  1. #1
    Join Date
    Dec 2004
    Posts
    59

    is this an attack? can I do something?

    snippet from the Apache logs:

    White Box Enterprise Linux
    Pentium 4
    Single Domain on the entire server.
    Apache 1.3.34
    PHP 4.4.1
    DirectAdmin control panel


    84.94.129.43 - - [29/Nov/2005:20:09:40 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    62.0.180.38 - - [29/Nov/2005:20:11:06 +0200] "GET /forums HTTP/1.1" 301 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    62.0.180.38 - - [29/Nov/2005:20:11:12 +0200] "GET /forums HTTP/1.1" 301 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    62.0.80.18 - - [29/Nov/2005:20:13:17 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    62.0.180.38 - - [29/Nov/2005:20:13:40 +0200] "GET /forums HTTP/1.1" 301 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    82.81.139.92 - - [29/Nov/2005:20:14:32 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    62.0.80.18 - - [29/Nov/2005:20:14:39 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    85.64.67.73 - - [29/Nov/2005:20:14:57 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    80.230.81.15 - - [29/Nov/2005:20:15:21 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    84.94.6.81 - - [29/Nov/2005:20:15:25 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    81.218.63.59 - - [29/Nov/2005:20:15:32 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    82.81.79.96 - - [29/Nov/2005:20:15:55 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    84.110.75.157 - - [29/Nov/2005:20:16:05 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    87.68.52.178 - - [29/Nov/2005:20:16:04 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    209.237.238.179 - - [29/Nov/2005:20:16:09 +0200] "GET /forums/member.php?amp;u=3145 HTTP/1.0" 200 - "-" "ia_archiver"
    84.94.129.43 - - [29/Nov/2005:20:16:08 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    80.230.81.15 - - [29/Nov/2005:20:16:15 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    80.230.81.15 - - [29/Nov/2005:20:16:19 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    80.230.81.15 - - [29/Nov/2005:20:16:28 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    84.109.133.221 - - [29/Nov/2005:20:16:19 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; he-IL; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
    81.218.63.59 - - [29/Nov/2005:20:16:22 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    62.0.180.38 - - [29/Nov/2005:20:16:33 +0200] "GET /forums HTTP/1.1" 301 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    Is this an attack?
    Is there a way to block it?

  2. #2
    Join Date
    Aug 2002
    Location
    Superior, CO, USA
    Posts
    633
    Do you mean the GETs for / or /forums with no referrer? It is likely that this is a probe for things like your O/S and Apache version and looking for unpatched software.

    They aren't too frequent for you - I personally wouldn't worry about it if you are pretty vigilant with updates and so on. If you wanted to you could use mod_security to filter this kind of stuff out but that would be up to you.
    Need Java help? Want to help people who do? Sit down with a cup of Java at the hotjoe forums.

  3. #3
    Join Date
    Jul 2003
    Location
    Connecticut
    Posts
    3,038
    Is that the whole log or just a snippet?

  4. #4
    Join Date
    Dec 2004
    Posts
    59
    Well, this is just a snippet.
    Someone is really pulling heavy-duty attacks on my domain/server, so big that the NOC had to shut my IP down!
    We re-opened the IP, but with blocking of practically all world access except my country.
    WITH THAT, my load is running at about 0.20.
    However, today at 20:00, the attack came again, and the load got up to... ready?...

    1,003.0

    It took me about 5 minutes till my SSH prompt allowed me to kill Apache.
    Since it got killed, the load has dropped down again to 0.xx.
    So I started looking at the logs of today, and saw that repeating occurrence of no data in the GET, and figured, OK, maybe this is some sort of an attack.
    Perhaps this is not it, and I should be looking further down.

    Well, I looked further down, and didn't see anything that was standing out other than lots of those entries.

    If that is not the source of the problem, I just don't know what else to look at.

    This is the error_log

    [Tue Nov 29 20:02:44 2005] [notice] child pid 2364 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    [Tue Nov 29 20:04:40 2005] [notice] child pid 2362 exit signal Segmentation fault (11)
    [Tue Nov 29 20:05:15 2005] [error] server reached MaxClients setting, consider raising the MaxClients setting
    [Tue Nov 29 20:07:11 2005] [notice] child pid 2821 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    [Tue Nov 29 20:10:35 2005] [notice] child pid 2724 exit signal Segmentation fault (11)
    [Tue Nov 29 20:10:50 2005] [notice] child pid 2718 exit signal Segmentation fault (11)
    [Tue Nov 29 20:11:13 2005] [notice] child pid 3255 exit signal Segmentation fault (11)
    [Tue Nov 29 20:11:28 2005] [notice] child pid 3154 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    [Tue Nov 29 20:13:51 2005] [notice] child pid 3378 exit signal Segmentation fault (11)
    [Tue Nov 29 20:14:04 2005] [notice] child pid 3320 exit signal Segmentation fault (11)
    [Tue Nov 29 20:15:10 2005] [notice] child pid 2361 exit signal Segmentation fault (11)
    [Tue Nov 29 20:15:53 2005] [notice] child pid 3157 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    [Tue Nov 29 20:18:07 2005] [notice] child pid 3263 exit signal Segmentation fault (11)
    [Tue Nov 29 20:19:46 2005] [notice] child pid 3256 exit signal Segmentation fault (11)
    [Tue Nov 29 20:20:12 2005] [notice] child pid 3264 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    [Tue Nov 29 20:22:53 2005] [notice] child pid 3249 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    free(): invalid pointer 0x8525d30!
    [Tue Nov 29 20:23:38 2005] [notice] child pid 3159 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    [Tue Nov 29 20:24:09 2005] [notice] child pid 3113 exit signal Segmentation fault (11)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 2 bytes)
    [Tue Nov 29 20:25:00 2005] [notice] child pid 3163 exit signal Segmentation fault (11)
    Is there any indication here?

  5. #5
    Join Date
    Jul 2003
    Location
    Connecticut
    Posts
    3,038
    Can you run this command and output the data here?


    netstat -n | grep :80 |wc -l

  6. #6
    Join Date
    Dec 2004
    Posts
    59
    netstat -n | grep :80 |wc -l
    2
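
A triage sketch for the kind of access log posted in this thread, added here as an example and not part of the original posts: it counts requests per client, requests with no referrer, and the busiest minute, so the log itself shows whether the request volume is large enough to explain the load. The sample lines are constructed (documentation IP ranges), and `triage` and its `per_ip_threshold` parameter are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" format; not the poster's log.
SAMPLE = """\
192.0.2.10 - - [29/Nov/2005:20:16:01 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [29/Nov/2005:20:16:05 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [29/Nov/2005:20:16:09 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [29/Nov/2005:20:16:12 +0200] "GET /forums HTTP/1.1" 301 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [29/Nov/2005:20:16:30 +0200] "GET /forums/index.php HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (Windows; U) Firefox/1.0.7"
192.0.2.10 - - [29/Nov/2005:20:17:02 +0200] "GET / HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [29/Nov/2005:20:17:10 +0200] "GET /forums HTTP/1.1" 301 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
this line is not an access-log entry
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def triage(log_text, per_ip_threshold=3):
    """Summarise an access log: volume, no-referrer hits, peak minute, repeat clients."""
    per_ip, per_minute = Counter(), Counter()
    total = no_referer = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        total += 1
        per_ip[m["ip"]] += 1
        # Bucket on the logged timestamp ("29/Nov/2005:20:16"); entries are
        # written when a request finishes, so file order is not time order.
        per_minute[m["ts"][:17]] += 1
        if m["referer"] in ("", "-"):
            no_referer += 1
    return {
        "total": total,
        "no_referer": no_referer,
        "peak_minute": per_minute.most_common(1)[0] if per_minute else None,
        "repeat_clients": {ip: n for ip, n in per_ip.items()
                           if n >= per_ip_threshold},
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A peak of a handful of requests per minute, as in the constructed sample, does not by itself account for a server hitting MaxClients; the count is what to compare against the error_log timestamps.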
