|Log shows localhost rather than IP|
| 12:59 pm on Apr 14, 2005 (gmt 0)|
I have a band's website that I maintain, and looking at the log this morning I noticed some entries that I have never seen before, on any of my sites. Instead of showing the IP the log shows the request as coming from "localhost - -"
Here is a sample entry
localhost - - [13/Apr/2005:02:42:22 -0400] "GET /Downloads/I_love_widgets.mp3 HTTP/1.1" 200 95961 "http://www.thebestbandeverinthehistoryofexamples.com/band.html" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
I have 5 entries like the above, all links from that same site to an mp3 file on my site, each of them about two minutes apart. Why would it show localhost rather than the IP? This concerned me and I spent several hours searching with Google and couldn't find any references to anything similar.
I went to the "bestbandeverinthehistoryofexamples" site and clicked on the link back to the mp3 on my site, then checked the log and it showed my IP and everything was correct.
Anyone ever seen this before, or have any ideas why?
[edited by: trillianjedi at 3:44 pm (utc) on April 14, 2005]
[edit reason] Examplified [/edit]
| 2:17 pm on Apr 14, 2005 (gmt 0)|
|Instead of showing the IP the log shows the request as coming from "localhost - -" |
From the appearance of "localhost" it seems that you have enabled the reverse lookup feature in Apache to show you the PTR names of IP addresses where they are available, and show you just the IP address where no PTR record exists in the DNS.
This "localhost" now may come from 2 sources:
-1- you have a local user on your server box reading your pages thru a web interface on 127.0.0.1. Maybe.
-2- you have a visitor with a ... hmm let's say 'cloaked' or faked PTR record in the DNS just resolving his IP address 10.22.33.44 to a faked "localhost." instead of a real domain name which would forward resolve. Technically, this is not a problem, and there is no technical need that a PTR name has to forward resolve and both being the same -- however, it is a sign of sloppy or clueless bad practice network administration, if not malicious intent.
While this "localhost" is very obvious (I also have seen a plain "." so far), a faked PTR name "1.2.3-this.example.com" while it in fact should have been "9.8.7.other.host" would go by nearly unnoticed at all.
To overcome those guys hiding behind faked PTR names I generally and always record the pure IP address. This is necessary if you would ever go after abusive or malicious activities -- the only proof you can have is in the IP address, not in a faked PTR name.
Don't trust in PTR names. They may be OK -- or not.
Additionally, a general block of apparently invalid fake host names of "." or "localhost" (if not associated with 127.0.0.0/24) in the .htaccess may help.
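Added example, not part of the original thread or any poster's code: a Python check for the two points made in the reply above. It flags access-log entries whose client field is a name rather than an IP, and it forward-confirms a PTR name against the connecting IP. The sample log lines, the DNS table and all function names are constructed for illustration; the resolver is passed in as a callable so the check runs offline.

```python
import ipaddress
import re

# Apache combined log format; only the leading fields are needed here.
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Names the reply calls out as fake unless the client really is on loopback.
SUSPECT_NAMES = {"localhost", "."}

def classify_client(host):
    """Classify the first log field: 'ip', 'suspect-name' or 'name'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        name = host.lower().rstrip(".") or "."
        return "suspect-name" if name in SUSPECT_NAMES else "name"

def forward_confirmed(ip, ptr_name, resolve):
    """True only if ptr_name resolves back to ip; resolve maps name -> address list."""
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == want for a in resolve(ptr_name))

def audit(lines):
    """Return (timestamp, host, kind) for entries not logged as a plain IP."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            kind = classify_client(m.group("host"))
            if kind != "ip":
                findings.append((m.group("ts"), m.group("host"), kind))
    return findings

# Constructed sample data (first line modelled on the entry quoted in the thread).
SAMPLE_LOG = [
    'localhost - - [13/Apr/2005:02:42:22 -0400] "GET /Downloads/I_love_widgets.mp3 HTTP/1.1" 200 95961 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [13/Apr/2005:02:43:01 -0400] "GET /band.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'host7.example.net - - [13/Apr/2005:02:44:30 -0400] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]
SAMPLE_DNS = {"localhost": ["127.0.0.1"], "host7.example.net": ["192.0.2.77"]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    # A client at 10.22.33.44 whose PTR claims "localhost" fails confirmation.
    print(forward_confirmed("10.22.33.44", "localhost", lambda n: SAMPLE_DNS.get(n, [])))
```

Entries flagged by audit() have already lost the client IP in the log itself, which is why the forward check needs the address recorded separately at request time.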
| 3:39 pm on Apr 14, 2005 (gmt 0)|
They have a hosted site with a provider, it's a typical virtual host setup, so I don't have much control other than the use of .htaccess files. The provider does have it configured for reverse lookup as the PTR names are already in the combined access_log.
You are probably correct about it being cloaked. It's a death metal music topic, and would likely be visited by many young adults, so the demographics would certainly fit that type of activity.
As I had never seen that in a log before I was concerned it was possibly a script that was running, as it seemed the request came from the localhost. Yet the log does show a referring site, and a legitimate link to the file does exist on that site. It just didn't make sense so I wanted to find out more. I don't know what might have happened to the site before I took it over so thought I better investigate it a little.
But since it doesn't appear to be a security issue, I feel better about it now, so I'll move on to the next fire I need to put out and just keep an eye on the logs.
Thanks for the reply