The Community Forums


apache attack?

Discussion in 'EasyApache' started by fizz, Apr 7, 2010.

  1. fizz

    fizz Well-Known Member

    Joined:
    Jan 25, 2002
    Messages:
    202
    Likes Received:
    0
    Trophy Points:
    16
    I have one site in particular that was getting slaughtered. I have a really beefy box. I don't have a capture of the apache-status, but when it would load, it would take about 30 seconds to even load. Using top or tload, the box wasn't even near 100%.

    Upon inspection, I found that the vast majority of requests coming in were like this.

    Code:
    151.82.31.54 - - [07/Apr/2010:14:12:37 -0400] "GET /travel.shtml HTTP/1.1" 200 21357 "http://216.133.243.28/2.php?sid=7979&keyword=handy+manny+tool+names&goto=5aa4f23dd49b5ebd0680253397829f12-ws4fUUFUww%09wSw.us.Fw.Sk%09%09R_aNfw%094343%092jLo0%2BQjLL0%2Bvtti%2BLjQIN%09OqLotitz0atNI%092vvR%3A%2F%2Fnnn.OqLotitz0.EtQ%2FAqoEiqEH.R2R%3FAqo_qo%3DwswsFu3u%26Wai%3D2vvR%25Fj%25sO%25sOjoNIaYIa%25sIjovIE2WN%25sIEtQ%25sO%25FOjoiqLH%254EF%25sIf%254ESsFf%254EwwkwFSu%254Ew%254EwU%254Ehogo%25FoufkFFk%25FA5Lgo%25Fow%25FAiqLH%25Fo2vvR%25Fj%25sO%25sOnnn%25sINjLqAIiQttaqLzN%25sIEtQ%25sOvajYIi%25sIN2vQi%26joY_Nqo%3DsFUSs%26joY_qo%3DwfUwf%26v0RI%3DatL%26ovN%3Dsfwf_fk_f4_ww_fU_Sw%26i2L%3Dnj0sS%26atL_WLqMWI%3Df%26aIoqaIEv_Wai%3D%26AitEH_joWiv%3Df%26QtoI%3DOqbIo%26oA2L%3Dw3s.wUu.wf.wUU%09f.fw%09sFUSs%09w%09FSSuu_F33S%09%09w%09gvji0%09gl%09nnn.rjLqAIimttaqLzN.EtQ%09nj0sS-kAAEEjjwAuOEu%09mtXqiij%25s6k.f%25sf%25suEtQRjvqAiI%25F5%25sfmrgp%25sfU.f%25F5%25sfCqLotnN%25sfDl%25sfS.w%25F5%25sfrKw%25F5%25sf.Dpl%25sf7Ve%25sfs.f.Sf4s4%25F5%25sf.Dpl%25sf7Ve%25sfF.f.fkSfU.Uku%25F5%25sf.Dpl%25sf7Ve%25sfF.S.swfss%25s3&objTimStr=0.75790500+1270663841" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
    77.195.81.136 - - [07/Apr/2010:14:12:54 -0400] "GET /travel.shtml HTTP/1.1" 200 21357 "http://216.133.243.28/2.php?sid=6212&keyword=weber+county+jail&goto=8d8811c672bf8a9967afbc25e76a0abb-ws4fUUFu4w%0944.w3S.uw.wFU%09%09R_aNfw%09Usws%09nIAIa%2BEtWLv0%2B1jqi%09OqLotitz0atNI%092vvR%3A%2F%2Fnnn.OqLotitz0.EtQ%2FAqoEiqEH.R2R%3FAqo_qo%3DwswsFu3u%26Wai%3D2vvR%25Fj%25sO%25sOjoNIaYIa%25sIjovIE2WN%25sIEtQ%25sO%25FOjoiqLH%254EF%25sIf%254ESsFf%254EwwkwFSu%254Ew%254EwU%254Ehogo%25FoufkFFk%25FA5Lgo%25Fow%25FAiqLH%25Fo2vvR%25Fj%25sO%25sOnnn%25sINjLqAIiQttaqLzN%25sIEtQ%25sOvajYIi%25sIN2vQi%26joY_Nqo%3DsFUSs%26joY_qo%3DwfUwf%26v0RI%3DatL%26ovN%3Dsfwf_fk_f4_ww_ww_ww%26i2L%3Dnj0S%26atL_WLqMWI%3Df%26aIoqaIEv_Wai%3D%26AitEH_joWiv%3Df%26QtoI%3DOqbIo%26oA2L%3DoAu%09f.fw%09sFUSs%09w%09FFfU3_Ssff4%09%09w%096ajLEI%096e%09nnn.rjLqAIimttaqLzN.EtQ%09nj0S-kAAEEjoFoAuFs%09mtXqiij%2Fk.f+%28EtQRjvqAiI%3B+mrgp+4.f%3B+CqLotnN+Dl+U.w%3B+CTCUk%3B+laqoILv%2Fk.f%3B+rV77s%3B+.Dpl+7Ve+s.f.Sf4s4%3B+.Dpl+7Ve+F.S.Ff4s3%3B+.Dpl+7Ve+F.f.Ff4s3%3B+mIoqj+7ILvIa+c7+U.f%3B+IrtAqrWANEaqAIa+s.f.k.wU%29&objTimStr=0.89942900+1270663891" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; eSobiSubscriber 2.0.4.16)"
    
    
    The source IP was different every time, but that request string on the right has me a bit confused.

    Any ideas what's going on here?


    This is current (working fine)
    Code:
    78.7 requests/sec - 1.4 MB/second - 17.9 kB/request
    18 requests currently being processed, 8 idle workers
    CW_W.WCW_CW_WWWC_...C..WW._..W_._W....W_........................
    ................................................................
    ................................................................
    ................................................................
    However, during the attack, it was mainly CRW and no .. at all. It was also doing 186 requests/sec and something like 200 being processed.


    thanks
     
    #1 fizz, Apr 7, 2010
    Last edited: Apr 7, 2010
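    One way to confirm what the log excerpt above shows (one path, one referer script with rotating sid/keyword values, a different source IP every time), as an added example that is not part of the thread: a small Python parser that groups combined-format log lines by path and referer host/path and flags groups that many distinct source IPs share. The sample lines are constructed and modelled on the excerpt, with the long encoded "goto=" tail replaced by a placeholder and two extra lines invented; the three-IP threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines modelled on the thread's excerpt; the long encoded
# "goto=" tail is shortened to a placeholder and the last two lines are invented.
SAMPLE_LOG = """\
151.82.31.54 - - [07/Apr/2010:14:12:37 -0400] "GET /travel.shtml HTTP/1.1" 200 21357 "http://216.133.243.28/2.php?sid=7979&keyword=handy+manny+tool+names&goto=PLACEHOLDER" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
77.195.81.136 - - [07/Apr/2010:14:12:54 -0400] "GET /travel.shtml HTTP/1.1" 200 21357 "http://216.133.243.28/2.php?sid=6212&keyword=weber+county+jail&goto=PLACEHOLDER" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
203.0.113.9 - - [07/Apr/2010:14:13:01 -0400] "GET /travel.shtml HTTP/1.1" 200 21357 "http://216.133.243.28/2.php?sid=4410&keyword=example+term&goto=PLACEHOLDER" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [07/Apr/2010:14:13:05 -0400] "GET /index.shtml HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_key(referer):
    """Collapse a referer to host+path so rotating sid/keyword/goto values group together."""
    if referer in ("", "-"):
        return None
    u = urlparse(referer)
    return u.netloc + u.path

def find_floods(lines, min_distinct_ips=3):
    """Group GET hits by (path, referer script) and keep groups that at least
    min_distinct_ips source IPs share: one target, one referer, rotating clients."""
    groups = defaultdict(lambda: {"ips": set(), "hits": 0, "keywords": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        g = groups[(rec["path"], referer_key(rec["referer"]))]
        g["ips"].add(rec["ip"])
        g["hits"] += 1
        # the referer's keyword= value is what changes from request to request
        g["keywords"].update(parse_qs(urlparse(rec["referer"]).query).get("keyword", []))
    return {k: {"ips": len(v["ips"]), "hits": v["hits"], "keywords": sorted(v["keywords"])}
            for k, v in groups.items() if len(v["ips"]) >= min_distinct_ips}

if __name__ == "__main__":
    for (path, ref), info in find_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{path} via {ref}: {info['ips']} IPs, {info['hits']} hits, keywords={info['keywords']}")
```

    Run it against a real access_log with `find_floods(open(path).readlines())`; a group whose IP count climbs while its referer key stays fixed is the pattern the excerpt shows.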
  2. fizz

    fizz Well-Known Member

    Joined:
    Jan 25, 2002
    Messages:
    202
    Likes Received:
    0
    Trophy Points:
    16
    No, it has since stopped, but I am keeping a close eye on it.
     
  3. MikeDVB

    MikeDVB Well-Known Member
    PartnerNOC

    Joined:
    Jun 4, 2008
    Messages:
    212
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Indiana, USA
    Sounds like a small GET flood to me - Apache is pretty vulnerable to it unless you highly optimize it, and even then a big enough flood can cause Apache problems in a hurry.

    Is the issue still happening?
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    And the question is exactly?

    Was it an attack?

    -- Certainly looks like it

    Is it dangerous?

    -- Chances are it won't do anything other than load your server unless you have an exploitable script, in which case you have other issues. I would have to see the logs and the account files where the requests were being made to tell you anything more definitively concrete.

    Either way, it is important that you limit such activity from your server, and looking at basic items such as a good firewall such as CSF along with Suhosin (very good for this specifically), mod_security, and even mod_evasive would be a great step in the right direction.

    Looking at your quoted status page and description of your activity, I suspect that your server could probably use a bit of performance tuning as well.
     