Topic: POST requests (Read 10122 times)
mhwatson (Newbie, Posts: 9)
POST requests « on: December 20, 2007, 00:18:59 »
Hi,
I have an Elxis site that is seeing logs like this every few seconds, and the cpu is running up to 100%.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
201.230.86.204 - - [19/Dec/2007:16:25:21 +0000] "POST /index.php HTTP/1.1" 200 9235 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
76.111.177.92 - - [19/Dec/2007:16:25:22 +0000] "POST /index.php HTTP/1.1" 200 9193 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
194.212.232.6 - - [19/Dec/2007:16:25:33 +0000] "POST /index.php HTTP/1.0" 200 9073 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
85.28.113.194 - - [19/Dec/2007:16:23:20 +0000] "POST /index.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
76.247.190.97 - - [19/Dec/2007:16:23:38 +0000] "POST /index.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.21.150.128 - - [19/Dec/2007:16:23:36 +0000] "POST /index.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.138.35.176 - - [19/Dec/2007:16:26:03 +0000] "POST /index.php HTTP/1.1" 200 9205 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
68.104.155.102 - - [19/Dec/2007:16:25:17 +0000] "POST /index.php HTTP/1.1" 200 1927 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
85.250.255.188 - - [19/Dec/2007:16:26:57 +0000] "POST /index.php HTTP/1.1" 200 9114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
68.187.251.227 - - [19/Dec/2007:16:27:04 +0000] "POST /index.php HTTP/1.1" 200 9199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.210.134.157 - - [19/Dec/2007:16:27:05 +0000] "POST /index.php HTTP/1.1" 200 1935 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
189.140.240.187 - - [19/Dec/2007:16:27:38 +0000] "POST /index.php HTTP/1.1" 200 9181 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.41.202.200 - - [19/Dec/2007:16:28:38 +0000] "POST /index.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
88.245.76.175 - - [19/Dec/2007:16:29:27 +0000] "POST /index.php HTTP/1.1" 200 9998 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.48.173.128 - - [19/Dec/2007:16:29:54 +0000] "POST /index.php HTTP/1.1" 200 9229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
201.240.24.205 - - [19/Dec/2007:16:30:14 +0000] "POST /index.php HTTP/1.1" 200 9193 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>>>>>>>>>>>>>>>>>>>>>>
Elxis shows 100+ visitors on line, whereas the true figure is about 30 per day! Other Elxis sites on my VPS are running normally.
Is there any way of controlling these 'hits'?
Thanks,
Martin.
http://games.watson-trant.com
http://www.watson-trant.com
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: POST requests « Reply #1 on: December 20, 2007, 08:47:57 »
Check your Apache logs to see if there is some kind of continuous attack or a script that continuously queries your site.
Do a test:
Empty the Elxis sessions table and refresh the site. Check if the number of visitors increases continuously by setting new sessions. Determine why this is happening. First check if the session write path is writable. If it is ok, then check the logs.
Elxis Team | Is Open Source | IOS Rentals | IOS AERO
mhwatson (Newbie, Posts: 9)
Re: POST requests « Reply #2 on: December 20, 2007, 17:01:04 »
Hi Datahell,
I took the site offline overnight, so that I could look again this morning. Sure enough, when I brought the site online, I was the only visitor. However, within a few seconds I had 9 visitors. Looking in the apache access log showed myself (naturally) and 8 of these POST requests = 9..... And the cpu was then 90+%.
I'm puzzled. Other Elxis sites on the VPS are unaffected, all are clean builds (within a few days of each other). The affected site has no 3rd party addons etc.
I've discussed it with the hosting provider - he is not sure how to proceed as the IPs are all unique. He would like me to keep the site offline (other than for testing) until I can resolve it.
Is it possible to do anything within a .htaccess file to mitigate against these attacks?
Martin.
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: POST requests « Reply #3 on: December 20, 2007, 17:54:03 »
You must block these attacks. If the IP changes continuously, then block the request. It should be the same or very similar in these POST requests. You can do it with htaccess or via Elxis defender.
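An added example, not part of the original thread or of Elxis: one way to find what "the same or very similar" means in the access log is to group requests by method, path, referer and user agent, then flag any referer-less POST fingerprint shared by many distinct IPs. The first five sample lines are copied from the first post; the last two lines, the function names and the `min_ips` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# First five lines are from the first post; the last two are constructed
# to stand for an ordinary visitor (hypothetical IP, referer and agent).
SAMPLE_LOG = """\
201.230.86.204 - - [19/Dec/2007:16:25:21 +0000] "POST /index.php HTTP/1.1" 200 9235 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
76.111.177.92 - - [19/Dec/2007:16:25:22 +0000] "POST /index.php HTTP/1.1" 200 9193 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
194.212.232.6 - - [19/Dec/2007:16:25:33 +0000] "POST /index.php HTTP/1.0" 200 9073 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
85.28.113.194 - - [19/Dec/2007:16:23:20 +0000] "POST /index.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
76.247.190.97 - - [19/Dec/2007:16:23:38 +0000] "POST /index.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [19/Dec/2007:16:24:01 +0000] "GET /index.php HTTP/1.1" 200 8120 "http://www.example.org/" "ExampleBrowser/1.0"
192.0.2.10 - - [19/Dec/2007:16:24:40 +0000] "POST /index.php HTTP/1.1" 200 8300 "http://www.example.org/index.php" "ExampleBrowser/1.0"
"""

def fingerprints(log_text):
    """Group requests by (method, path, referer, agent) and collect client IPs."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a combined-format line
        key = (m["method"], m["path"], m["referer"], m["agent"])
        groups[key]["hits"] += 1
        groups[key]["ips"].add(m["ip"])
    return groups

def suspicious(log_text, min_ips=3):
    """Fingerprints where many distinct IPs send an identical referer-less POST."""
    out = []
    for (method, path, referer, agent), g in fingerprints(log_text).items():
        if method == "POST" and referer in ("", "-") and len(g["ips"]) >= min_ips:
            out.append({"method": method, "path": path, "agent": agent,
                        "hits": g["hits"], "distinct_ips": len(g["ips"])})
    return sorted(out, key=lambda r: r["distinct_ips"], reverse=True)

if __name__ == "__main__":
    for row in suspicious(SAMPLE_LOG):
        print(row)
```

The access log records only the request line and headers, not the POST body, so a fingerprint found this way covers method, path, referer and user agent only.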
mhwatson (Newbie, Posts: 9)
Re: POST requests « Reply #4 on: December 20, 2007, 17:58:00 »
Hi Datahell,
Is it possible that you could give me an example filter config for Defender? I tried "POST /index.php HTTP/1.1" - they keep on coming!
Martin.
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: POST requests « Reply #5 on: December 20, 2007, 18:32:42 »
You must first see the whole POST request. This is only the file they request.
If it is for a non-profit site send me the site data via PM to check it by myself.
I will need FTP access to your site to create a check script in order to determine the origin of the attack.
If it is for a company website contact GO UP Inc (www.goup.gr) for professional support.
mhwatson (Newbie, Posts: 9)
Re: POST requests « Reply #6 on: December 20, 2007, 19:37:06 »
Hi,
I don't see from the logs which file they are requesting? The error log is full of lines like this:
Maximum execution time of 30 seconds exceeded in /var/www/vhosts/mortfamily.net/httpdocs/includes/Core/utf8.class.php on line 104
Is this connected?
I can't get the site online for more than a couple of minutes before the cpu is 100% and other sites are then unavailable. Everything else runs just fine once this particular domain is taken offline. As soon as it is online, the access log fills with:
"POST /index.php HTTP/1.1" 200 9235 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" type lines again.
Martin
« Last Edit: December 20, 2007, 20:13:18 by mhwatson »
mhwatson (Newbie, Posts: 9)
Re: POST requests « Reply #7 on: December 24, 2007, 17:39:48 »
Hi,
I'm still struggling with this one - I've been as far as dropping the whole domain and recreating it with just a bare Elxis site, but still the same thing happens. I'll look into it in a bit more detail over the holiday.
Thanks for the help,
Martin.