Raw Access Log vs Request Header Log: Differences, Spammer Message

TorontoBoy

11:07 pm on Nov 14, 2018 (gmt 0)

Someone spammed my WP site, so of course I will hunt them down. I found some major differences between my raw access and request header logs.

For other requests for the same day, same access logs, other than my standard 5 hr time difference, both logs agree perfectly. For example on the same day:
40.77.167.52 [31/Oct/2018:20:00:54 GET /wp/tag/mozilla/ HTTP/1.1 200 37309 - Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

2018-11-01:00:00:54
URL: /wp/tag/mozilla/
IP: 40.77.167.52
Accept: */*
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Connection: Keep-Alive
Host: example.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

This spammer left a spam message. From WP's Admin, in Akismet I see the message, and this correlates with my request header log in time/date, request URL, and IP. However, I cannot find this POST in my raw access log. I searched the request header log for that IP and found 5 hits, none of which are in my raw access log. These are full WP pages, which should always be logged in both the raw access log and the request header log. I have searched for the unique UA, the specific time/date, and the specific request URL, none of which I can correlate in my raw access log. More interestingly, all 5 requests include an Accept-Language: en-US,en;q=0.9. This should be a human? The IP is from a local Canadian residential ISP, whose IP changes regularly. The IP could have been faked.

No harm no foul, but how can the two logs be so different? Is there some way that a hacker can bypass Apache's raw access logging? It looks like I was visited by a ghost.

All other spam comments can be located in both logs: time/date, IP, UA, requested resource, all the same.

2018-11-01:13:52:51
URL: /wp/2017/02/09/parking-ticket-city/
IP: 72.140.15.233
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Host: example.com
Referer: [google.ca...]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

2018-11-01:13:58:19
URL: /wp/about/
IP: 72.140.15.233
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: _ga=GA1.2.1188622668.1541080374; _gid=GA1.2.552652599.1541080374
Host: example.com
Referer: https://example.com/wp/2017/02/09/parking-ticket-city/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

2018-11-01:13:58:28
URL: /wp/drupal-6/
IP: 72.140.15.233
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: _ga=GA1.2.1188622668.1541080374; _gid=GA1.2.552652599.1541080374; _gat=1
Host: example.com
Referer: https://example.com/wp/about/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

2018-11-01:14:07:08
URL: /wp/drupal-6/comment-page-1/
IP: 72.140.15.233
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie: _ga=GA1.2.1188622668.1541080374; _gid=GA1.2.552652599.1541080374
Host:example.com
Referer: https://example.com/wp/drupal-6/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

2018-11-01:14:15:26
URL: /wp/2017/02/09/parking-ticket-city/
IP: 72.140.15.233
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: _ga=GA1.2.1188622668.1541080374; _gid=GA1.2.552652599.1541080374
Host:example.com
Referer: [google.ca...]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

Do you see anything odd in my request header log entries?

[edited by: TorontoBoy at 12:18 am (utc) on Nov 15, 2018]
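A small correlator, added here as an example and not the poster's own tooling: it parses Apache's combined access log and the header-log layout quoted above, converts each Apache timestamp to UTC from its zone suffix, and lists the header-log hits that have no access-log line for the same IP and URL within a few seconds. The combined-format bingbot line, its -0400 zone and the assumption that the header log's stamps are already UTC are constructed for the sample; the `browser_like` flag records the Accept-Language observation made in the post.

```python
import re
from datetime import datetime, timezone

# Apache "combined" LogFormat; the bingbot line re-expands the post's trimmed entry (constructed; -0400 assumed).
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"$')
ACCESS_LOG = ('40.77.167.52 - - [31/Oct/2018:20:00:54 -0400] "GET /wp/tag/mozilla/ HTTP/1.1" 200 37309 '
              '"-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"\n')
# Header log as quoted in the post: blank-line separated blocks, a timestamp line then "Key: value"
# lines. Constructed sample; its timestamps are assumed to be UTC.
HEADER_LOG = """2018-11-01:00:00:54
URL: /wp/tag/mozilla/
IP: 40.77.167.52

2018-11-01:14:07:08
URL: /wp/drupal-6/comment-page-1/
IP: 72.140.15.233
Accept-Language: en-US,en;q=0.9
Host:example.com
"""

def parse_access_log(text):
    """Parse combined-format lines; the zone suffix is used to convert each stamp to naive UTC."""
    rows = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        rows.append({"ip": m.group(1), "url": m.group(3),
                     "ts": ts.astimezone(timezone.utc).replace(tzinfo=None)})
    return rows

def parse_header_log(text):
    """Parse the header log into one dict per request block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        stamp, *lines = block.strip().splitlines()
        pairs = (line.partition(":") for line in lines)   # tolerates "Host:example.com" (no space)
        headers = {k.strip().lower(): v.strip() for k, _, v in pairs}
        entries.append({"ip": headers.get("ip"), "url": headers.get("url"),
                        "ts": datetime.strptime(stamp.strip(), "%Y-%m-%d:%H:%M:%S"),
                        "browser_like": "accept-language" in headers})
    return entries

def unmatched_header_entries(access_rows, header_entries, tolerance_s=2):
    """Header-log hits with no access-log line for the same IP and URL within tolerance_s seconds."""
    seen = {}
    for r in access_rows:
        seen.setdefault((r["ip"], r["url"]), []).append(r["ts"])
    return [h for h in header_entries
            if not any(abs((h["ts"] - t).total_seconds()) <= tolerance_s
                       for t in seen.get((h["ip"], h["url"]), []))]
```

Running it over the two real logs for the day gives the exact list of requests that reached the header logger but not Apache, which is the set worth investigating.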

tangor

12:10 am on Nov 15, 2018 (gmt 0)

One needs to ask where the fake can be had ... the raw log or the header log?

Unless you don't trust the raw log, I would look at the header log...

Then again, I don't run WP so the comment might mean nothing.

TorontoBoy

12:17 am on Nov 15, 2018 (gmt 0)

A spam comment need not have their real IP because after posting spam they do not care about a return result. Therefore spammers often use someone else's IP.

I would expect that the IP used, fake or real, should be the same in both the raw access log and the request header log. One entry should not be missing.