weird apache requests

[minzliu]

hi, ive started noticing a lot of the following requests when i goto apache-status in whm

127.0.0.1 - - [02/Mar/2008:21:49:42 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:43 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:44 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:45 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:46 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:47 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:48 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:49 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:50 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:51 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:52 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:53 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:54 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:55 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:56 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:57 +1100] "OPTIONS * HTTP/1.0" 200 -

what are these requests for? how to i find out whats causing it and how do i get rid of it?

thanks

[viraj]

Hi,

I am 90% sure that this is an outbreak of an attack, which is more rather DDoS. Check netstat outputs. I'll reply more when I find something 100% sure

[cpanelinfoseeker]

I'm having a TON of these in /usr/local/apache/logs/access_log, but instead of 127.0.0.1 is is actually using an unused IP address:

unused ip - - [07/Mar/2008:12:49:10 -0500] "OPTIONS * HTTP/1.0" 200 -
unused ip - - [07/Mar/2008:12:49:11 -0500] "OPTIONS * HTTP/1.0" 200 -
unused ip - - [07/Mar/2008:12:49:12 -0500] "OPTIONS * HTTP/1.0" 200 -
unused ip - - [07/Mar/2008:12:49:24 -0500] "OPTIONS * HTTP/1.0" 200 -

(actual address removed) There could be as many as 20 with a 1 second spacing and a period of a few secoonds to a few minutes of nothing and it starts again.

In WHM Apache Status there are many similar lines using the same unused IP. These also used to show 127.0.0.1 but now show an actual IP:

17-0 - 0/0/2145 . 0.00 169 0 0.0 0.00 35.95 unused ip host.server.com OPTIONS * HTTP/1.0

I had blocked the server IP in question, but this made no difference. Since it originally had the 127.0.0.1 ip showing, I guess something changed on the server to make it use one of the real IP addrersses.

I haven't figured it out yet, but hope this helps someone with a better understanding to make some progress. My data center is also looking into this and does not think it is anthing dangerous, but can not determine what is causing these logs.

Ron

[minzliu]

hmm btw, if this makes any difference, im on a vps using virtuoso.

[MindStar]

I am seeing the same thing on my VPS.

Does anyone have any idea what is generating these requests?

Code:

::1 - - [30/Apr/2008:04:43:26 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -

[anton_latvia]

That is you, yourself and WHM, viewing "Apache status". I suppose you run Apache 2.x? Unfortunately I don't know how to fix it.. We simply use good-old Apache 1.3.