Welcome to WebmasterWorld Guest from

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Help with IP Addresses Passed by Apache in Header

Need help to stop server break-in attempts.

4:26 pm on Jan 20, 2013 (gmt 0)

New User

5+ Year Member

joined:Jan 12, 2009
posts: 24
votes: 0


We have a server configured using Apache 2.2.13. We also have some custom database software running on the machine with its own Apache CGI which has a special command in it to determine what IP address a request is coming from.

Yesterday, someone was trying to break into our database using thousands of queries. I noticed the IP address in our logs initially, so I knew what IP address to try to block, but then the IP address from the "hacker" started appearing as just two colons (::) in our logs.

What I'm wondering, are there two different IP addresses Apache is handling for each request? In other words, is there the "real" IP address where data is being sent to and from, then perhaps a second IP address stuck in the header, that perhaps can be spoofed?

Our database programmer who wrote the CGI that connects it to Apache said he just gets the IP address from Apache, but he programmed this years ago, and doesn't remember from where or how.

So, I'm just wondering, if someone is blocking their IP address with :: how do they get data back? Is it like I am guessing, there is the real IP address and a second IP address specified in the header that can be spoofed?

Any clarification would be very helpful. Thank you!

- Jeff Gold
4:46 pm on Jan 20, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
votes: 3

the lack of the complete log entry is simply an overload on your database and/or the software (CGI script) that runs it.

Most raw logs (even under normal circumstance) have an occasional hiccup and an odd-date-line appears incomplete.