NetShapersInc

Member
cPanel Access Level
Root Administrator
I cannot seem to get our machine to dump the POST data to the error logs. We are doing this because of a heavy amount of most likely (99% sure) malicious attacks against one of our users' websites. They are constantly sending POST requests to the website, up to 5 times a second. This is a non-stop thing. An example:

151.75.212.143 - - [31/Jul/2013:16:25:38 -0500] "POST / HTTP/1.1" 200 30757 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

We've tried doing this, using these lines in our HTTPD.conf:

DumpIOInput On
DumpIOLogLevel debug
DumpIOOutput On

And by default, the error log line is set to -> ErrorLog "logs/error_log".

We've checked in that log file, numerous times, while attacks are going on, and it doesn't log anything to it. Am I missing something here or is there an issue with Dump_IO and cPanel? We've made sure that easyApache installed the dumpio_module.

Any help would be very much appreciated! Thanks!

Software specs/versions:
WHM 11.38.1 (build 15) VPS Optimized
[email protected][*] [/usr/local/apache/conf]# uname -a
Linux [*].[*].com 2.6.32-220.7.1.el6.i686 #1 SMP Tue Mar 6 21:21:22 GMT 2012 i686 i686 i386 GNU/Linux

Server version: Apache/2.2.25 (Unix)
Server built: Jul 30 2013 16:48:44
Cpanel::Easy::Apache v3.20.6 rev9999

PHP 5.3.27 (cli) (built: Jul 30 2013 16:56:53)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2013 Zend Technologies
with Zend Guard Loader v3.3, Copyright (c) 1998-2010, by Zend Technologies

[email protected][*] [/usr/local/apache/conf]# apachectl -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
dumpio_module (static)
include_module (static)
filter_module (static)
log_config_module (static)
logio_module (static)
env_module (static)
expires_module (static)
headers_module (static)
unique_id_module (static)
setenvif_module (static)
version_module (static)
proxy_module (static)
proxy_connect_module (static)
proxy_ftp_module (static)
proxy_http_module (static)
proxy_scgi_module (static)
proxy_ajp_module (static)
proxy_balancer_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
status_module (static)
autoindex_module (static)
asis_module (static)
info_module (static)
suexec_module (static)
cgi_module (static)
negotiation_module (static)
dir_module (static)
actions_module (static)
userdir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
bwlimited_module (shared)
php5_module (shared)
security2_module (shared)
Syntax OK
 

cPanelMichael

Administrator
Staff member
Hello :)

What method are you using to edit your Apache configuration file? Also, do you have any "LogLevel" entries in your Apache configuration file? You may want to try disabling any such entries and restart Apache to see if that makes a difference.

Thank you.
 

NetShapersInc

Michael,

Thanks, that did it for the most part. However, we still cannot see exactly what they are sending in... It's continually jumbled and unreadable.
 

cPanelMichael

I believe that's the intention of the debug mode associated with that module. Have you considered installing a software or hardware firewall to mitigate the attack itself?

Thank you.
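
One way to turn the escaped mod_dumpio lines in error_log back into readable POST fields, as an added example that is not part of the original thread or of Apache's or cPanel's code. The log layout, the sample lines and the helper names `unescape` and `extract_posts` are assumptions made here.

```python
import re
from urllib.parse import parse_qsl

# Constructed error_log lines in the layout Apache 2.2's mod_dumpio is assumed
# to write; timestamps, source line numbers and the request are invented.
SAMPLE_LOG = r"""
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(113): mod_dumpio:  dumpio_in (data-HEAP): 17 bytes
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(55): mod_dumpio:  dumpio_in (data-HEAP): POST / HTTP/1.1\r\n
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(55): mod_dumpio:  dumpio_in (data-HEAP): Content-Type: application/x-www-form-urlencoded\r\n
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(55): mod_dumpio:  dumpio_in (data-HEAP): Content-Length: 28\r\n
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(55): mod_dumpio:  dumpio_in (data-HEAP): \r\n
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(55): mod_dumpio:  dumpio_in (data-HEAP): name=test&msg=hello
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(55): mod_dumpio:  dumpio_out (data-HEAP): HTTP/1.1 200 OK\r\n
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(55): mod_dumpio:  dumpio_in (data-HEAP): \x01world%21
[Wed Jul 31 16:25:38 2013] [debug] mod_dumpio.c(113): mod_dumpio:  dumpio_in (metadata-EOS): 0 bytes
"""

DATA_IN = re.compile(r"mod_dumpio:\s+dumpio_in \(data-\w+\): (.*)$")
SIZE_ONLY = re.compile(r"^\d+ bytes$")          # per-bucket length lines
ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{2}|.)")   # \xHH or a one-letter escape
SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}

def unescape(text):
    """Undo error-log escaping (\\r, \\n, \\t, \\\\, \\xHH) on one payload."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x" and len(tok) == 3:
            return chr(int(tok[1:], 16))
        return SIMPLE.get(tok, m.group(0))      # unknown escapes stay as-is
    return ESCAPE.sub(repl, text)

def extract_posts(log_text):
    """Return [(request_line, {field: value})] for POSTs in dumpio_in lines."""
    # In this assumed layout the lines carry no client address or PID, so the
    # lines of one request must be contiguous; concurrent requests interleave.
    chunks = []
    for line in log_text.splitlines():
        m = DATA_IN.search(line)
        if m and not SIZE_ONLY.match(m.group(1)):
            chunks.append(unescape(m.group(1)))
    posts = []
    for req in re.split(r"(?=POST \S+ HTTP/1\.[01]\r\n)", "".join(chunks)):
        if not req.startswith("POST "):
            continue
        head, _, body = req.partition("\r\n\r\n")
        lines = head.split("\r\n")
        hdrs = {k.lower(): v for k, v in
                (h.split(": ", 1) for h in lines[1:] if ": " in h)}
        body = body[:int(hdrs.get("content-length", len(body)))]
        posts.append((lines[0], dict(parse_qsl(body, keep_blank_values=True))))
    return posts
```
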