About every two seconds I am getting:
[Sat Feb 19 19:00:01 2011] [error] [client 69.239.204.217] script '/var/www/html/forum.php' not found or unable to stat
[Sat Feb 19 19:00:04 2011] [error] [client 69.239.204.217] File does not exist: /var/www/html/404.shtml
..in my /var/log/httpd/error_log file.
Sometimes the request will be for forum_asp.php.
I'm assuming it's a bot trying to access insecure forum files, but I'm not so sure since it appears each is a unique IP and not just a few rogue IPs hitting it consecutively. And whois results of the IPs aren't all the classic ISP in Russia or China; they are more end-user addresses (Comcast, etc.).
Any insight into what's going on here would be appreciated.
Also, any techniques people use to do a "live monitor" of web traffic would be appreciated. Right now I'm doing a:
tail -f error_log
Thanks.
This traffic is most likely someone running automated exploit scans on your netblock. If you like writing regular expressions, you can set up Fail2Ban to scan your Apache logs and set up dynamic firewalls to block people who excessively generate lots of 404 errors:
http://www.fail2ban.org/wiki/index.php/Apache
For your second question about monitoring a live system, check out one or all of the following:
(debian/ubuntu)
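To illustrate the log-scanning approach the answer describes, here is an added example (not code from the answer or from Fail2Ban) that parses the two error_log messages quoted in the question and reports both clients that repeatedly hit missing files and missing paths requested by many distinct clients, the pattern the question observes. The function names, thresholds and sample lines are assumptions made for this example; `max_hits` and `window` play the role of Fail2Ban's `maxretry` and `findtime`, and the input is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two Apache 2.2 error_log messages quoted in the question.
NOT_FOUND = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"(?:script '(?P<script>[^']+)' not found or unable to stat"
    r"|File does not exist: (?P<file>[^,\s]+))")

def parse_line(line):
    """Return (timestamp, client_ip, path) for a not-found error, else None."""
    m = NOT_FOUND.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("script") or m.group("file")

def noisy_clients(lines, max_hits=3, window=timedelta(minutes=10)):
    """Clients with max_hits or more not-found errors inside one window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _path in filter(None, map(parse_line, lines)):
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_hits:
            flagged.add(ip)
    return flagged

def probed_paths(lines, min_clients=3):
    """Missing paths requested by min_clients or more distinct clients."""
    seen = defaultdict(set)
    for _ts, ip, path in filter(None, map(parse_line, lines)):
        seen[path].add(ip)
    return {p: len(ips) for p, ips in seen.items() if len(ips) >= min_clients}

# Constructed sample input (documentation-range addresses, not real clients).
SAMPLE = """\
[Sat Feb 19 19:00:01 2011] [error] [client 192.0.2.10] script '/var/www/html/forum.php' not found or unable to stat
[Sat Feb 19 19:00:03 2011] [error] [client 198.51.100.7] script '/var/www/html/forum.php' not found or unable to stat
[Sat Feb 19 19:00:04 2011] [error] [client 192.0.2.10] File does not exist: /var/www/html/404.shtml
[Sat Feb 19 19:00:05 2011] [error] [client 203.0.113.5] script '/var/www/html/forum.php' not found or unable to stat
[Sat Feb 19 19:00:06 2011] [error] [client 192.0.2.10] script '/var/www/html/forum_asp.php' not found or unable to stat
[Sat Feb 19 19:00:07 2011] [notice] caught SIGTERM, shutting down
""".splitlines()

if __name__ == "__main__":
    print(sorted(noisy_clients(SAMPLE)), probed_paths(SAMPLE))
```

A per-client threshold only catches a source that repeats; when every request comes from a different address, the per-path count is the signal that still shows the scan.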