Identifying the culprit behind the "DoS attack"


I only changed the mod_evasive settings yesterday, but today another report came in.

When mod_evasive fires, it records the IP address in the log. Searching the Apache access log for that IP address turned up entries at the time in question.

[25/Feb/2010:10:41:10 +0900] "GET /cgi-bin/daycount/daycount.cgi?1 HTTP/1.1" 200 1650
[25/Feb/2010:10:41:10 +0900] "GET /cgi-bin/daycount/daycount.cgi?3 HTTP/1.1" 200 910
[25/Feb/2010:10:41:10 +0900] "GET /cgi-bin/daycount/daycount.cgi?2 HTTP/1.1" 200 976
 
[25/Feb/2010:10:41:11 +0900] "GET /cgi-bin/daycount/daycount.cgi?2 HTTP/1.1" 200 976
[25/Feb/2010:10:41:11 +0900] "GET /cgi-bin/daycount/daycount.cgi?3 HTTP/1.1" 200 910
[25/Feb/2010:10:41:11 +0900] "GET /cgi-bin/daycount/daycount.cgi?1 HTTP/1.1" 200 1650
 
[25/Feb/2010:10:41:12 +0900] "GET /cgi-bin/daycount/daycount.cgi?1 HTTP/1.1" 200 1650
[25/Feb/2010:10:41:12 +0900] "GET /cgi-bin/daycount/daycount.cgi?3 HTTP/1.1" 200 910
[25/Feb/2010:10:41:12 +0900] "GET /cgi-bin/daycount/daycount.cgi?2 HTTP/1.1" 200 976
 
[25/Feb/2010:10:41:12 +0900] "GET /cgi-bin/daycount/daycount.cgi?1 HTTP/1.1" 403 231
[25/Feb/2010:10:41:12 +0900] "GET /cgi-bin/daycount/daycount.cgi?3 HTTP/1.1" 403 231
[25/Feb/2010:10:41:12 +0900] "GET /cgi-bin/daycount/daycount.cgi?2 HTTP/1.1" 200 976
 
[25/Feb/2010:10:41:13 +0900] "GET /cgi-bin/daycount/daycount.cgi?2 HTTP/1.1" 403 231
[25/Feb/2010:10:41:13 +0900] "GET /cgi-bin/daycount/daycount.cgi?3 HTTP/1.1" 200 910
[25/Feb/2010:10:41:13 +0900] "GET /cgi-bin/daycount/daycount.cgi?1 HTTP/1.1" 200 1650

So the culprit was the counter CGI program.

Most likely the browser's prefetch feature (it was Firefox 3.5.8) was hammering the counter CGI.
For now, I raised DOSPageCount to 10. DOSSiteCount, on the other hand, I put back to 50.
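To see why a page counter hit from a single browser trips the page threshold, the following added example (not from the original post) replays the access-log excerpt above with a mod_evasive-style count per client, per second and per URI path. It assumes a Common Log Format line with a placeholder client address (192.0.2.10, a documentation address), approximates the 1-second DOSPageInterval/DOSSiteInterval by grouping on the log timestamp, and keys the page counter on the path alone, as mod_evasive does with r->uri, so `?1`, `?2` and `?3` all count as the same page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the request lines mirror the excerpt in the post, the
# client fields are a placeholder (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Feb/2010:10:41:10 +0900] "GET /cgi-bin/daycount/daycount.cgi?1 HTTP/1.1" 200 1650
192.0.2.10 - - [25/Feb/2010:10:41:10 +0900] "GET /cgi-bin/daycount/daycount.cgi?3 HTTP/1.1" 200 910
192.0.2.10 - - [25/Feb/2010:10:41:10 +0900] "GET /cgi-bin/daycount/daycount.cgi?2 HTTP/1.1" 200 976
192.0.2.10 - - [25/Feb/2010:10:41:11 +0900] "GET /cgi-bin/daycount/daycount.cgi?2 HTTP/1.1" 200 976
192.0.2.10 - - [25/Feb/2010:10:41:11 +0900] "GET /cgi-bin/daycount/daycount.cgi?3 HTTP/1.1" 200 910
192.0.2.10 - - [25/Feb/2010:10:41:11 +0900] "GET /cgi-bin/daycount/daycount.cgi?1 HTTP/1.1" 200 1650
192.0.2.10 - - [25/Feb/2010:10:41:11 +0900] "GET /index.html HTTP/1.1" 200 4321
"""

# Common Log Format: client ident user [timestamp] "method target proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse(line):
    """Return (client, timestamp, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    client, ts, _method, target, status = m.groups()
    # mod_evasive keys the per-page counter on r->uri, i.e. the path without
    # the query string, so daycount.cgi?1/?2/?3 are one page.
    return client, ts, urlsplit(target).path, int(status)


def hits_per_second(log):
    """Count hits per (client, second, path) and per (client, second)."""
    page, site = Counter(), Counter()
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, ts, path, _status = rec
        page[(client, ts, path)] += 1
        site[(client, ts)] += 1
    return page, site


def offenders(log, page_count, site_count):
    """Groups that reach DOSPageCount (per page) or DOSSiteCount (per site)."""
    page, site = hits_per_second(log)
    return (sorted(k for k, n in page.items() if n >= page_count),
            sorted(k for k, n in site.items() if n >= site_count))


if __name__ == "__main__":
    print("default DOSPageCount 2:", offenders(SAMPLE_LOG, 2, 50)[0])
    print("raised DOSPageCount 10:", offenders(SAMPLE_LOG, 10, 50)[0])
```

With the default DOSPageCount of 2, both seconds of counter traffic qualify even though every request carried a different query string; at 10 neither does, while DOSSiteCount at 50 never comes into play for this volume.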