The Community Forums

Server Went Down

Discussion in 'Security' started by JeffPaetkau, May 5, 2014.

  1. JeffPaetkau

    JeffPaetkau Member

    Hi,

    One of my servers went down this afternoon. Investigation revealed that one of the sites on the server (a WordPress site) was getting inundated with requests for:

    /http://www.domain.ca/%3Cmpjsp/%3E

    All the requests came from the same IP. A reverse lookup suggests that the IP is local to the market the site serves. Does anyone have any idea what would cause this? What steps can I take to ensure that a similar event doesn't take down the server?

    Thanks in advance for any guidance.

    Jeff Paetkau
     
    #1 JeffPaetkau, May 5, 2014
    Last edited by a moderator: May 5, 2014
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Just because the IP is in line with the type of traffic you might expect doesn't mean it was a legitimate access attempt. I'm also not sure that anyone here can tell you exactly what was going on based on the information provided. If the Apache access logs haven't rotated yet, maybe take a look to see if anything obvious stands out. Also, that URL looks a little weird - is it even valid? (I'm aware a moderator removed the domain - I'm talking about the path after it)
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    It's likely a good idea to block the IP address for the time being if it's bringing your server down. You can install a third-party firewall management utility such as CSF in order to block an IP address from accessing your server. At that point, you can investigate to determine why that IP address was initiating that type of traffic.

    Thank you.
     
  4. JeffPaetkau

    JeffPaetkau Member

    "Just because the IP is in line with the type of traffic you might expect doesn't mean it was a legitimate access attempt."

    True, but it does raise suspicion that something else is going on.


    "If the Apache access logs haven't rotated yet, maybe take a look to see if anything obvious stands out."

    Ya, I did that. Simply thousands of requests for:

    /<mpjsp/>

    No POSTS, no obvious hacking attempts, nothing.


    "Also, that URL looks a little weird - is it even valid?"

    It is VERY weird. WordPress doesn't know what to do with it and simply redirects the request to the main page. A Google search turns up nothing. That is why I am asking here; I was hoping someone might recognize it.


    "It's likely a good idea to block the IP address for the time being if it's bringing your server down."

    It appears that it only brought it down due to volume. As best I can tell the particular request doesn't do anything malicious. After suspending the site for 10 minutes the requests stopped.


    "You can install a third-party firewall management utility such as CSF in order to block an IP address from accessing your server."

    Is there any way to configure cPanel to auto-block an IP after a set number of requests per minute/hour/day? Even if we assume this particular incident was malicious (I'm not convinced either way at this point) and block the IP, that does nothing to prevent future attacks from any other IP address. I would need something that could detect and auto-ban unusual traffic levels.


    "At that point, you can investigate to determine why that IP address was initiating that type of traffic."

    To this point that investigation has come up blank which is why I am posting here. Any suggestions are most welcome, including suggestions of a better place to ask the question.


    Thank you.

    Jeff Paetkau
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    There are no native features with cPanel that will automatically block IP addresses based on number of requests. This should be handled by a third-party application, a firewall, or custom Apache configuration rules.

    Thank you.
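
The access-log review and the per-IP request threshold discussed in this thread can be combined in a short script. This is an added example, not part of any post here and not a cPanel feature; the log lines, IP addresses, status codes and the limit of 100 requests per 60 seconds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client IP, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_floods(lines, max_requests=100, window=timedelta(seconds=60)):
    """Return {ip: (peak_requests_in_window, most_requested_path)} for every
    client that exceeds max_requests inside any sliding window."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    paths = defaultdict(Counter)     # ip -> how often each path was requested
    peak = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:                # skip lines that are not access-log entries
            continue
        ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop requests older than the window
            q.popleft()
        paths[ip][m.group("path")] += 1
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: (n, paths[ip].most_common(1)[0][0]) for ip, n in peak.items()}

def sample_log():
    """Constructed log lines (documentation IPs, made-up status codes)."""
    start = datetime(2014, 5, 5, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(300):             # one client, 5 requests/second for 60 s
        ts = (start + timedelta(milliseconds=200 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /%3Cmpjsp/%3E HTTP/1.1" 301 -')
    for i in range(10):              # an ordinary visitor
        ts = (start + timedelta(seconds=6 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.20 - - [{ts}] "GET /index.php HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    for ip, (count, path) in find_floods(sample_log()).items():
        print(f"{ip}: {count} requests within 60 s, mostly for {path}")
```

The addresses it returns are candidates for a firewall block; the threshold should be tuned against normal traffic for the site so that ordinary visitors and crawlers are not flagged.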
     
  6. ponies

    ponies Registered

    @JeffPaetkau

    I'm seeing that tag as well, did you ever figure out what it's on about?
     