SOLVED raw access log format - why sometimes ip and sometimes domain name?

basd

Member
Jul 4, 2021
7
0
1
california
cPanel Access Level
Website Owner
Sorry, I did not find any explanation regarding raw access log entry format. Normally, I see all entries showing the IP the access is from. This seemed to change a couple of days ago, so I started seeing entries such as the IP with dashes rather than dots, combined with the host name, or things like "placeholder.sitelock.com" with no IP information, and some that are even more obscure. Sometimes I can get a DNS IP from abuseipdb.com, sometimes I cannot. Is there a parameter somewhere that can be set so that every entry shows the IP? The change occurred with respect to my own access -- sometimes my IP is shown, sometimes with dashes and showing the company that provides my internet access.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,951
921
313
cPanel Access Level
Root Administrator
Hey there! I just checked my raw access logs for the month of June for a domain that gets a good amount of traffic, and all my entries in the downloaded .gz file were IP addresses. If you have root access to the server you can submit a ticket to our team so we can check this on our end, or you could contact your hosting provider to see if they have more details about this on their end, as there haven't been any changes that I am aware of that would alter how that is displayed.
 

basd

Member
cPanel Access Level
Website Owner
Thank you! I previously contacted my hosting provider regarding this issue and their response was they know nothing about cPanel raw access logs, that they contract to a 3rd party. Which, I assume, means cPanel. I have access to all of the raw access logs provided by cPanel in gz format, and there was a definite point in time when some (but not all) visitors began being reported in a "domain name" format. I don't know much about raw access logs; the most I could find on this is that apparently some visitors have the ability to specify the string that shows up in the logs in lieu of the IP. (But, the server response can't function without an actual IP address, as far as I know, so there must be a valid one reported to the Apache server.) The most annoying part is I am now getting hackers who provide an untraceable domain name -- i.e., it doesn't show up in a DNS search. I don't think I have what you refer to as "root access", if by that you mean access to the Apache logs and the root of the computer on which my website runs. I have full access to my entire cPanel user area, including to the "logs" directory. The logs show a clear point in time when the logging changed (which coincidentally was right about the time I started blocking the heck out of the entire internet, including bingbot). I also now have another anomaly -- while the cPanel links to the "current" logs allow me to download the current logs, the links to the "archive" logs are now 404 for some reason. Yet the archive logs are all available, in the "logs" directory where they belong.
 

basd

Member
cPanel Access Level
Website Owner
I checked the link you provided, I don't see a comment that suggests there was a change in the manner of reporting. It might coincide with the June 30 updates. However, I do remember seeing logs in this format in the past, but it may have been on my prior hosting company's cPanel. So, I wonder if it is a "parameter" that is given to the Apache conf or something. The following is the first occurrence on my most active site:

29.51.237.35.bc.googleusercontent.com - - [01/Jul/2021:13:49:06 -0700] "GET /robots.txt HTTP/1.0" 301 241 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"

The following is an example of the bingbot spam that was occurring every 1/2 second 24/7 for days and/or months and/or years (it was an idle site that I "thought" was only displaying a static index.html, but was Joomla-hacked because I did not remove the Joomla code I used before the static page):

207.46.13.109 - - [01/Jul/2021:12:32:55 -0700] "GET /MzZlNTlTNDI3ODNWNmU1cDg5MzRqZTU5 HTTP/1.1" 403 228 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +Bing Webmaster Tools)"

Here is one of the formats that is very difficult to block because I can't get an IP from DNS:

relay-24.y3k0.com - - [05/Jul/2021:11:58:07 -0700] "GET /.git/config HTTP/1.1" 301 246 "-" "Go-http-client/1.1"

Once the hackers can provide gibberish aliases, then the number of such aliases becomes "infinite" and it becomes almost impossible to block the attacker(s). At least, without effectively shutting down my own website. (For instance, blocking the bingbot is counter-productive because then my pages fall out of the Bing search engine.)

I think it must be parameter based somehow, because I have found cPanel users complaining that their raw access logs ONLY show IP numbers and no domain information ...

basd

Member
cPanel Access Level
Website Owner
Ok, thanks for your assistance. I'm going to study apache configuration parameters. So, if I find the "switch", maybe I can ask my hosting company to ask their 3rd party manager to switch it back. Or something. (At least I have ruled out it being a cPanel issue). Thanks again.
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level
Root Administrator
That sounds like an excellent plan to me!

I did look around in some places and I can't find exactly what that "switch" could be. Other guides out there not written by us also only make mention of the IP address option, as listed here:


so I would bet it's something on the host's side.
 

basd

Member
cPanel Access Level
Website Owner
I wanted to add some additional information for the benefit of anyone who might be researching the issues in this thread. Hosting company says that adding hostname-based .htaccess filters will trigger hostname-lookup logging in the raw access logs. cPanel auto-adds the following, though I don't know whether this code would "count" as a trigger:

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

(See this post: Comodo entries added to htaccess)

I have yet to verify my hosting company's information. That is, I removed what I thought might be the "hostname-based" filtering tech support referred to, but as far as I can tell, my logs are still reporting hostname-lookup rather than IP. Also, I did not place any hostname-based filtering until I started seeing hostname-lookup in my logs, so I am skeptical that this is the issue. I might try a completely blank .htaccess on a subdomain to see if that gets me back to IP based logs (although I'm not sure whether the subdomain .htaccess would override the block list in the domain .htaccess). Experimentation continues, because 99.99% of my traffic consists of hacking attempts. But, I have reduced that by about 90% now. (I think that re-routing hackers to a page that logs and displays their IPs may have dissuaded some of the beginner-wannabe-hackers -- as opposed to the more professional ones.)

Hostname-lookup raw access reports are not problematic *except* when it reports a hostname that cannot be resolved via DNS lookup, and is a seemingly random string of some sort. I have yet to discover how this can happen -- presumably hostname-lookup actually makes a reverse-IP DNS query, so how do I end up with hostnames that cannot be found in DNS? One of the many internet mysteries ...

And further update: I did get my logs to revert to reporting IPs and not hostname_lookup. I took out all of the "deny [hostname]" entries. That did not work until I ALSO discovered that I had inadvertently entered an IP deny as "xxx-xxx-xxx-xxx". I corrected that entry to "deny xxx.xxx.xxx.xxx" and "problem solved". [Although, I kinda like being able to block hostnames ... but then I get entries with no IP. What to do? Maybe I will try having one domain using hostnames and another using IPs so that when hackers hit my site(s), I will get a log with the IP address AND a log with the hostname address. Conundrum.]
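What basd worked out in the post above lines up with the Apache mod_log_config documentation for the `%h` field: it logs the client address when HostnameLookups is Off (the default), and "if it logs the hostname for only a few hosts, you probably have access control directives mentioning them by name". Any `Deny from` / `Allow from` (or `Require host`) argument that is not an address is treated as a hostname and forces a double reverse lookup on every request, and the name that lookup produces is what the logger then writes. A dashed entry such as `203-0-113-8` is not an address, so it counts as a hostname rule. The Python below is an added example, not code from this thread or from cPanel: it parses the three log lines quoted earlier, separates address entries from hostname entries, runs a forward-confirmed reverse DNS check against a constructed offline stand-in for DNS (every PTR/A mapping in it is an assumption, including 198.51.100.7 as a made-up origin for relay-24.y3k0.com), and lints a .htaccess Deny list for arguments that will trigger lookups.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %h is the client address unless Apache already resolved it to a name
# (HostnameLookups On, or a host-based Deny/Allow/Require rule that forced a lookup).
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>-|\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The three lines quoted in this thread, used here as constructed sample input.
SAMPLE_LOG = [
    '207.46.13.109 - - [01/Jul/2021:12:32:55 -0700] "GET /MzZlNTlTNDI3ODNWNmU1cDg5MzRqZTU5 HTTP/1.1" 403 228 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +Bing Webmaster Tools)"',
    '29.51.237.35.bc.googleusercontent.com - - [01/Jul/2021:13:49:06 -0700] "GET /robots.txt HTTP/1.0" 301 241 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"',
    'relay-24.y3k0.com - - [05/Jul/2021:11:58:07 -0700] "GET /.git/config HTTP/1.1" 301 246 "-" "Go-http-client/1.1"',
]
# Offline stand-in for DNS (assumed mappings, not live records). PTR records are
# published by whoever controls the address block and need no matching A record,
# which is why a logged name can turn out to be unresolvable.
FAKE_PTR: Dict[str, str] = {
    "207.46.13.109": "msnbot-207-46-13-109.search.msn.com",
    "35.237.51.29": "29.51.237.35.bc.googleusercontent.com",
    "198.51.100.7": "relay-24.y3k0.com",  # made-up origin (TEST-NET-2), PTR only
}
FAKE_A: Dict[str, List[str]] = {
    "msnbot-207-46-13-109.search.msn.com": ["207.46.13.109"],
    "29.51.237.35.bc.googleusercontent.com": ["35.237.51.29"],
}
VERDICT_IP = "address logged: block by IP/CIDR"
VERDICT_NAME_OK = "hostname logged: address lost, name has a forward record"
VERDICT_NAME_BAD = "hostname logged: address lost, name does not resolve"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_ip_literal(text: str) -> bool:
    """True when a %h field (or an access-rule argument) is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def fcrdns(ip: str, ptr=FAKE_PTR, fwd=FAKE_A) -> Tuple[Optional[str], bool]:
    """Forward-confirmed reverse DNS: PTR gives a name, and that name's A records
    must contain the original address. Apache does this 'double reverse' for
    host-based access rules; HostnameLookups On alone does only the PTR half."""
    name = ptr.get(ip)
    return (None, False) if name is None else (name, ip in fwd.get(name, []))


def audit(lines: List[str], ptr=FAKE_PTR, fwd=FAKE_A) -> List[Dict[str, object]]:
    """Classify each line's client field and say whether it is usable for blocking."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        if is_ip_literal(client):
            name, confirmed = fcrdns(client, ptr, fwd)
            out.append({"client": client, "kind": "ip", "ptr": name,
                        "confirmed": confirmed, "verdict": VERDICT_IP})
        else:
            # The address was never written to the log; a name can only be looked
            # up forward, to whatever A record (if any) its owner chose to publish.
            verdict = VERDICT_NAME_OK if client in fwd else VERDICT_NAME_BAD
            out.append({"client": client, "kind": "hostname", "ptr": None,
                        "confirmed": False, "verdict": verdict})
    return out


ACCESS_RE = re.compile(r"^\s*(?:deny|allow)\s+from\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
PARTIAL_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,3}")  # "10.1" means 10.1.0.0/16
DASHED_IP_RE = re.compile(r"\d{1,3}(?:-\d{1,3}){3}")
PROBLEM_DASHED = "dashed address is read as a hostname; write it with dots"
PROBLEM_HOST = "hostname rule: forces a double reverse lookup on every request"


def lint_access_rules(htaccess: str) -> List[Tuple[str, str]]:
    """Flag mod_access_compat Deny/Allow arguments that are not addresses. Apache
    treats any such argument as a (partial) hostname, and one such rule is enough
    to make %h show a name for every client whose double reverse lookup succeeds."""
    findings: List[Tuple[str, str]] = []
    for m in ACCESS_RE.finditer(htaccess):
        for arg in m.group(1).split():
            if arg.lower() == "all" or arg.lower().startswith("env="):
                continue
            try:
                ipaddress.ip_network(arg, strict=False)  # full IP, CIDR, netmask form
                continue
            except ValueError:
                pass
            if PARTIAL_IP_RE.fullmatch(arg):
                continue
            problem = PROBLEM_DASHED if DASHED_IP_RE.fullmatch(arg) else PROBLEM_HOST
            findings.append((arg, problem))
    return findings
```

Run `audit(SAMPLE_LOG)` and the bingbot line comes back as an address you can block, while both name-only lines come back with the address marked as lost: once `%h` has been replaced by a name, nothing in the log lets you get the connecting IP back, and a name whose owner publishes no forward record (the relay-24.y3k0.com case) resolves to nothing at all. `lint_access_rules` is the check to run over a block list before blaming the host: every non-address argument it reports is a rule that will keep reverse lookups on and keep names appearing in the log.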

eagleapk11

Registered
Jul 28, 2021
2
1
0
islamabad
cPanel Access Level
Website Owner

Found it! "If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. " Now to get my hosting company to change it back. (Apache actually recommends not turning it on because it can slow down the server.)

Sorry, I don't know how to mark thread "solved"!
Thank you for providing this. I solved my problem. I was facing the same problem for the last week, but I found this thread.

basd

Member
cPanel Access Level
Website Owner
I have learned there is another aspect to this. It seems if my .htaccess has certain blocks (not sure what, but presumably hostname blocks) it will turn hostnamelookup on. For webmasters who want to have the hostnames logged and block by hostname, this is useful, although certain hosts have the ability to make up an infinite number of false hostnames or masquerade as a legit host. Because I have several domain names on the same hosting computer/shared ip, I noticed that a couple of my domains do not log hostnames, strangely *even though* they are in subdirectories of my primary domain and inherit the master .htaccess. I tried replicating the sub .htaccess file to change from hostnames to IPs and couldn't successfully do it, although fortunately, the same malevolent hackers try to hack all of my domains, so when they do I retrieve their ip address from the sub-domain log. I get approximately 0 (zero) legitimate traffic and massive amounts of hacking traffic, so my domains now function primarily as a honeypot from which I have built a very extensive .htaccess block list. I think a lot of it comes from VPN services, and it's a bit interesting to see the patterns of how the malevolent bot managers reassess their efforts and try again. My assessment is it is a relatively smallish pool of hackers using a very large pool of hosts and IPs. I have a big write-up and sample block list at my website discussing anonymousfox, hackers and block lists.