
raw access log format - why sometimes ip and sometimes domain name?

Comments

13 comments

  • cPRex Jurassic Moderator
    Hey there! I just checked my raw access logs for the month of June for a domain that gets a good amount of traffic, and all my entries in the downloaded .gz file were IP addresses. If you have root access to the server you can submit a ticket to our team so we can check this on our end, or you could contact your hosting provider to see if they have more details about this on their end, as there haven't been any changes that I am aware of that would alter how that is displayed.
    0
  • basd
    Thank you! I previously contacted my hosting provider regarding this issue and their response was that they know nothing about cPanel raw access logs, that they contract it to a 3rd party. Which, I assume, means cPanel. I have access to all of the raw access logs provided by cPanel in gz format, and there was a definite point in time when some (but not all) visitors began being reported in a "domain name" format. I don't know much about raw access logs; the most I could find on this is that apparently some visitors have the ability to specify the string that shows up in the logs in lieu of the IP. (But the server response can't function without an actual IP address, as far as I know, so there must be a valid one reported to the Apache server.) The most annoying part is I am now getting hackers who provide an untraceable domain name -- i.e., it doesn't show up in a DNS search. I don't think I have what you refer to as "root access", if by that you mean access to the Apache logs and the root of the computer on which my website runs. I have full access to my entire cPanel user area, including the "logs" directory. The logs show a clear point in time when the logging changed (which coincidentally was right about the time I started blocking the heck out of the entire internet, including bingbot). I also now have another anomaly -- while the cPanel links to the "current" logs allow me to download the current logs, the links to the "archive" logs are now 404 for some reason. Yet the archive logs are all available, in the "logs" directory where they belong.
    0
  • cPRex Jurassic Moderator
    Do you know specifically when that change is on your machine? You mentioned you can see a "clear point in time" so I'm wondering if that matches up with anything here:
    0
  • basd
    I checked the link you provided; I don't see a comment that suggests there was a change in the manner of reporting. It might coincide with the June 30 updates. However, I do remember seeing logs in this format in the past, but it may have been on my prior hosting company's cPanel. So, I wonder if it is a "parameter" that is given to the Apache conf or something. The following is the first occurrence on my most active site:
    29.51.237.35.bc.googleusercontent.com - - [01/Jul/2021:13:49:06 -0700] "GET /robots.txt HTTP/1.0" 301 241 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
    The following is an example of the bingbot spam that was occurring every 1/2 second 24/7 for days and/or months and/or years (it was an idle site that I "thought" was only displaying a static index.html, but was Joomla-hacked because I did not remove the Joomla code I used before the static page):
    207.46.13.109 - - [01/Jul/2021:12:32:55 -0700] "GET /MzZlNTlTNDI3ODNWNmU1cDg5MzRqZTU5 HTTP/1.1" 403 228 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +
    0
  • cPRex Jurassic Moderator
    Unfortunately I can't say for sure - the machines I've checked only show the IP address, so maybe that host has some reverse DNS-based system in place that tries to correlate some IPs with domains, if possible.
    0
  • basd
    Ok, thanks for your assistance. I'm going to study apache configuration parameters. So, if I find the "switch", maybe I can ask my hosting company to ask their 3rd party manager to switch it back. Or something. (At least I have ruled out it being a cPanel issue). Thanks again.
    0
  • cPRex Jurassic Moderator
    That sounds like an excellent plan to me! I did look around in some places and I can't find exactly what that "switch" could be. Other guides out there not written by us also only make mention of the IP address option, as listed here:
    0
  • basd
    0
  • cPRex Jurassic Moderator
    Nice catch! I have to add the "solved" tag on my end, so I'll do that now!
    0
  • basd
    I wanted to add some additional information for the benefit of anyone who might be researching the issues in this thread. Hosting company says that adding hostname-based .htaccess filters will trigger hostname-lookup logging in the raw access logs. cPanel auto-adds the following, though I don't know whether this code would "count" as a trigger:
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    (See this post:
    0
  • eagleapk11
    Lookups is set to On, then the server will try to determine the hostname and log it in place of the IP address." Now to get my hosting company to change it back. (Apache actually recommends not turning it on because it can slow down the server.) Sorry, I don't know how to mark the thread "solved"!

    Thank you for providing this. I solved my problem. I had been facing the same problem since last week, but then I found this thread.
    0
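    The thread's conclusion is that the Apache HostnameLookups directive (or a hostname-based .htaccess rule that forces a lookup) makes the raw access log record the client's reverse-DNS name instead of its IP address. The PTR record behind that name is controlled by whoever owns the IP block, so the logged string is not something the webmaster can trust, and once the hostname replaces the IP the original address is gone from the log. The Python script below is an added example, not code from cPanel, Apache or anyone in this thread. It parses combined-format log lines modelled on the two entries quoted above plus one constructed hostname, separates IP entries from hostname entries, and tries to recover candidate IPs for the hostname entries with a forward lookup. The resolver is a stub table so the script runs offline; the mapping of the googleusercontent name to 35.237.51.29 is an assumption based on the usual reversed-octet naming, and a real run would replace the stub with socket.getaddrinfo().

```python
"""Triage Apache raw access log lines: IP vs. reverse-DNS hostname in the client field.

Added example; not cPanel or Apache code. Hostname entries that do not resolve
forward are flagged because their origin cannot be recovered from the log.
"""
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed sample in Apache "combined" format. The first two lines are
# modelled on entries quoted in the thread; the third is an invented hostname
# with no DNS record, standing in for the "untraceable domain name" case.
SAMPLE_LOG = """\
29.51.237.35.bc.googleusercontent.com - - [01/Jul/2021:13:49:06 -0700] "GET /robots.txt HTTP/1.0" 301 241 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
207.46.13.109 - - [01/Jul/2021:12:32:55 -0700] "GET /MzZlNTlTNDI3ODNWNmU1cDg5MzRqZTU5 HTTP/1.1" 403 228 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
totally-made-up.example - - [02/Jul/2021:03:15:42 -0700] "GET /wp-login.php HTTP/1.1" 403 228 "-" "Mozilla/5.0"
"""

# client identd user [time] "request" status bytes ["referer" "user-agent"]
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Hypothetical offline stand-in for forward DNS. The googleusercontent mapping
# is an assumption (reversed-octet PTR convention), not a verified record.
FAKE_FORWARD_DNS: Dict[str, List[str]] = {
    "29.51.237.35.bc.googleusercontent.com": ["35.237.51.29"],
}


def fake_resolver(hostname: str) -> List[str]:
    """Return the A records the stub knows for hostname (empty if none)."""
    return FAKE_FORWARD_DNS.get(hostname, [])


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ip_address(client: str) -> bool:
    """True for a literal IPv4/IPv6 address, False for a hostname or junk."""
    try:
        ipaddress.ip_address(client)
        return True
    except ValueError:
        return False


def triage(log_text: str, resolver: Callable[[str], List[str]] = fake_resolver) -> List[dict]:
    """Classify each line's client field and list the IPs it can be tied to."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a recognisable access-log line; skip rather than guess
        client = entry["client"]
        if is_ip_address(client):
            kind, candidates = "ip", [client]
        else:
            # HostnameLookups replaced the IP with a PTR name; the only way back
            # is a forward lookup, and a PTR name its owner invented may have none.
            candidates = resolver(client)
            kind = "hostname-resolved" if candidates else "hostname-unresolvable"
        results.append({
            "client": client,
            "kind": kind,
            "candidate_ips": candidates,
            "request": entry["request"],
            "status": int(entry["status"]),
        })
    return results


def summarize(results: List[dict]) -> Counter:
    """Count entries per classification, e.g. to spot when logging switched to hostnames."""
    return Counter(r["kind"] for r in results)


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f'{r["kind"]:24} {r["client"]:40} -> {r["candidate_ips"] or "no IP recoverable"}')
    print(dict(summarize(rows)))
```

    Running summarize() over a month of logs shows the switch-over point as the day "ip" entries stop and "hostname-*" entries start. Any "hostname-unresolvable" entry is one where the log has lost the address entirely, which is why a block list built from such logs has to be based on the IP-logging domains, as described later in this thread.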
  • basd
    I have learned there is another aspect to this. It seems if my .htaccess has certain blocks (not sure what, but presumably hostname blocks) it will turn HostnameLookups on. For webmasters who want to have the hostnames logged and block by hostname, this is useful, although certain hosts have the ability to make up an infinite number of false hostnames or masquerade as a legit host. Because I have several domain names on the same hosting computer/shared IP, I noticed that a couple of my domains do not log hostnames, strangely *even though* they are in subdirectories of my primary domain and inherit the master .htaccess. I tried replicating the sub .htaccess file to change from hostnames to IPs and couldn't successfully do it, although fortunately, the same malevolent hackers try to hack all of my domains, so when they do I retrieve their IP address from the sub-domain log. I get approximately 0 (zero) legitimate traffic and massive amounts of hacking traffic, so my domains now function primarily as a honeypot from which I have built a very extensive .htaccess block list. I think a lot of it comes from VPN services, and it's a bit interesting to see the patterns of how the malevolent bot managers reassess their efforts and try again. My assessment is it is a relatively smallish pool of hackers using a very large pool of hosts and IPs. I have a big write-up and sample block list at
    0
  • eagleapk11
    I have learned there is another aspect to this. It seems if my .htaccess has certain blocks (not sure what, but presumably hostname blocks) it will turn HostnameLookups on. For webmasters who want to have the hostnames logged and block by hostname, this is useful, although certain hosts have the ability to make up an infinite number of false hostnames or masquerade as a legit host. Because I have several domain names on the same hosting computer/shared IP, I noticed that a couple of my domains do not log hostnames, strangely *even though* they are in subdirectories of my primary domain and inherit the master .htaccess. I tried replicating the sub .htaccess file to change from hostnames to IPs and couldn't successfully do it, although fortunately, the same malevolent hackers try to hack all of my domains, so when they do I retrieve their IP address from the sub-domain log. I get approximately 0 (zero) legitimate traffic and massive amounts of hacking traffic, so my domains now function primarily as a honeypot from which I have built a very extensive .htaccess block list. I think a lot of it comes from VPN services, and it's a bit interesting to see the patterns of how the malevolent bot managers reassess their efforts and try again. My assessment is it is a relatively smallish pool of hackers using a very large pool of hosts and IPs. I have a big write-up and sample block list at my website discussing anonymousfox, hackers and block lists.

    Thank you for sharing. You wrote a detailed guide.
    0
