JeffPaetkau

Member
May 5, 2014
cPanel Access Level
Root Administrator
Hi,

One of my servers went down this afternoon. Investigation revealed that one of the sites on the server (a WordPress site) was getting inundated with requests for:

/http://www.domain.ca/%3Cmpjsp/%3E

All the requests came from the same IP. A reverse lookup suggests that the IP is local to the market the site serves. Does anyone have any idea what would cause this? What steps can I take to ensure that a similar event doesn't take down the server?

Thanks in advance for any guidance.

Jeff Paetkau
Last edited by a moderator:

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
Virginia Beach, VA
cPanel Access Level
DataCenter Provider
Just because the IP is in line with the type of traffic you might expect doesn't mean it was a legitimate access attempt. I'm also not sure that anyone here can tell you exactly what was going on based on the information provided. If the Apache access logs haven't rotated yet, maybe take a look to see if anything obvious stands out. Also, that URL looks a little weird - is it even valid? (I'm aware a moderator removed the domain - I'm talking about the path after it)

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

It's likely a good idea to block the IP address for the time being if it's bringing your server down. You can install a third-party firewall management utility such as CSF in order to block an IP address from accessing your server. At that point, you can investigate to determine why that IP address was initiating that type of traffic.

Thank you.

JeffPaetkau

Member
May 5, 2014
cPanel Access Level
Root Administrator
"Just because the IP is in line with the type of traffic you might expect doesn't mean it was a legitimate access attempt."

True, but it does raise suspicion that something else is going on.


"If the Apache access logs haven't rotated yet, maybe take a look to see if anything obvious stands out."

Yeah, I did that. Simply thousands of requests for:

/<mpjsp/>

No POSTs, no obvious hacking attempts, nothing.


"Also, that URL looks a little weird - is it even valid?"

It is VERY weird. WordPress doesn't know what to do with it and simply redirects the request to the main page. A Google search turns up nothing. That is why I am asking here; I was hoping someone might recognize it.


"It's likely a good idea to block the IP address for the time being if it's bringing your server down."

It appears that it only brought it down due to volume. As best I can tell the particular request doesn't do anything malicious. After suspending the site for 10 minutes the requests stopped.


"You can install a third-party firewall management utility such as CSF in order to block an IP address from accessing your server."

Is there any way to configure cPanel to auto-block an IP after a set number of requests per minute/hour/day? Even if we assume this particular incident was malicious (I'm not convinced either way at this point) and block the IP, that does nothing to prevent future attacks from any other IP address. I would need something that could detect and auto-ban unusual traffic levels.


"At that point, you can investigate to determine why that IP address was initiating that type of traffic."

To this point that investigation has come up blank which is why I am posting here. Any suggestions are most welcome, including suggestions of a better place to ask the question.


Thank you.

Jeff Paetkau

cPanelMichael

Administrator
Staff member
Apr 11, 2011
"Is there any way to configure cPanel to auto-block an IP after a set number of requests per minute/hour/day? Even if we assume this particular incident was malicious (I'm not convinced either way at this point) and block the IP, that does nothing to prevent future attacks from any other IP address. I would need something that could detect and auto-ban unusual traffic levels."
There are no native features with cPanel that will automatically block IP addresses based on number of requests. This should be handled by a third-party application, a firewall, or custom Apache configuration rules.

Thank you.
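The two suggestions in this thread (block the offending address with CSF, and detect floods with something outside cPanel itself) can be combined in a small script run against the Apache access log. The code below is an added example, not something posted in the thread or shipped by cPanel or CSF: it parses combined-format log lines, counts requests per client IP in fixed one-minute windows, reports any IP over a threshold together with the paths it was hammering, and builds (but does not run) the `csf -d IP comment` deny command. The log lines, the IP addresses (documentation ranges), the threshold of 100 requests per minute and the assumption that CSF is installed and the script runs as root are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" access-log line:
#   ip - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": unquote(m.group("path")),  # /%3Cmpjsp/%3E decodes to /<mpjsp/>
        "status": int(m.group("status")),
    }


def requests_per_window(lines, window_seconds=60):
    """Count requests per (client IP, fixed time window); unparseable lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["time"].timestamp()) // window_seconds
        counts[(rec["ip"], bucket)] += 1
    return counts


def find_offenders(lines, threshold=100, window_seconds=60):
    """Map each IP to its busiest window's request count, keeping only those at or above threshold."""
    busiest = {}
    for (ip, _bucket), n in requests_per_window(lines, window_seconds).items():
        busiest[ip] = max(n, busiest.get(ip, 0))
    return {ip: n for ip, n in busiest.items() if n >= threshold}


def top_paths(lines, ip, limit=5):
    """Most-requested (decoded) paths for one IP, as a first look at what it was after."""
    paths = Counter(rec["path"] for rec in map(parse_line, lines) if rec and rec["ip"] == ip)
    return paths.most_common(limit)


def csf_deny_command(ip, comment="automated rate-limit block"):
    """argv for CSF's deny command (csf -d IP comment). Returned rather than executed so the
    operator can review it first. Assumes CSF is installed and this runs as root."""
    return ["csf", "-d", ip, comment]


def build_sample_log():
    """Constructed sample lines for offline testing, not traffic from any real server."""
    fmt = '{ip} - - [05/May/2014:{hm}:{sec:02d} -0600] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = [
        fmt.format(ip="198.51.100.7", hm="14:03", sec=5, path="/", status=200),
        fmt.format(ip="198.51.100.7", hm="14:03", sec=40, path="/wp-login.php", status=200),
        fmt.format(ip="198.51.100.7", hm="14:04", sec=10, path="/about/", status=200),
        "this line is not in combined format and must be skipped",
    ]
    # 150 GETs for the thread's odd path from one address, all inside the 14:03 minute.
    lines += [
        fmt.format(ip="203.0.113.45", hm="14:03", sec=i % 60, path="/%3Cmpjsp/%3E", status=302)
        for i in range(150)
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG, threshold=100).items():
        print(f"{ip}: {n} requests in one minute; top paths: {top_paths(SAMPLE_LOG, ip)}")
        print("would run:", " ".join(csf_deny_command(ip)))
```

Run from cron against the live log it gives a crude version of what the poster asked for; the same idea is packaged properly in Apache's mod_evasive module and in CSF's own connection-tracking settings, which are the better fit on a production cPanel box. Whatever enforces the block, keep the per-IP path summary: a flood of a single nonsensical path with no POSTs, like the one in the thread, is what separates a broken client or scanner from a real intrusion attempt.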