weird apache log data during High Load

Discussion in 'EasyApache' started by gbh1935, Apr 15, 2008.

  1. gbh1935

    gbh1935 Active Member

    I had a huge load on my server today, and when checking the logs that dump the apachestatus during a high load I noticed really weird entries. See the example below:


    76.166.153.37 - - [05/Apr/2008:15:29:05 -0500] "GET /profile.php?mode=register&agreed=23bf84f9ac125f06c04983e1c8dab0a8+%5BPLM=0
    %5D%5BR%5D+GET+http://DOMAINNAME.COM/profile.php?mode=register&
    agreed=23bf84f9ac125f06c04983e1c8dab0a8+%5B0,23769,15523%5D+-%3E+%5BR%5D
    +POST+http://DOMAINNAME.COM/profile.php+[0,0,16277] HTTP/1.0" 200 17748 "http://DOMAINNAME.COM/profile.php?mode=register&agreed=23bf84f9ac125f06c04983e1c8dab0a8
    +%5BPLM=0%5D%5BR%5D+GET+http://DOMAINNAME.COM/profile.php?mode=register&
    agreed=23bf84f9ac125f06c04983e1c8dab0a8+%5B0,23769,15523%5D+-%3E+%5BR%5D
    +POST+http://DOMAINNAME.COM/profile.php+%5B0,0,16277%5D" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"

    It kinda looks to me like they are trying to pass multiple requests inside a single GET to the server. Is this a hacking attempt? Any ideas on how to block it?
     
  2. nyjimbo

    nyjimbo Well-Known Member

    Looks like a phpbb spambot OR a DDOS attack. If you can track down the account getting slammed, you might want to go see if they have tons of spam posts or if it's a very old phpbb. We have tons of customers who install their own phpbb and never update it; often we just have to shut them down or chmod their phpbb folder until they respond to our warning that they are being attacked.
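
One way to pick requests like the one quoted in the first post out of an access log and count them per client, as an added example that is not part of either post. It assumes Apache's "combined" log format; the function names are illustrative and the sample lines are constructed (documentation IPs, example.com) to resemble the entry above.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A second method + absolute URL inside the already-parsed request target.
EMBEDDED = re.compile(r'\s(?:GET|POST|HEAD)\s+https?://', re.IGNORECASE)

def embedded_request(line):
    """Return (ip, decoded_target) if the target carries an embedded request, else None."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    parts = m['request'].split(' ')
    if len(parts) < 3:          # malformed request line; nothing to inspect
        return None
    target = unquote_plus(' '.join(parts[1:-1]))   # drop method and protocol
    return (m['ip'], target) if EMBEDDED.search(target) else None

def offenders(lines):
    """Count flagged requests per client IP."""
    return Counter(hit[0] for hit in map(embedded_request, lines) if hit)

# Constructed sample lines, shaped like the entry in the first post.
SAMPLE = [
    '192.0.2.10 - - [05/Apr/2008:15:29:05 -0500] "GET /profile.php?mode=register&agreed=abc'
    '+%5BPLM=0%5D%5BR%5D+GET+http://example.com/profile.php?mode=register+%5B0,1,2%5D+-%3E'
    '+%5BR%5D+POST+http://example.com/profile.php+[0,0,3] HTTP/1.0" 200 17748 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"',
    '192.0.2.10 - - [05/Apr/2008:15:29:09 -0500] "GET /profile.php?mode=register'
    '+%5BR%5D+POST+http://example.com/posting.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    # Benign: "GET" appears in a query value but no embedded absolute URL follows it.
    '198.51.100.7 - - [05/Apr/2008:15:29:11 -0500] "GET /viewtopic.php?t=12&q=GET+started '
    'HTTP/1.1" 200 9041 "http://example.com/index.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE).most_common():
        print(ip, count)
```

The per-IP counts can feed whatever blocking or rate-limiting the server already uses; the script itself only reads the log.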
     