Apache Filled with POST Requests from Server IP

Operating System & Version
CloudLinux 7
cPanel & WHM Version
v86.0.14

dswimr615

Member
Jan 9, 2014
16
0
1
cPanel Access Level
Root Administrator
We just experienced some strange behavior on one of our servers, where Apache's status page was filled with POST requests to the main (/) page of a single website. The source IP for every request, however, is/was the main IP for the server (see below image, private information blurred out) so it's not an attack, unless the attack was somehow masked to be from the server's main IP (could that happen?). Access logs show the same thing and don't reveal any more information.

f5f83ab02ef8d1ee477f.png

I couldn't find anything online or in these forums about a related incident. Does anyone have any ideas as to what might have happened or how to reveal more info if this happens again? Restarting Apache cleared all of the requests and no more spawned afterward.
 

HostNoc

Member
Feb 20, 2020
24
3
3
Ontario
cPanel Access Level
Root Administrator
Hello @dswimr615

The reason of this issue could be that any code of site could be executing the post in multiple attempts, or a contact form is being abused on a site.

I would suggest checking the site's codes, check the /etc/hosts files, the IP configuration, and also I would highly suggest running the cPanel stable version update and review EaseApache4 settings.

Regards,
 
  • Like
Reactions: cPanelLauren

dswimr615

Member
Jan 9, 2014
16
0
1
cPanel Access Level
Root Administrator
Hello @dswimr615

The reason of this issue could be that any code of site could be executing the post in multiple attempts, or a contact form is being abused on a site.

I would suggest checking the site's codes, check the /etc/hosts files, the IP configuration, and also I would highly suggest running the cPanel stable version update and review EaseApache4 settings.

Regards,
That's a good idea, I'll look around for anything that could be sending locally.

Are other requests being generated from the actual source IP address? Meaning, all requests to your server are not being shown as originating from your server's IP address correct?
Hey Lauren! That is correct, other traffic shows normally/from a variety of IPs. It was just that one burst of POST requests without any apparent target and strangely showing as from the server's main IP.
 
Thread starter Similar threads Forum Replies Date
A EasyApache 0
H EasyApache 1
cPanelPhilH EasyApache 0
S EasyApache 2
cPanelPhilH EasyApache 0