The Community Forums

Accidental DOS Attack from Chrome?

Discussion in 'Security' started by jcwacky, Jan 11, 2012.

  1. jcwacky

    I'm running WHM 11.30.5 on a 2GB Rackspace Cloud Server.

    On Monday I received notification that my websites were unavailable. I could log in to WHM fine, so I checked the Server Status; it showed that RAM was maxed and CPU was extremely high. When I tried the Apache Status page, it just gave a message along the lines of it failing to connect to Apache.

    I rebooted the server, but when it came back up CPU and RAM were still maxed. RAM is normally at < 50%.

    After about 30 mins, it all went back to normal.

    I then came across something in the Apache logs for one of my sites, that may have caused this. It seemed like the homepage of the site was getting hundreds of requests per second from a single IP address.

    Code:
    ...
    95.111.X.XXX - - [09/Jan/2012:17:35:49 +0000] "GET / HTTP/1.1" 500 5564 "http://www.MYDOMAIN.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    95.111.X.XXX - - [09/Jan/2012:17:35:49 +0000] "GET / HTTP/1.1" 500 5564 "http://www.MYDOMAIN.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    95.111.X.XXX - - [09/Jan/2012:17:35:49 +0000] "GET / HTTP/1.1" 500 5564 "http://www.MYDOMAIN.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
    ...
    Initially I presumed this was a DOS attack. I've never had one before.

    However, there are 2 things that make me wonder if this "attack" was an accident:
    1. The user agent string for the requests was for Google Chrome:
    Code:
    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
    2. I then blocked the IP address in CloudFlare and CSF, and almost instantly had the user contact us and ask why he couldn't get on the site, as it said his IP address was blocked. I asked for his IP and it matched the one the "attack" was from. He also seemed to be a regular user of our site, and had a member's account.

    So I'm starting to wonder if his computer performed this "attack" accidentally without him knowing.

    Any thoughts?

    I'd like to know what could have caused this attack, and any suggestions for protecting myself from similar things in the future.

    Many Thanks
    James

    Here is a copy of the log entries during the "attack", I've masked the IP address of the user and our domain: [Apache Log] 82.69.137.178 - - [09/Jan/2012:17:20:45 +0000] "POST /Security/ping HTTP/1.1" 20 - Pastebin.com
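
An added example, not part of the original post: a small Python check that reads Apache combined-format lines like the ones quoted above and reports any client whose peak requests per second exceeds a limit, along with the path it hit and how many 5xx responses it caused. The sample log, the documentation-range IP addresses, example.net and the limit of 20 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat, the format of the lines quoted in the post.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_bursts(lines, per_second_limit=20):
    """Return {ip: summary} for clients whose peak requests/second exceeds the limit."""
    per_second = defaultdict(Counter)  # ip -> Counter of hits per one-second bucket
    paths, errors, agents = defaultdict(Counter), Counter(), defaultdict(set)
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip = m["ip"]
        per_second[ip][datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")] += 1
        paths[ip][m["path"]] += 1
        agents[ip].add(m["ua"])
        if m["status"].startswith("5"):
            errors[ip] += 1  # count 5xx responses served to this client
    report = {}
    for ip, buckets in per_second.items():
        peak_second, peak = buckets.most_common(1)[0]
        if peak > per_second_limit:
            report[ip] = {
                "peak_rps": peak,
                "peak_at": peak_second.isoformat(),
                "total": sum(buckets.values()),
                "top_path": paths[ip].most_common(1)[0][0],
                "server_errors": errors[ip],
                "user_agents": len(agents[ip]),
            }
    return report

def sample_log():
    """Constructed sample: one client floods "/" within one second, another browses normally."""
    ua = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) "
          "Chrome/13.0.782.220 Safari/535.1")
    flood = '203.0.113.7 - - [09/Jan/2012:17:35:49 +0000] "GET / HTTP/1.1" 500 5564 "http://www.example.net/" "%s"' % ua
    normal = '198.51.100.20 - - [09/Jan/2012:17:35:%02d +0000] "GET /forum HTTP/1.1" 200 1024 "-" "%s"'
    return [flood] * 150 + [normal % (s, ua) for s in range(10)]

if __name__ == "__main__":
    for ip, summary in find_bursts(sample_log()).items():
        print(ip, summary)
```

To run it on a real access log, pass an open file object as `lines`; a single user agent combined with a high peak on one path matches the pattern described in the post.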