Strange connections to Apache from


In my (default) access.log I find these connections from with
an invalid HTTP request:

- - [16/Jan/2007:17:25:23 +0100] "GET /" 400 584 "-" "-"
- - [16/Jan/2007:17:25:26 +0100] "GET /" 400 584 "-" "-"

I cannot figure out what causes these connections. What disturbs me is:
- The HTTP request is invalid: The response is 400 (Bad Request)
- It is originating locally
- There is no User-Agent identification string
- It cannot be a cron job. Those requests appear at irregular times.
  There might be a distance of 10 minutes, but not necessarily. There
  might be a sequence of 3 in a row (every second), but not
  necessarily. Examples of such consecutive requests:
  12:57:18, 19, 20
  13:07:23, 24, 25
  13:17:26, 27, 28
  17:25:23, 26
  19:13:41, 42, ... every second until 19:14:15
  So it actually can't be a cron job.

No entries occur in the error.log.

In Google I only found few cases where people had exactly the same
phenomenon, but I found no hint what it could be.

I'm monitoring HTTP from a monitoring host, but those requests show the
correct remote IP and a correct HTTP request. The only local monitoring
tool I have running is cacti, but that doesn't do any HTTP requests.
The AWStats cron-job actually *is* running every 10 minutes, but I
couldn't find a location in the perl-script where those requests could be

I have to assume that I have an intruder in my system until I find out
the opposite.

Thanks for any hints!

Best regards

Re: Strange connections to Apache from


I think I found out the opposite. I can reproduce those log lines.

I have a PHP weblog installed (Serendipity), and after requesting
certain pages with my browser, those requests show up
*exactly* 20 seconds later. First I thought that those log lines had
something to do with the mimeTeX plugin: A reference to the PHP file
including some GET parameters is embedded in the HTML as image. The PHP
script calls LaTeX to render the output and generate an image, which is
then sent back by the web server. But I think I could also produce those
requests with other images I uploaded into Serendipity.

It appears that those locally originating requests have their cause in
some kind of timeout. I'll ask the Serendipity guys.



Re: Strange connections to Apache from


For the sake of completeness, I also post my solution here:

I finally found out that this ought to be Apache-2.2's internal dummy
connections. They had the above form as long as my Apache-SSL config
looked like

NameVirtualHost *:443
<VirtualHost *:443>

Now, I use the IP instead of the `*' and - lo and behold - the
transform into

- - [21/Feb/2007:19:08:52 +0100] "GET / HTTP/1.0" 200 3202 "Apache/2.2.3 (Debian) PHP/5.2.0-8 mod_ssl/2.2.3 OpenSSL/0.9.8c (internal dummy connection)"

I didn't want to spend much time trying to understand what those dummy
connections are good for. It seems like Apache2 kills some of its
children such that the number of MaxSpareServers isn't exceeded. And I
wasn't aware that the Apache syntax `*:443' is somehow deprecated.

Best regards
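
A triage sketch for the two log shapes discussed in this thread, added here as an example and not code from any of the posters or from Apache. It assumes the combined LogFormat and that the source address stripped from the posts was a loopback address; the sample lines are constructed from the entries quoted above.

```python
import re
from collections import Counter

# Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumption: "originating locally" in the first post means a loopback source.
LOOPBACK = {"127.0.0.1", "::1"}


def classify(line):
    """Label one access.log line for triage of locally originating requests."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    if m["host"] not in LOOPBACK:
        return "remote"
    # Shape from the last post: the User-Agent carries the dummy-connection tag.
    if "(internal dummy connection)" in m["agent"]:
        return "dummy-tagged"
    # Shape from the first post: no protocol version, 400, no referer, no agent.
    if (m["request"], m["status"], m["referer"], m["agent"]) == ("GET /", "400", "-", "-"):
        return "dummy-shaped"
    # Any other loopback request is what still needs a human look.
    return "local-other"


def summarize(lines):
    """Count lines per label."""
    return Counter(classify(line) for line in lines)


# Constructed sample input (addresses and the last two entries are made up).
SAMPLE = [
    '127.0.0.1 - - [16/Jan/2007:17:25:23 +0100] "GET /" 400 584 "-" "-"',
    '127.0.0.1 - - [21/Feb/2007:19:08:52 +0100] "GET / HTTP/1.0" 200 3202 "-" '
    '"Apache/2.2.3 (Debian) PHP/5.2.0-8 mod_ssl/2.2.3 OpenSSL/0.9.8c (internal dummy connection)"',
    '127.0.0.1 - - [21/Feb/2007:19:09:10 +0100] "POST /upload.php HTTP/1.1" 200 512 "-" "curl/7.15.5"',
    '192.0.2.10 - - [21/Feb/2007:19:09:12 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label:14} {count}")
```

Both dummy labels describe only the shape of the line: any local process can send the same request or User-Agent string, so they narrow down what to review and do not prove the request came from Apache itself.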
