weird apache log data during High Load

Discussion in 'EasyApache' started by gbh1935, Apr 15, 2008.

  1. gbh1935

    gbh1935 Active Member

    I had a huge load on my server today, and when checking the logs that dump the apachestatus during a high load I noticed really weird entries. See the example below.


    76.166.153.37 - - [05/Apr/2008:15:29:05 -0500] "GET /profile.php?mode=register&agreed=23bf84f9ac125f06c04983e1c8dab0a8+%5BPLM=0
    %5D%5BR%5D+GET+http://DOMAINNAME.COM/profile.php?mode=register&
    agreed=23bf84f9ac125f06c04983e1c8dab0a8+%5B0,23769,15523%5D+-%3E+%5BR%5D
    +POST+http://DOMAINNAME.COM/profile.php+%5B0,0,16277%5D HTTP/1.0" 200 17748 "http://DOMAINNAME.COM/profile.php?mode=register&agreed=23bf84f9ac125f06c04983e1c8dab0a8
    +%5BPLM=0%5D%5BR%5D+GET+http://DOMAINNAME.COM/profile.php?mode=register&
    agreed=23bf84f9ac125f06c04983e1c8dab0a8+%5B0,23769,15523%5D+-%3E+%5BR%5D
    +POST+http://DOMAINNAME.COM/profile.php+%5B0,0,16277%5D" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"

    It kinda looks to me like they are trying to pass multiple requests inside a single GET to the server. Is this a hacking attempt? Any ideas on how to block it?
     
  2. nyjimbo

    nyjimbo Well-Known Member

    Looks like a phpbb spambot OR a DDOS attack. If you can track down the account getting slammed, you might want to go see if they have tons of spam posts or if it's a very old phpbb. We have tons of customers who install their own phpbb and never update it; often we just have to shut them down or chmod their phpbb folder until they respond to our warning that they are being attacked.
     
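One way to follow up on the advice above and find which client and script the odd entries belong to, as an added example that is not part of the original thread: the script parses Apache combined-format lines and counts, per client IP and path, the entries whose URL-decoded request or referer contains a second "METHOD http://..." sequence like the one quoted in the first post. The sample lines, example.com, the IP addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Once URL-decoded, an ordinary request target does not contain another
# "<METHOD> http://..." sequence; the entry quoted in the thread contains two.
EMBEDDED = re.compile(r'\b(?:GET|POST|HEAD|PUT)\s+https?://', re.I)

def embedded_requests(value):
    """Count method + absolute-URL sequences hidden inside a logged field."""
    return len(EMBEDDED.findall(unquote_plus(value)))

def summarize(lines):
    """Return (Counter keyed by (client IP, path), count of unparsable lines)."""
    hits, skipped = Counter(), 0
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            skipped += 1  # truncated or non-combined line: count it, don't crash
            continue
        if embedded_requests(m["target"]) or embedded_requests(m["referer"]):
            hits[(m["ip"], urlsplit(m["target"]).path)] += 1
    return hits, skipped

# Constructed sample data modelled on the entry in the first post
# (example.com, the token "abc123" and the IPs are placeholders).
CHAIN = ("/profile.php?mode=register&agreed=abc123+%5BPLM=0%5D%5BR%5D+GET+"
         "http://example.com/profile.php?mode=register&agreed=abc123"
         "+%5B0,23769,15523%5D+-%3E+%5BR%5D+POST+http://example.com/profile.php"
         "+%5B0,0,16277%5D")
STAMP = "[05/Apr/2008:15:29:05 -0500]"
SAMPLE = [
    f'192.0.2.10 - - {STAMP} "GET {CHAIN} HTTP/1.0" 200 17748 '
    f'"http://example.com{CHAIN}" "Mozilla/4.0 (compatible; MSIE 5.0)"',
    f'192.0.2.10 - - {STAMP} "GET {CHAIN} HTTP/1.0" 200 17748 "-" "Mozilla/4.0"',
    f'198.51.100.7 - - {STAMP} "GET /index.php?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # A plain URL parameter with no method in front of it must not be flagged.
    f'198.51.100.7 - - {STAMP} "GET /redirect.php?url=http://example.com/ HTTP/1.1" '
    f'302 0 "-" "Mozilla/5.0"',
    "truncated line",
]

if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE)
    for (ip, path), n in hits.most_common():
        print(f"{n:5d}  {ip:15s}  {path}")
    print(f"unparsable lines: {skipped}")
```

Run against a domain's access log, the top rows show which script is being hit and from which addresses, which is the starting point for checking that script's version and for any blocking rule.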