How can an IP address be in REMOTE_ADDR but not in Apache log

Question

Our website appears to be under attack from URLs with MySQL statements in them.

From my PHP code I access $_SERVER['REMOTE_ADDR'] to see a value of 5.39.44.16

I've tried blocking 5.39.44.16 in our firewall but with no success.

Then I look in the Apache access.log but I cannot find 5.39.44.16

How can REMOTE_ADDR show an address that has not been logged in my Apache log?
Any suggestions on the right way to handle these attacks?

Can you confirm this address using tcpdump, wireshark or some similar tool? — Hankster, May 04 '15 at 00:58

score 0 · Answer 1 · edited May 23 '17 at 12:14

Well not sure this will answer it, but perhaps give you more information to go on. It seems it can't be faked easily since it's set by the web server which is apache. However, perhaps it's using the x-forwarded-for address if it's going through a proxy? I'm not sure why it would be different in Apache versus PHP though. More info on this question: How to fake $_SERVER['REMOTE_ADDR'] variable?

score 0 · Answer 2 · answered May 04 '15 at 19:23

0

My mistake. I was looking at the wrong Apache log file.

answered May 04 '15 at 19:23

Ian

679
1
8
17

How can an IP address be in REMOTE_ADDR but not in Apache log

2 Answers2