I run a demo instance of Atomic Lab’s Pion at home that I use for customer demonstrations and generally playing around.
I have been looking recently at the visitor session replay functionality and it’s fascinating to see how many people are out there just randomly scanning for vulnerabilities.
If we drill down into the headers we can see that in many cases the requests have spoofed headers, IP addresses etc
GET http://www.eduju.com/proxyheader.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
The other common request string appears to be:
GET http://188.8.131.52:7182/judge.php HTTP/1.1
All of these requests use up your server resources, but standard analytics won’t show them up, so network-level analytics like Pion are the way to go!