Re: [bitfolk] Apache Overwhelmed

Top Page
This message is part of the following thread:
M++\the complete thread tree sorted by date
MMMMMichael Corliss at <-
MMMMartijn Grooten at ->

Reply to this message
Author: Daniel Case
Date:  
To: Michael Corliss
CC: BitFolk Users
Subject: Re: [bitfolk] Apache Overwhelmed
Hi Michael,

You could attempt to block the user agent, as it looks like they're all
using IE6/WinXP, as long as you don't have any legitimate users that still
use IE6 - at least as a temporary resolution. You could put something like
this in your virtual host on Apache:

<Directory />
SetEnvIfNoCase User-Agent "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1)" bad_user
Deny from env=bad_user
</Directory>




On 25 August 2013 16:34, Michael Corliss <michaeljcorliss@???> wrote:

> Hello,
>
> My site was running very slowly this morning, and when I looked at top it
> showed a lot more apache processes than usual. My apache logs show several
> generic-looking requests per second all day, all from different IPs but the
> same user agent:
>
> 203.177.174.141 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
>> 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 117.7.236.73 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 216.178.85.218 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 49.206.63.20 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 59.149.127.101 - - [25/Aug/2013:06:57:47 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 111.254.38.56 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
>> 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 190.154.108.28 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 60.240.213.10 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200
>> 18876 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 41.74.72.186 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 5.166.34.40 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 213.57.146.253 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
>> 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 188.245.63.129 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 171.97.140.82 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200
>> 13140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 188.136.214.3 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 74.197.170.177 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 106.241.51.51 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
>> 21900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 178.32.159.163 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200
>> 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 110.55.2.241 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 97.66.102.42 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 2.181.22.211 - - [25/Aug/2013:06:57:51 +0000] "POST / HTTP/1.1" 200 29841
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 95.58.227.174 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 91.84.209.34 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 25078
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 9101
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 80.187.102.48 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
>> 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 162.40.113.3 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.0" 200 29739
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 74.246.72.161 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 69.31.103.15 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 18824
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 95.56.48.194 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 0 "-"
>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 91.234.62.104 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
>> 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 117.201.49.234 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
>> 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 110.93.93.232 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 49.144.94.153 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 49.206.63.20 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 75.5.224.39 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 222.253.203.151 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 0
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 116.71.205.203 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200
>> 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 76.231.201.4 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841
>> "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 113.185.6.125 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
>> 20250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>
>
> This goes on and on. I've stopped apache and everything seems to be
> working normally.
>
> I've found some suggestions that this UA is associated with malicious
> bots; is this a DDOS? Who would want to DDOS a piddly discussion forum?
> Any advice on making it useable again?
>
> Thanks,
> Mike
>
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
>
>
This message was posted to the following mailing lists:
users
Mailing List Info | Nearby Messages		<-[bitfolk] Apache OverwhelmedRe: [bitfolk] Apache Overwhelmed->
Bitfolk Mailing List Archive administrated by List AdminLurker (version 2.3)