weird apache requests

minzliu · Mar 2, 2008

hi, ive started noticing a lot of the following requests when i goto apache-status in whm

127.0.0.1 - - [02/Mar/2008:21:49:42 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:43 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:44 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:45 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:46 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:47 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:48 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:49 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:50 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:51 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:52 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:53 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:54 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:55 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:56 +1100] "OPTIONS * HTTP/1.0" 200 -
127.0.0.1 - - [02/Mar/2008:21:49:57 +1100] "OPTIONS * HTTP/1.0" 200 -

what are these requests for? how to i find out whats causing it and how do i get rid of it?

thanks

viraj · Mar 6, 2008

Hi,

I am 90% sure that this is an outbreak of an attack, which is more rather DDoS. Check netstat outputs. I'll reply more when I find something 100% sure

cpanelinfoseeker · Mar 7, 2008

I'm having a TON of these in /usr/local/apache/logs/access_log, but instead of 127.0.0.1 is is actually using an unused IP address:

unused ip - - [07/Mar/2008:12:49:10 -0500] "OPTIONS * HTTP/1.0" 200 -
unused ip - - [07/Mar/2008:12:49:11 -0500] "OPTIONS * HTTP/1.0" 200 -
unused ip - - [07/Mar/2008:12:49:12 -0500] "OPTIONS * HTTP/1.0" 200 -
unused ip - - [07/Mar/2008:12:49:24 -0500] "OPTIONS * HTTP/1.0" 200 -

(actual address removed) There could be as many as 20 with a 1 second spacing and a period of a few secoonds to a few minutes of nothing and it starts again.

In WHM Apache Status there are many similar lines using the same unused IP. These also used to show 127.0.0.1 but now show an actual IP:

17-0 - 0/0/2145 . 0.00 169 0 0.0 0.00 35.95 unused ip host.server.com OPTIONS * HTTP/1.0

I had blocked the server IP in question, but this made no difference. Since it originally had the 127.0.0.1 ip showing, I guess something changed on the server to make it use one of the real IP addrersses.

I haven't figured it out yet, but hope this helps someone with a better understanding to make some progress. My data center is also looking into this and does not think it is anthing dangerous, but can not determine what is causing these logs.

Ron

minzliu · Mar 7, 2008

hmm btw, if this makes any difference, im on a vps using virtuoso.

MindStar · Apr 30, 2008

I am seeing the same thing on my VPS.

Does anyone have any idea what is generating these requests?

Code:

::1 - - [30/Apr/2008:04:43:26 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -
::1 - - [30/Apr/2008:04:43:28 +0100] "OPTIONS * HTTP/1.0" 200 -

anton_latvia · May 7, 2008

That is you, yourself and WHM, viewing "Apache status". I suppose you run Apache 2.x? Unfortunately I don't know how to fix it.. We simply use good-old Apache 1.3.

Thread starter	Similar threads	Forum	Replies	Date
U	Apache weird load	Web Servers and Applications	3	May 13, 2015
F	Weird HTML encoding problem with PHP mail after upgrade (easyapache)	Web Servers and Applications	0	Mar 20, 2012
A	Weird problem while rebuilding APACHE config	Web Servers and Applications	0	Jan 23, 2009
S	Intermittent Apache/PHP Weirdness	Web Servers and Applications	2	May 4, 2008
G	weird apache log data during High Load	Web Servers and Applications	1	Apr 15, 2008

Search

Search

weird apache requests

minzliu

Registered

viraj

Well-Known Member

cpanelinfoseeker

Well-Known Member

minzliu

Registered

MindStar

Member

anton_latvia

Well-Known Member