GoogleBot Attack? 100+ Connections maxing out Apache

[anthvale]

I spent the entire day working on solving this with my host company but can't figure it out. I know NOTHING about connecting with SSH and running command lines but he gave me 1 line to run to see how many connections were being made and it's showing over 100 from Google alone.

Which is crashing something. Apache? Mod Security?...It's shutting down my entire server with multiple clients and then starting back up later on. Then staying live for some time, then shutting back down.

I upped apache to 350 and unconnected Pinterest for now and it seems to be steady but I need to get this sorted out.

If I block Google's IP address as a bandaid, for now, how bad will my rankings in the search results be damaged?

Thanks

 

[anthvale]

I'm also getting these error when looking at logs:

[Wed Jan 08 11:17:17.825906 2020] [:error] [pid 12393:tid 47092598097664] [client 173.231.244.64:34970] [client 173.231.244.64] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/imh-modsec/01_base_rules.conf"] [line "64"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "account.domain.com"] [uri "/index.php"] [unique_id "XhYqvd6rHkZbwepYXmENCgAAAAQ"]
[Wed Jan 08 12:33:05.393958 2020] [:error] [pid 18173:tid 47223102510848] [client 103.5.150.16:57912] [client 103.5.150.16] ModSecurity: Access denied with code 406 (phase 4). Operator GT matched 0 at RESOURCE:xmlrpc_bf_block. [file "/etc/apache2/conf.d/imh-modsec/post_2.8_rules.conf"] [line "17"] [id "13504"] [msg "xmlrpc.php call failures triggered temporary block"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "XhY8gXfr-E7HWt2eKfDQKgAAABc"]
[Wed Jan 08 12:41:16.908278 2020] [:error] [pid 19818:tid 47822563010304] [client 35.239.243.107:50704] [client 35.239.243.107] ModSecurity: Access denied with code 406 (phase 4). Operator GT matched 0 at RESOURCE:xmlrpc_bf_block. [file "/etc/apache2/conf.d/imh-modsec/post_2.8_rules.conf"] [line "17"] [id "13504"] [msg "xmlrpc.php call failures triggered temporary block"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "[email protected]"]
[Wed Jan 08 12:51:45.527915 2020] [:error] [pid 20863:tid 47822518884096] [client 192.99.200.69:38376] [client 192.99.200.69] ModSecurity: Access denied with code 406 (phase 4). Operator GT matched 0 at RESOURCE:xmlrpc_bf_block. [file "/etc/apache2/conf.d/imh-modsec/post_2.8_rules.conf"] [line "17"] [id "13504"] [msg "xmlrpc.php call failures triggered temporary block"] [hostname "domain.com"] [uri "/xmlrpc.php"] [unique_id "XhZA4XuOFoCEREtGAkTHdQAAAYE"]
[Wed Jan 08 14:27:35.089615 2020] [:error] [pid 29284:tid 46988184954624] [client 73.61.86.193:61050] [client 73.61.86.193] ModSecurity: Warning. Pattern match "recaptcha" at ARGS_POST_NAMES:g-recaptcha-response. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "18"] [id "13504"] [hostname "account.domain.com"] [uri "/admin/dologin.php"] [unique_id "XhZXVz4nUpA9IoSXkPZzOgAAAAU"], referer: WHMCS - Login

 

[cPanelLauren]

I spent the entire day working on solving this with my host company but can't figure it out. I know NOTHING about connecting with SSH and running command lines but he gave me 1 line to run to see how many connections were being made and it's showing over 100 from Google alone.

What's the command they gave you to run? Google shouldn't have that many connections at once, no but it is pretty normal for Google's bot to connect to the server

If I block Google's IP address as a bandaid, for now, how bad will my rankings in the search results be damaged?

I believe blocking Google in this manner would be extremely detrimental and I wouldn't advise moving forward with that plan. You can modify the frequency and what is indexed in their console though

I'm also getting these error when looking at logs:

Those are ModSecurity notices indicating that it's getting hits on specific rules and the actions it takes in conjunction with that. That number and frequency of requests though wouldn't be enough to crash a server (based on what you're showing me)

 

[Rajeeva Lochana]

I think you have this problem because someone is DDOSing your server using the GoogleBot useragent.

 

[anthvale]

@cPanelLauren

The code I was given to run was this:

netstat -nt | awk '/^tcp/ {print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n

I set the crawl frequency to mid-low for now on some of my accounts.

@rajeevacj

I think you have this problem because someone is DDOSing your server using the GoogleBot useragent.

I was under this impression as well.

What do I do in this case?

 

[Rajeeva Lochana]

@cPanelLauren

The code I was given to run was this:



I set the crawl frequency to mid-low for now on some of my accounts.

@rajeevacj



I was under this impression as well.

What do I do in this case?

Check that IP with whois lookup, and you will know who owns it. Is 173.231.244.64 the IP that is making those requests? I see it being owned by InMotion Hosting, Inc., so it is not owned by Google, Inc.

 

[anthvale]

InMotion is my Host. I think that is a different IP than the one that was doing the crawling that day. Sorry for the confusion.

 

[Rajeeva Lochana]

What was that IP Address? Just so you know, IP is different than IP Address (Not trying to be rude).