Hello,
My site was running very slowly this morning, and when I looked at top it
showed a lot more Apache processes than usual. My Apache logs show several
generic-looking requests per second all day, all from different IPs but the
same user agent:
203.177.174.141 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.7.236.73 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.178.85.218 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.149.127.101 - - [25/Aug/2013:06:57:47 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
111.254.38.56 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.154.108.28 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
60.240.213.10 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 18876 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.74.72.186 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
5.166.34.40 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
213.57.146.253 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.63.129 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
171.97.140.82 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 13140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.136.214.3 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.197.170.177 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
106.241.51.51 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 21900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
178.32.159.163 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.55.2.241 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
97.66.102.42 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2.181.22.211 - - [25/Aug/2013:06:57:51 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.58.227.174 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.84.209.34 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 25078 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 9101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
162.40.113.3 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.0" 200 29739 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.246.72.161 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
69.31.103.15 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 18824 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.56.48.194 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.234.62.104 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.201.49.234 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.93.93.232 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.144.94.153 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.5.224.39 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
222.253.203.151 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
116.71.205.203 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
76.231.201.4 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
113.185.6.125 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 20250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
This goes on and on. I've stopped Apache and everything seems to be
working normally.
I've found some suggestions that this UA is associated with malicious bots;
is this a DDoS? Who would want to DDoS a piddly discussion forum? Any
advice on making it useable again?
Thanks,
Mike
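
The pattern described in the message above (many source IPs, one request line, one user agent) does not show up in per-IP request counts, so the following added example, which is not part of the original post, groups an Apache combined-format log by request signature instead. The function name, thresholds and sample lines are assumptions made for illustration; the sample uses constructed documentation-range IPs with the user agent quoted in the post.

```python
import re
from collections import defaultdict

# Apache "combined" log format, one entry per line, as quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_floods(lines, min_ips=5, min_share=0.5):
    """Flag (method, path, user agent) groups that dominate the log
    while being spread over many distinct client IPs (hypothetical helper)."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set()})
    total = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or line-wrapped entries rather than guess
        total += 1
        g = groups[(m["method"], m["path"], m["ua"])]
        g["hits"] += 1
        g["ips"].add(m["ip"])
    flagged = [
        {"key": key, "hits": g["hits"], "ips": len(g["ips"])}
        for key, g in groups.items()
        if len(g["ips"]) >= min_ips and g["hits"] / total >= min_share
    ]
    return sorted(flagged, key=lambda f: -f["hits"])

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
# Constructed sample: eight flood-style entries plus two ordinary page views.
SAMPLE = [
    f'198.51.100.{i} - - [25/Aug/2013:06:57:4{i % 10} +0000] '
    f'"POST / HTTP/1.1" 200 29841 "-" "{UA}"'
    for i in range(1, 9)
] + [
    '192.0.2.10 - - [25/Aug/2013:06:57:50 +0000] "GET /forum/ HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [25/Aug/2013:06:57:51 +0000] "GET /style.css HTTP/1.1" '
    '200 812 "http://forum.example/forum/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for f in find_floods(SAMPLE):
        method, path, ua = f["key"]
        print(f'{f["hits"]} x {method} {path} from {f["ips"]} IPs, UA: {ua}')
```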