next »

[lamontagne]

possibly they are ipv6 ? i dunno, sounds odd. you arent running php on iis by chance are you?

edit*** i say ipv6 because i think they come through in diff format on the php remote_addr variable and you might have some regex failing or data storage issue

[nutballs]

Hmm that's 2 of you now say ip6. Hmm. I know, if ip longer than 15 save to file. That should do it.

[lamontagne]

oops, didnt notice that perks already said it...

[nutballs]

heh. well you just made me actually consider it. I just ignored perk for some reason.

Actually the reason is, that I don't think my switch supports ip6, so I didnt even think of it. I keep forgetting this data is coming from servers where the infrastructure is out of my control.

Perk, that brings up a point... Do you think GetNet supports IP6 to the rack? obviously those cisco switches probably dont; but everything upstream might?

[perkiset]

Hmmm... good question and I've no answer. That's a jeffPing I believe. Claude would've known 

[nutballs]

this is driving me fucking bonkers.

Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html)

left no IP on one of the hits. SO.
This is obviously a problem on my end...

PHP

                     /"\
                    |\./|
                    |   |
                    |   |
                    |>~<|
                    |   |
                 /'\|   |/'\..
             /~\|   |   |   | \
                 |   =

• =   |   |  \

            |   |   |   |   |   \
            | ~   ~   ~   ~ |`   )
            |                   /
             \                 /
              \               /
               \    _____    /
                |--//''`\--|
                | (( +==)) |
                |--\_|_//--|

[lamontagne]

Are all of these requests that have no ip from bots? I'm guessing that your phone home system is setup to pass the ip through the querystring.. aka:

http://phonehomeserver.com/log.php?ip=127.0.0.1

is there a chance that somehow the url for this phonehome script got leaked and now the bots are crawling it and not passing the ip, aka...

http://phonehomeserver.com/log.php

the only thing that throws this off is the fact that you said user agent etc gets passed, but would the log.php default to the user agent of the requester if no user-agent is passed in the url...I looked for any bugs but I couldn't find any for this problem that didn't have to do with iis or with a version of php before 4.0....I'm just suggesting that somehow they got ahold of the phone home script address because the user agent for these two "null" ip visitors you have posted are bot user agents...

Edit***

I am not familiar with shorthand if/then statements (like in the code you posted)... but would it be possible for me to pass a space character or something else in the HTTP X FORWARD and your log script would log it as though it was blank... perhaps someone could translate that code for me so I can understand it? (I know, I'm ashamed I don't understand shorthand yet, but things like that usually get me in trouble with debugging so I don't bother)

[perkiset]

An interesting point...

the code that NBs showed will look for emptiness (ie., either integer 0, string '0', false, and empty array etc) in those variables and degrade down through each one, until it passes a default value back.

If that function returned a blank, I'd quickly gin up an HTTP request to phone home and post all the headers and the content of the message right quick, including doing something like:

$ipBlock = <<<TEXT
Client_IP=({$_SERVER['HTTP_CLIENT_IP']})
Forwarded: ({$_SERVER['HTTP_X_FORWARDED_FOR']})
Remote_addr: ({$_SERVER['REMOTE_ADDR']}}
TEXT;

... even though they may be empty. This is weird enough that I'd want every friggin symptom I could possibly get my hands on. Just did a bit of quick looking - it seems that *everyone* assumes that Apache hooks the initial IP address and that is what's passed on to PHP - but I'm wondering, particularly since that's from China, if there's a way (akin to what VSloathe was creeping us out about the other day) to spoof that satisfactorily... or if PHP actually receives it's data from stdin rather than the Apache API hooks. You might want to write something to try to reconcile the Apache logs to your calls and see what's coming in.

[nutballs]

not just china, not just bots. It is seemingly completely random, and I am now positive that it is at the PHP level, because I could find the same exact entries in the weblogs, with an IP, but in my DB, there its blank.

I don't really know how this is possible though, because I am just sending via querystring,
$url .= 'ip='.urlencode($_SERVER['REMOTE_ADDR']);

I am going to bolt on the whole $_SERVER array and store that as well for a while. It's just that will slow stuff down a bit since its about 20 times bigger than the original parameters and I have 100's a second coming in. A short duration test will hopefully be enough.

[serialnoob]

While coding a log system based on some of Perk's code here I had a similar issue on an hosted server, with no ip or strange ones that would not pass the ip check. I ended up reading this www.iana.org/faqs/abuse-faq.htm. my 2ct!

[nutballs]

Interesting. I don't think that was my issue though.