I run a smallish website that received a little bit of traffic. Today I noticed a lot of odd port scanner requests to the website in the access log.
This is a snippet of logs (ignore the internal dummy connections):
This is what a legitimate request to / looks like:
Searching these IPs on the abuse IP database shows that a lot of them have been reported in the past. Any explanation to this? Is this a small botnet? Most of the IPs are fixed line. Normally port scanners make one request and leave the site.