potman100
Joined: 06 May 2006 Posts: 5
Posted: Sat 06 May '06 17:41 Post subject: Web Server Gettin Slammed Help Please

Hi
Seems I've upset someone and here's a few lines from my access log:
87.240.144.34 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?3995167=3995167 HTTP/1.0" 403 291
85.226.163.207 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=491294112 HTTP/1.1" 403 291
62.252.224.17 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=015075106 HTTP/1.1" 403 289
62.194.5.113 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?4021145=4021145 HTTP/1.1" 403 291
213.249.231.35 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=466537924 HTTP/1.1" 403 291
196.40.43.218 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?3867481=3867481 HTTP/1.1" 403 291
24.226.164.248 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=467529417 HTTP/1.1" 403 289
84.57.164.4 - - [06/May/2006:08:36:24 -0700] "GET /index.php?9090083=9090083 HTTP/1.1" 403 289
85.166.215.236 - - [06/May/2006:08:36:22 -0700] "GET /paymentfailed.php HTTP/1.1" 200 18382
63.194.248.74 - - [06/May/2006:08:36:24 -0700] "GET /paymentfailed.php HTTP/1.1" 200 16411
213.214.207.62 - - [06/May/2006:08:36:24 -0700] "GET /index.php?5646167=5646167 HTTP/1.1" 403 289
72.57.193.84 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=014519354 HTTP/1.1" 403 291
62.131.109.173 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=076414357 HTTP/1.1" 403 291
85.48.134.178 - - [06/May/2006:08:36:24 -0700] "GET /index.php?8378819=8378819 HTTP/1.1" 403 289
84.30.212.160 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=268563178 HTTP/1.1" 403 289
80.4.224.7 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=251056255 HTTP/1.1" 403 289
81.153.221.139 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=022886452 HTTP/1.1" 403 291
83.225.147.53 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=282911118 HTTP/1.1" 403 291
195.93.21.38 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=727881621 HTTP/1.1" 403 291
82.154.162.220 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=206942246 HTTP/1.1" 403 291
81.215.229.225 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?5194163=5194163 HTTP/1.1" 403 291
85.124.75.85 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=572494406 HTTP/1.1" 302 -
83.108.201.30 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=986328905 HTTP/1.1" 302 -
69.66.87.121 - - [06/May/2006:08:36:23 -0700] "GET /anotify.php?fuckyou=831093031 HTTP/1.1" 302 -
82.65.32.92 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=217257520 HTTP/1.1" 403 289
68.202.54.17 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?8955308=8955308 HTTP/1.1" 200 8423
200.195.53.135 - - [06/May/2006:08:36:24 -0700] "GET /index.php?2517431=2517431 HTTP/1.0" 403 289
195.93.21.10 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=828452340 HTTP/1.1" 403 291
85.124.75.85 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?2418504=2418504 HTTP/1.1" 200 8423
70.82.251.3 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=680299710 HTTP/1.1" 403 291
80.177.154.49 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=921625544 HTTP/1.1" 302 -
82.3.32.74 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?0489366=0489366 HTTP/1.1" 403 291
80.202.132.36 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=181659222 HTTP/1.1" 403 291
190.10.0.10 - - [06/May/2006:08:36:24 -0700] "GET /paymentfailed.php HTTP/1.1" 200 18382
80.177.154.49 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?7854440=7854440 HTTP/1.1" 200 8423
80.223.254.82 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=168685874 HTTP/1.1" 403 289
86.81.20.95 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=336709703 HTTP/1.1" 403 289
89.146.136.181 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=405900066 HTTP/1.1" 403 289
142.167.12.33 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=572029257 HTTP/1.1" 403 291
87.203.255.194 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?5512587=5512587 HTTP/1.1" 403 291
151.50.74.27 - - [06/May/2006:08:36:23 -0700] "GET /anotify.php?fuckyou=013413797 HTTP/1.1" 302 -
12.215.148.223 - - [06/May/2006:08:36:23 -0700] "GET /anotify.php?fuckyou=785178851 HTTP/1.1" 302 -
24.138.247.175 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=039904874 HTTP/1.1" 403 289
85.224.93.231 - - [06/May/2006:08:36:24 -0700] "GET /anotify.php?fuckyou=829406379 HTTP/1.1" 403 291
70.48.171.7 - - [06/May/2006:08:36:24 -0700] "GET /index.php?7718535=7718535 HTTP/1.1" 403 289
72.57.193.84 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?6666653=6666653 HTTP/1.1" 403 291
80.177.154.49 - - [06/May/2006:08:36:24 -0700] "GET /paymentfailed.php HTTP/1.1" 200 16411
85.226.163.207 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?2963707=2963707 HTTP/1.1" 403 291
81.69.162.107 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?9595853=9595853 HTTP/1.1" 403 291
62.131.109.173 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?9018296=9018296 HTTP/1.1" 403 291
I've used htaccess to block them, but it's still using CPU and memory; however, having set the worker threads to 1250, approx. every 10 min they recycle and clear the used memory and CPU.
My question is: how do I stop this?
They are not affecting my website.
Sorry, don't know a great deal about Apache.
Thanks in advance for any help.
Regards
Potman
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sat 06 May '06 17:53 Post subject:

A firewall blocking the IP would help. Best would be a configurable hardware firewall. A firewall doesn't use so much CPU time and memory.
Secondly, I would look up the provider of those guests
http://www.ripe.net/whois-advanced
and let the provider take responsibility. But I think you won't get the special guests, because the IP changes too often.
What does your .htaccess file look like? Maybe we can improve it.
potman100
Joined: 06 May 2006 Posts: 5
Posted: Sat 06 May '06 17:59 Post subject:

Hi
Thanks for the reply; because the IPs change, it makes it difficult with the firewall idea?
htaccess is:
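RewriteEngine on
# Options +FollowSymlinks
# Refuse (403 Forbidden) any request whose Referer matches one of these sites
RewriteCond %{HTTP_REFERER} cdcovers\.cc [NC,OR]
RewriteCond %{HTTP_REFERER} chitika\.net [NC,OR]
RewriteCond %{HTTP_REFERER} isohunt\.com [NC]
RewriteRule .* - [F]
<Limit GET>
# Evaluate Allow before Deny so the deny lines win; under the default
# "Order Deny,Allow" the "allow from all" line would cancel every deny
Order Allow,Deny
deny from 204.246.129.196
deny from 83.225.213.244
deny from 66.17.15.176
deny from 87.52.103.119
deny from 85.66.121.51
deny from 84.222.2.6
allow from all
</Limit>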
Like I say, found these bits on the net.
Found this post also
http://www.apachelounge.com/viewtopic.php?t=274
Was going to add this to the httpd.conf?
Regards
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sat 06 May '06 18:11 Post subject:

You have to download mod_security from this page. Put it into the modules folder and then just copy the line and put it at the end of your httpd.conf (don't forget to restart Apache).
potman100
Joined: 06 May 2006 Posts: 5
Posted: Sat 06 May '06 18:42 Post subject:

Have done that, but it seems to be using more CPU?
Any ideas?
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sat 06 May '06 19:48 Post subject:

Every webmaster has to live with this, lots of bogus requests, me too.
Steffen
potman100
Joined: 06 May 2006 Posts: 5
Posted: Sat 06 May '06 19:52 Post subject:

Might not be able to stop it, but can complain about it!
Just knocking up an access log scanner: it scans, then does an auto whois, extracts the abuse email address and auto-emails the host.
Let me know if this will help you and I'll post it somewhere.
Regards
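The log-scanning step of the tool described in the post above, as an added example (not the script from the thread): it parses Common Log Format lines, flags requests whose query string matches two shapes seen in the posted log, and lists flagged requests that were not answered with 403. The signature names and regexes are assumptions read off the log sample; the whois lookup and e-mail steps are left out.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) \S+$')

# Assumed flood signatures read off the posted log (not validated against real URLs)
SIGNATURES = {
    "numeric_key_equals_value": re.compile(r"^(\d{7})=\1$"),
    "alpha_key_9_digit_value": re.compile(r"^[A-Za-z]+=\d{9}$"),
}

# Seven lines copied from the access log in the first post.
SAMPLE_LOG = """\
87.240.144.34 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?3995167=3995167 HTTP/1.0" 403 291
62.252.224.17 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=015075106 HTTP/1.1" 403 289
24.226.164.248 - - [06/May/2006:08:36:24 -0700] "GET /index.php?sid=467529417 HTTP/1.1" 403 289
85.166.215.236 - - [06/May/2006:08:36:22 -0700] "GET /paymentfailed.php HTTP/1.1" 200 18382
68.202.54.17 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?8955308=8955308 HTTP/1.1" 200 8423
85.124.75.85 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?2418504=2418504 HTTP/1.1" 200 8423
80.177.154.49 - - [06/May/2006:08:36:24 -0700] "GET /Contact.php?7854440=7854440 HTTP/1.1" 200 8423
"""

def classify(target):
    """Return the name of the flood signature the query string matches, or None."""
    query = target.partition("?")[2]
    return next((n for n, rx in SIGNATURES.items() if rx.match(query)), None)

def scan(log_text):
    """Count flagged requests per signature and client; list those not refused."""
    by_sig, by_ip, unblocked, parsed = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        parsed += 1
        ip, target, status = m.groups()
        sig = classify(target)
        if sig is None:
            continue
        by_sig[sig] += 1
        by_ip[ip] += 1
        if status != "403":  # flagged request the current rules let through
            unblocked.append((ip, target, status))
    return {"parsed": parsed, "by_signature": dict(by_sig),
            "distinct_ips": len(by_ip), "unblocked": unblocked}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

On this sample every flagged request comes from a different address, while the query-string shape stays the same, and three of the flagged requests were served with status 200.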
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 08 May '06 21:11 Post subject:

Indeed a good idea.
For your info:
The upcoming 2.0.0 release has support for RBL check IP address blocking.
I have already played with it:
SecFilterSignatureAction "log,deny,msg:'Blocking'"
SecFilterSelective IP_IS_BLOCKED "^1$" log,deny,status:403
SecFilterSelective REMOTE_ADDR "@rblCheck sbl-xbl.spamhaus.org"
Steffen