Yes, the Internet is a War Zone
Here's a sample report of the numbers and types of attacks a server that gets about 400k requests/day experience...at least, it did before I blocked about 200 countries (the service is very specific to the US/CA/UK).
This report covers a 9 days period. It only covers web based attacks and not attacks on other ports or brute force attacks.
512,815 SQL Injection Attack Detected via libinjection
6,567 Remote Command Execution: Windows Command Injection
1,394 Detects conditional SQL injection attempts
1,349 HTTP Response Splitting Attack
1,268 IE XSS Filters - Attack Detected.
922 NoScript XSS InjectionChecker: HTML Injection
909 XSS Attack Detected via libinjection
838 Request Missing a Host Header
561 Remote Command Execution: Unix Shell Expression Found
516 XSS Filter - Category 4: Javascript URI Vector
286 Node-Validator Blacklist Keywords
219 XSS Filter - Category 3: Attribute Vector
164 Inbound Anomaly Score Exceeded (Total ...) ...
90 Path Traversal Attack (/../)
73 Remote Command Execution: Windows FOR/IF Command Found
62 Host header is a numeric IP address
62 Found User-Agent associated with security scanner
61 URL Encoding Abuse Attack Attempt
52 Remote Command Execution: Direct Unix Command Execution
44 Remote Command Execution: Unix Command Injection
34 Detects concatenated basic SQL injection and SQLLFI attempts
30 HTTP Request Smuggling Attack
28 SQL Injection Attack: Common DB Names Detected
25 Restricted File Access Attempt
22 Detects MySQL and PostgreSQL stored procedure/function injections
21 OS File Access Attempt
15 NoScript XSS InjectionChecker: Attribute Injection
14 US-ASCII Malformed Encoding XSS Filter - Attack Detected.
13 XSS Filter - Category 1: Script Tag Vector
13 URL file extension is restricted by policy
11 PHP Information Leakage
11 Correlated Successful Attack Identified: (Total ...) ...
10 Remote Command Execution: Unix Shell Code Found
10 PHP Injection Attack: High-Risk PHP Function Call Found
9 mysql SQL Information Leakage
9 Looking for basic sql injection. Common attack string for mysql, oracle and others.
9 Detects MSSQL code execution and information gathering attempts
8 Method is not allowed by policy
7 PHP Injection Attack: Configuration Directive Found
7 Directory Listing
4 POST request missing Content-Length Header.
3 postgres SQL Information Leakage
2 PHP source code leakage
2 PHP Injection Attack: Serialized Object Injection
2 Multiple/Conflicting Connection Header Data Found.
2 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
1 Outbound Anomaly Score Exceeded (score 13): PHP source code leakage
1 GET or HEAD Request with Body Content.
1 Empty User Agent Header
Maybe it's time for you to have a security audit??