: completed emerge (2 of 5) dev-libs/apr-util-0.9.12 to /

----------

## gnork

I can second that, dev-libs/apr und dev-libs/apr-util > 0.9.12 are responsible for the strange IPs in the logs.

----------

