The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

weird apache requests

Discussion in 'EasyApache' started by minzliu, Mar 2, 2008.

  1. minzliu

    minzliu Registered

    Joined:
    Sep 25, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    hi, ive started noticing a lot of the following requests when i goto apache-status in whm

    127.0.0.1 - - [02/Mar/2008:21:49:42 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:43 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:44 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:45 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:46 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:47 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:48 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:49 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:50 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:51 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:52 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:53 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:54 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:55 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:56 +1100] "OPTIONS * HTTP/1.0" 200 -
    127.0.0.1 - - [02/Mar/2008:21:49:57 +1100] "OPTIONS * HTTP/1.0" 200 -

    what are these requests for? how to i find out whats causing it and how do i get rid of it?

    thanks
     
  2. viraj

    viraj Well-Known Member

    Joined:
    Sep 28, 2006
    Messages:
    209
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi,

    I am 90% sure that this is an outbreak of an attack, which is more rather DDoS. Check netstat outputs. I'll reply more when I find something 100% sure :)
     
  3. cpanelinfoseeker

    cpanelinfoseeker Well-Known Member

    Joined:
    Oct 25, 2002
    Messages:
    323
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    NE Illinois
    cPanel Access Level:
    Root Administrator
    I'm having a TON of these in /usr/local/apache/logs/access_log, but instead of 127.0.0.1 is is actually using an unused IP address:

    unused ip - - [07/Mar/2008:12:49:10 -0500] "OPTIONS * HTTP/1.0" 200 -
    unused ip - - [07/Mar/2008:12:49:11 -0500] "OPTIONS * HTTP/1.0" 200 -
    unused ip - - [07/Mar/2008:12:49:12 -0500] "OPTIONS * HTTP/1.0" 200 -
    unused ip - - [07/Mar/2008:12:49:24 -0500] "OPTIONS * HTTP/1.0" 200 -

    (actual address removed) There could be as many as 20 with a 1 second spacing and a period of a few secoonds to a few minutes of nothing and it starts again.

    In WHM Apache Status there are many similar lines using the same unused IP. These also used to show 127.0.0.1 but now show an actual IP:

    17-0 - 0/0/2145 . 0.00 169 0 0.0 0.00 35.95 unused ip host.server.com OPTIONS * HTTP/1.0

    I had blocked the server IP in question, but this made no difference. Since it originally had the 127.0.0.1 ip showing, I guess something changed on the server to make it use one of the real IP addrersses.

    I haven't figured it out yet, but hope this helps someone with a better understanding to make some progress. My data center is also looking into this and does not think it is anthing dangerous, but can not determine what is causing these logs.

    Ron
     
  4. minzliu

    minzliu Registered

    Joined:
    Sep 25, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    hmm btw, if this makes any difference, im on a vps using virtuoso.
     
  5. MindStar

    MindStar Member

    Joined:
    Mar 29, 2007
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    I am seeing the same thing on my VPS.

    Does anyone have any idea what is generating these requests?

    Code:
    ::1 - - [30/Apr/2008:04:43:26 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
    ::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
     
  6. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    That is you, yourself and WHM, viewing "Apache status". I suppose you run Apache 2.x? Unfortunately I don't know how to fix it.. We simply use good-old Apache 1.3.
     
Loading...

Share This Page