Hi Michael,
You could attempt to block the user agent, as it looks like they're all
using IE6/WinXP, as long as you don't have any legitimate users that still
use IE6 - at least as a temporary resolution. You could put something like
this in your virtual host on Apache:
<Directory />
    # Parentheses and dots are escaped so the regex matches the literal User-Agent string
    SetEnvIfNoCase User-Agent "Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1; SV1\)" bad_user
    Deny from env=bad_user
</Directory>
On 25 August 2013 16:34, Michael Corliss <michaeljcorliss(a)gmail.com> wrote:
Hello,
My site was running very slowly this morning, and when I looked at top it
showed a lot more apache processes than usual. My apache logs show several
generic-looking requests per second all day, all from different IPs but the
same user agent:
203.177.174.141 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.7.236.73 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.178.85.218 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.149.127.101 - - [25/Aug/2013:06:57:47 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
111.254.38.56 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.154.108.28 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
60.240.213.10 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200
18876 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.74.72.186 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
5.166.34.40 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
213.57.146.253 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.63.129 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
171.97.140.82 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200
13140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.136.214.3 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.197.170.177 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
106.241.51.51 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200
21900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
178.32.159.163 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200
25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.55.2.241 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
97.66.102.42 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2.181.22.211 - - [25/Aug/2013:06:57:51 +0000] "POST / HTTP/1.1" 200 29841
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.58.227.174 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.84.209.34 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 25078
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 9101
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
162.40.113.3 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.0" 200 29739
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.246.72.161 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
69.31.103.15 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 18824
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.56.48.194 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 0
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.234.62.104 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.201.49.234 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.93.93.232 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.144.94.153 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.5.224.39 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
222.253.203.151 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 0
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
116.71.205.203 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200
29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
76.231.201.4 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
113.185.6.125 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200
20250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
This goes on and on. I've stopped apache and everything seems to be
working normally.
I've found some suggestions that this UA is associated with malicious
bots; is this a DDOS? Who would want to DDOS a piddly discussion forum?
Any advice on making it useable again?
Thanks,
Mike
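
Before applying a User-Agent block like the one suggested in this thread, it helps to check what else in the access log carries that string. The following is an added example, not part of the original thread: it parses combined-format log lines and separates the `POST /` flood from requests that look like normal browsing. The sample log lines, their addresses (documentation ranges) and the `block_impact` helper are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent string reported in the thread.
FLOOD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample log: three flood-style requests, one ordinary page view
# that happens to use the same User-Agent, and one unrelated browser.
SAMPLE_LOG = [
    f'192.0.2.10 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "{FLOOD_UA}"',
    f'198.51.100.7 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "{FLOOD_UA}"',
    f'192.0.2.10 - - [25/Aug/2013:06:57:47 +0000] "POST / HTTP/1.1" 200 29841 "-" "{FLOOD_UA}"',
    f'203.0.113.5 - - [25/Aug/2013:06:58:02 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 18310 '
    f'"http://forum.example/index.php" "{FLOOD_UA}"',
    '203.0.113.9 - - [25/Aug/2013:06:58:03 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"',
]


def parse(lines):
    """Yield one dict per well-formed log line; skip anything that does not parse."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_flood(entry):
    """The pattern seen in the thread: POST to the site root with no referer."""
    return entry["method"] == "POST" and entry["path"] == "/" and entry["referer"] == "-"


def block_impact(lines, ua=FLOOD_UA):
    """Summarise what a block on `ua` would stop, and which hits look like real users."""
    hits = [e for e in parse(lines) if e["ua"] == ua]
    flood = [e for e in hits if is_flood(e)]
    return {
        "matching_requests": len(hits),
        "flood_requests": len(flood),
        "distinct_flood_ips": len({e["ip"] for e in flood}),
        # Requests a UA block would also reject; review these before deploying it.
        "possible_legit": [(e["ip"], e["method"], e["path"]) for e in hits if not is_flood(e)],
    }


if __name__ == "__main__":
    print(block_impact(SAMPLE_LOG))
```

To run it against a real log, pass an open file object instead of `SAMPLE_LOG`; a non-empty `possible_legit` list means the block will also turn away those visitors.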