rescueme - 4:26 pm on Jan 20, 2013 (gmt 0)
We have a server configured using Apache 2.2.13. We also have some custom database software running on the machine with its own Apache CGI which has a special command in it to determine what IP address a request is coming from.
Yesterday, someone was trying to break into our database using thousands of queries. I noticed the IP address in our logs initially, so I knew what IP address to try to block, but then the IP address from the "hacker" started appearing as just two colons (::) in our logs.
What I'm wondering, are there two different IP addresses Apache is handling for each request? In other words, is there the "real" IP address where data is being sent to and from, then perhaps a second IP address stuck in the header, that perhaps can be spoofed?
Our database programmer who wrote the CGI that connects it to Apache said he just gets the IP address from Apache, but he programmed this years ago, and doesn't remember from where or how.
So, I'm just wondering, if someone is blocking their IP address with :: how do they get data back? Is it like I am guessing, there is the real IP address and a second IP address specified in the header that can be spoofed?
Any clarification would be very helpful. Thank you!
- Jeff Gold