Bandwidth usage increase and Access log

Wed, 10/02/2013 - 04:53
willrendell

Hello

I have a domain that normally uses just over 1 GB of bandwidth a month. The last few days this has jumped up to over 46 GB. I have checked the access log for the particular domain and it's constantly getting written to with the following from random IPs:

195.24.209.21 - - [30/Sep/2013:16:32:20 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
92.98.101.112 - - [30/Sep/2013:16:32:20 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
79.39.116.86 - - [30/Sep/2013:16:32:21 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.118.93.99 - - [30/Sep/2013:16:32:21 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
186.3.29.242 - - [30/Sep/2013:16:32:21 +0100] "POST / HTTP/1.0" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.31.125.58 - - [30/Sep/2013:16:32:21 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.230.5.49 - - [30/Sep/2013:16:32:21 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
121.54.29.52 - - [30/Sep/2013:16:32:21 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
186.91.198.194 - - [30/Sep/2013:16:32:22 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
92.98.101.112 - - [30/Sep/2013:16:32:22 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
195.50.152.138 - - [30/Sep/2013:16:32:22 +0100] "POST / HTTP/1.0" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.154.138.78 - - [30/Sep/2013:16:32:23 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
115.147.72.38 - - [30/Sep/2013:16:32:24 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2.135.187.102 - - [30/Sep/2013:16:32:24 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
195.114.253.21 - - [30/Sep/2013:16:32:24 +0100] "POST / HTTP/1.1" 200 14254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Can anyone shed any light on what the problem might be?

Thanks

Will

Wed, 10/02/2013 - 06:52
Locutus

What exactly are you hosting on that domain? Anything that has a login form on the "/" URL? The log entries you posted look like a distributed attack to me, either to crack passwords, or to overload the server.

You might want to use tcpdump to capture port 80 packets and see what's in those POST requests. You can also use mod_qos to limit the number of requests allowed per time interval to specific URLs. You can't prevent distributed attacks though.
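The triage Locutus is suggesting can be done directly on the access log before any packet capture: group requests by everything except the source address and see how many different addresses produced each identical tuple. The script below is an added example, not code from this thread or from Virtualmin. The first fifteen log lines are copied from the opening post; the two GET lines are constructed benign traffic from the documentation range 198.51.100.0/24, and the thresholds (10 distinct addresses within 60 seconds) are assumptions.

```python
"""Added example, not code from the thread: triage Apache combined-log lines for
the pattern Locutus describes, many different client addresses sending
byte-identical requests to one URL with one User-Agent.

The first fifteen lines are copied from the access log quoted in the opening post;
the two GET lines are constructed benign traffic from the documentation range
198.51.100.0/24. The thresholds are assumptions, not values from the thread."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
SAMPLE_LOG = [
    f'{ip} - - [30/Sep/2013:16:32:{sec} +0100] "POST / HTTP/{ver}" 200 14254 "-" "{UA}"'
    for ip, sec, ver in [
        ("195.24.209.21", "20", "1.1"), ("92.98.101.112", "20", "1.1"),
        ("79.39.116.86", "21", "1.1"), ("217.118.93.99", "21", "1.1"),
        ("186.3.29.242", "21", "1.0"), ("64.31.125.58", "21", "1.1"),
        ("41.230.5.49", "21", "1.1"), ("121.54.29.52", "21", "1.1"),
        ("186.91.198.194", "22", "1.1"), ("92.98.101.112", "22", "1.1"),
        ("195.50.152.138", "22", "1.0"), ("24.154.138.78", "23", "1.1"),
        ("115.147.72.38", "24", "1.1"), ("2.135.187.102", "24", "1.1"),
        ("195.114.253.21", "24", "1.1"),
    ]
] + [  # constructed benign visitors, same page size but normal GETs and browsers
    f'198.51.100.7 - - [30/Sep/2013:16:32:21 +0100] "GET /index.html HTTP/1.1" 200 14254 "-" "{BENIGN_UA}"',
    f'198.51.100.9 - - [30/Sep/2013:16:32:23 +0100] "GET /index.html HTTP/1.1" 200 14254 "-" "{BENIGN_UA}"',
]


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_distributed_pattern(lines, min_distinct_ips=10, window_seconds=60):
    """Group requests by (method, path, status, size, user-agent) and report every
    group served to at least min_distinct_ips different addresses within
    window_seconds. Real visitors to one page show a mix of user agents and
    paths; one fixed tuple arriving from many sources is the distributed-client
    signature seen in the thread."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            key = (rec["method"], rec["path"], rec["status"], rec["size"], rec["ua"])
            groups[key].append(rec)

    findings = []
    for (method, path, status, size, ua), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        ips = {r["ip"] for r in recs}
        if len(ips) < min_distinct_ips or span > window_seconds:
            continue
        rate = len(recs) / max(span, 1.0)  # requests per second over the span
        findings.append({
            "method": method, "path": path, "status": status, "size": size, "ua": ua,
            "requests": len(recs), "distinct_ips": len(ips),
            "span_seconds": span, "req_per_sec": rate,
            # response bytes only, i.e. what the outbound bandwidth counter sees
            "bytes_per_day": int(rate * size * 86400),
        })
    return findings


if __name__ == "__main__":
    for f in find_distributed_pattern(SAMPLE_LOG):
        print(f"{f['method']} {f['path']} -> {f['status']} {f['size']}B: "
              f"{f['requests']} requests from {f['distinct_ips']} addresses in "
              f"{f['span_seconds']:.0f}s, ~{f['bytes_per_day'] / 1e9:.1f} GB/day")
```

Run it against the real log with `find_distributed_pattern(open(path))`. The bytes-per-day figure is only the 14254-byte response multiplied out over the observed rate, which is the number to compare against the bandwidth graph; it says nothing about what the POST bodies contain, which is where tcpdump comes in.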

Thu, 10/10/2013 - 07:32
willrendell

Thanks for the reply

There are no login forms on that domain; it's only hosting flat HTML files.

Thu, 10/10/2013 - 08:11
Locutus

Okay, I listed further suggestions in my previous post, you might want to try those.

Thu, 10/10/2013 - 11:35
willrendell

I have just tried "tcpdump port 80" and have got the following; I can't really see anything to do with POST?

15:07:07.181036 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: P 1:498(497) ack 1 win 65535
15:07:07.181071 IP vm1.mydomain.com.http > dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953: . ack 498 win 15544
15:07:07.181473 IP vm1.mydomain.com.http > dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953: . 1:14521(14520) ack 498 win 15544
15:07:07.181573 IP vm1.mydomain.com.http > dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953: FP 14521:14522(1) ack 498 win 15544
15:07:07.354586 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: . ack 2905 win 65535
15:07:07.358599 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: . ack 5809 win 65535
15:07:07.363797 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: . ack 8713 win 65535
15:07:07.368448 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: . ack 11617 win 64083
15:07:07.372395 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: . ack 14523 win 61178
15:07:07.378314 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: . ack 14523 win 64938
15:07:07.380039 IP dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953 > vm1.mydomain.com.http: F 498:498(0) ack 14523 win 64938
15:07:07.380056 IP vm1.mydomain.com.http > dsl-187-145-93-74-dyn.prod-infinitum.com.mx.51953: . ack 499 win 15544
15:07:08.166951 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: S 3462524049:3462524049(0) win 65535 <mss 1460,nop,nop,sackOK>
15:07:08.167033 IP vm1.mydomain.com.http > 187-92-243-242.customer.tdatabrasil.net.br.34633: S 790276977:790276977(0) ack 3462524050 win 14600 <mss 1460,nop,nop,sackOK>
15:07:08.397147 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 1 win 65535
15:07:08.399613 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: P 1:474(473) ack 1 win 65535
15:07:08.399647 IP vm1.mydomain.com.http > 187-92-243-242.customer.tdatabrasil.net.br.34633: . ack 474 win 15544
15:07:08.400055 IP vm1.mydomain.com.http > 187-92-243-242.customer.tdatabrasil.net.br.34633: . 1:13141(13140) ack 474 win 15544
15:07:08.400109 IP vm1.mydomain.com.http > 187-92-243-242.customer.tdatabrasil.net.br.34633: P 13141:14522(1381) ack 474 win 15544
15:07:08.400168 IP vm1.mydomain.com.http > 187-92-243-242.customer.tdatabrasil.net.br.34633: F 14522:14522(0) ack 474 win 15544
15:07:08.642741 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 2921 win 65535
15:07:08.648944 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 4381 win 65535
15:07:08.661120 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 7301 win 65535
15:07:08.667019 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 8761 win 65535
15:07:08.679407 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 11681 win 65535
15:07:08.685404 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 13141 win 65535
15:07:08.690630 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 13141 win 65535 <nop,nop,sack 1 {14522:14523}>
15:07:08.691050 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: . ack 14523 win 64154
15:07:08.691313 IP 187-92-243-242.customer.tdatabrasil.net.br.34633 > vm1.mydomain.com.http: F 474:474(0) ack 14523 win 64154
15:07:08.691342 IP vm1.mydomain.com.http > 187-92-243-242.customer.tdatabrasil.net.br.34633: . ack 475 win 15544
15:07:10.071723 IP 181.67.110.31.17645 > vm1.mydomain.com.http: S 3860340308:3860340308(0) win 65535 <mss 1400,nop,nop,sackOK>
15:07:10.071792 IP vm1.mydomain.com.http > 181.67.110.31.17645: S 3341004785:3341004785(0) ack 3860340309 win 14600 <mss 1460,nop,nop,sackOK>
15:07:10.080875 IP 117.242.253.40.34216 > vm1.mydomain.com.http: S 2554085428:2554085428(0) win 65535 <mss 1420,nop,nop,sackOK>
15:07:10.080941 IP vm1.mydomain.com.http > 117.242.253.40.34216: S 4133925706:4133925706(0) ack 2554085429 win 14600 <mss 1460,nop,nop,sackOK>
15:07:10.330895 IP 181.67.110.31.17645 > vm1.mydomain.com.http: . ack 1 win 65535
15:07:10.344369 IP 181.67.110.31.17645 > vm1.mydomain.com.http: P 1:505(504) ack 1 win 65535
15:07:10.344395 IP vm1.mydomain.com.http > 181.67.110.31.17645: . ack 505 win 15544
15:07:10.344804 IP vm1.mydomain.com.http > 181.67.110.31.17645: . 1:14001(14000) ack 505 win 15544
15:07:10.344904 IP vm1.mydomain.com.http > 181.67.110.31.17645: FP 14001:14522(521) ack 505 win 15544
15:07:10.399341 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 1 win 65535
15:07:10.408485 IP 117.242.253.40.34216 > vm1.mydomain.com.http: P 1:425(424) ack 1 win 65535
15:07:10.408514 IP vm1.mydomain.com.http > 117.242.253.40.34216: . ack 425 win 15544
15:07:10.408944 IP vm1.mydomain.com.http > 117.242.253.40.34216: . 1:14201(14200) ack 425 win 15544
15:07:10.409044 IP vm1.mydomain.com.http > 117.242.253.40.34216: FP 14201:14522(321) ack 425 win 15544
15:07:10.610261 IP 181.67.110.31.17645 > vm1.mydomain.com.http: . ack 2801 win 65535
15:07:10.612266 IP 181.67.110.31.17645 > vm1.mydomain.com.http: . ack 5601 win 65535
15:07:10.615069 IP 181.67.110.31.17645 > vm1.mydomain.com.http: . ack 8401 win 65535
15:07:10.618434 IP 181.67.110.31.17645 > vm1.mydomain.com.http: . ack 11201 win 65535
15:07:10.622891 IP 181.67.110.31.17645 > vm1.mydomain.com.http: . ack 14001 win 65535
15:07:10.623592 IP 181.67.110.31.17645 > vm1.mydomain.com.http: . ack 14523 win 65014
15:07:10.741749 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 2841 win 65535
15:07:10.748723 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 4261 win 64115
15:07:10.762937 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 7101 win 65535
15:07:10.769378 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 8521 win 64115
15:07:10.782479 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 11361 win 65535
15:07:10.790345 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 12781 win 64115
15:07:10.797998 IP 117.242.253.40.34216 > vm1.mydomain.com.http: . ack 14523 win 65535
15:07:10.800093 IP 117.242.253.40.34216 > vm1.mydomain.com.http: F 425:425(0) ack 14523 win 65535
15:07:10.800114 IP vm1.mydomain.com.http > 117.242.253.40.34216: . ack 426 win 15544
15:07:11.023759 IP 181.67.110.31.17645 > vm1.mydomain.com.http: F 505:505(0) ack 14523 win 65014
15:07:11.023809 IP vm1.mydomain.com.http > 181.67.110.31.17645: . ack 506 win 15544

Thanks for your help

Thu, 10/10/2013 - 11:25
Locutus

Please enclose shell listings in [code][/code] tags, otherwise monospace font and linebreaks are lost, making the dump very hard to read.

Thu, 10/10/2013 - 11:33
willrendell

I have done a little research and am now using "tcpdump -s 1024 -l -A port 80".

I have also deleted all the files from the public_html folder for problemdomain.com and now have this output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at problemdomain.com Port 80</address>
</body></html>

17:14:53.744251 IP vm1.mydomain.com.http > 2.135.128.71.megaline.telecom.kz.8318: F 463:463(0) ack 347 win 15544
.MI.e...G.P ~(...3.."P.<.....
17:14:54.056972 IP c-98-247-136-146.hsd1.wa.comcast.net.64304 > vm1.mydomain.com.http: S 605456596:605456596(0) win 65535 <mss 1460,nop,nop,sackOK>
E..0.`@.h.<0b...MI.e.0.P$.......p....|..........
17:14:54.057055 IP vm1.mydomain.com.http > c-98-247-136-146.hsd1.wa.comcast.net.64304: S 563628447:563628447(0) ack 605456597 win 14600 <mss 1460,nop,nop,sackOK>
E..0..@.@...MI.eb....P.0!.I.$...p.9.@Z..........
17:14:54.230058 IP c-98-247-136-146.hsd1.wa.comcast.net.64304 > vm1.mydomain.com.http: . ack 1 win 65535
E..(.l@.h.<,b...MI.e.0.P$...!.I.P...[...
17:14:54.230094 IP c-98-247-136-146.hsd1.wa.comcast.net.64304 > vm1.mydomain.com.http: R 1:1(0) ack 1 win 0
E..(.m@.h.<+b...MI.e.0.P$...!.I.P...[...
17:14:54.301657 IP 2.135.128.71.megaline.telecom.kz.8318 > vm1.mydomain.com.http: . ack 464 win 65073
E..(a.@.w......GMI.e ~.P3.."(...P..1'}..
17:14:54.302495 IP 2.135.128.71.megaline.telecom.kz.8318 > vm1.mydomain.com.http: F 347:347(0) ack 464 win 65073
E..(a.@.w......GMI.e ~.P3.."(...P..1'|..
17:14:54.302555 IP vm1.mydomain.com.http > 2.135.128.71.megaline.telecom.kz.8318: . ack 348 win 15544
.MI.e...G.P ~(...3..#P.<.....
17:14:55.161370 IP customer-LMM-99-215.megared.net.mx.11687 > vm1.mydomain.com.http: S 3025377671:3025377671(0) win 65535 <mss 1380,nop,nop,sackOK>
E..0bB@.m.)\..c.MI.e-..P.S......p....s.....d....
17:14:55.161452 IP vm1.mydomain.com.http > customer-LMM-99-215.megared.net.mx.11687: S 3478054991:3478054991(0) ack 3025377672 win 14600 <mss 1460,nop,nop,sackOK>
E..0..@.@...MI.e..c..P-..N.O.S..p.9..L..........
17:14:55.337127 IP customer-LMM-99-215.megared.net.mx.11687 > vm1.mydomain.com.http: . ack 1 win 65535
E..(bI@.m.)]..c.MI.e-..P.S...N.PP....7..
17:14:55.341683 IP customer-LMM-99-215.megared.net.mx.11687 > vm1.mydomain.com.http: P 1:468(467) ack 1 win 65535
E...bJ@.m.'...c.MI.e-..P.S...N.PP....X..POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 204
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: problemdomain.com
Connection: Keep-Alive
Cache-Control: no-cache

..zJ..8^.r^q.........
..i.Y.]...Q
>.8..............3.O.F...Z._.m.O......~.....'.o...Ia....}.5."   .-b.......,Cg.SZ...i....mb*.m...w.b.k...".....e.1`#.w.).k...R..A9yMU-..h!.1|..q.......;..zH......._......4].
17:14:55.341742 IP vm1.mydomain.com.http > customer-LMM-99-215.megared.net.mx.11687: . ack 468 win 15544
E..()W@.@..OMI.e..c..P-..N.P.S.[P.<..D..
17:14:55.342302 IP vm1.mydomain.com.http > customer-LMM-99-215.megared.net.mx.11687: P 1:463(462) ack 468 win 15544
E...)X@.@...MI.e..c..P-..N.P.S.[P.<.....HTTP/1.1 404 Not Found
Date: Thu, 10 Oct 2013 16:14:55 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 283
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at problemdomain.com Port 80</address>
</body></html>

17:14:55.342343 IP vm1.mydomain.com.http > customer-LMM-99-215.megared.net.mx.11687: F 463:463(0) ack 468 win 15544
E..()Y@.@..MMI.e..c..P-..N...S.[P.<..D..
17:14:55.515313 IP customer-LMM-99-215.megared.net.mx.11687 > vm1.mydomain.com.http: . ack 1 win 65535 <nop,nop,sack 1 {463:464}>
E..4bS@.m.)G..c.MI.e-..P.S.[.N.P....Oq.....
.N...N..
17:14:55.521304 IP customer-LMM-99-215.megared.net.mx.11687 > vm1.mydomain.com.http: . ack 464 win 65073
E..(bT@.m.)R..c.MI.e-..P.S.[.N..P..1.c..
17:14:55.528482 IP customer-LMM-99-215.megared.net.mx.11687 > vm1.mydomain.com.http: F 468:468(0) ack 464 win 65073
E..(bU@.m.)Q..c.MI.e-..P.S.[.N..P..1.b..
17:14:55.528534 IP vm1.mydomain.com.http > customer-LMM-99-215.megared.net.mx.11687: . ack 469 win 15544
E..()Z@.@..LMI.e..c..P-..N...S.\P.<..D..
17:14:56.079657 IP dsl-189-155-183-31-dyn.prod-infinitum.com.mx.11679 > vm1.mydomain.com.http: S 202143162:202143162(0) win 65535 <mss 1412,nop,nop,sackOK>
E..0..@.p..~....MI.e-..P..u.....p...
1..........
17:14:56.079747 IP vm1.mydomain.com.http > dsl-189-155-183-31-dyn.prod-infinitum.com.mx.11679: S 1516099740:1516099740(0) ack 202143163 win 14600 <mss 1460,nop,nop,sackOK>
E..0..@.@.q_MI.e.....P-.Z]....u.p.9.............
17:14:56.307549 IP dsl-189-155-183-31-dyn.prod-infinitum.com.mx.11679 > vm1.mydomain.com.http: . ack 1 win 65535
E..(..@.p..v....MI.e-..P..u.Z]..P.......
17:14:56.551936 IP dsl-189-155-183-31-dyn.prod-infinitum.com.mx.11679 > vm1.mydomain.com.http: R 1:1(0) ack 1 win 0
E..(..@.p..k....MI.e-..P..u.Z]..P.......
17:15:01.161082 IP c-76-117-145-28.hsd1.nj.comcast.net.61222 > vm1.mydomain.com.http: S 351273560:351273560(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
E .4..@.m...Lu..MI.e.&.P...X...... .................
17:15:01.161174 IP vm1.mydomain.com.http > c-76-117-145-28.hsd1.nj.comcast.net.61222: S 3271610966:3271610966(0) ack 351273561 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
E..4..@.@...MI.eLu...P.&...V...Y..9.2f..............
17:15:01.276181 IP c-76-117-145-28.hsd1.nj.comcast.net.61222 > vm1.mydomain.com.http: . ack 1 win 16425
E .(..@.m...Lu..MI.e.&.P...Y...WP.@).S..
17:15:01.276216 IP c-76-117-145-28.hsd1.nj.comcast.net.61222 > vm1.mydomain.com.http: P 1:386(385) ack 1 win 16425
E ....@.m...Lu..MI.e.&.P...Y...WP.@)....POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 122
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: problemdomain.com
Connection: Keep-Alive
Cache-Control: no-cache

s.d.v...k:.......w......7.....D.x....'=.....4en........*.D.7...E ..S..OlQ.........#......$".0.<.........w...SB..Tw..<...j.
17:15:01.276248 IP vm1.mydomain.com.http > c-76-117-145-28.hsd1.nj.comcast.net.61222: . ack 386 win 123
E..(..@.@...MI.eLu...P.&...W....P..{2Z..
17:15:01.276903 IP vm1.mydomain.com.http > c-76-117-145-28.hsd1.nj.comcast.net.61222: P 1:463(462) ack 386 win 123
E.....@.@...MI.eLu...P.&...W....P..{4(..HTTP/1.1 404 Not Found
Date: Thu, 10 Oct 2013 16:15:01 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 283
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at problemdomain.com Port 80</address>
</body></html>

17:15:01.276951 IP vm1.mydomain.com.http > c-76-117-145-28.hsd1.nj.comcast.net.61222: F 463:463(0) ack 386 win 123
E..(..@.@...MI.eLu...P.&...%....P..{2Z..
17:15:01.388646 IP c-76-117-145-28.hsd1.nj.comcast.net.61222 > vm1.mydomain.com.http: . ack 464 win 16309
E .(..@.m...Lu..MI.e.&.P.......&P.?..w..
17:15:01.400793 IP c-76-117-145-28.hsd1.nj.comcast.net.61222 > vm1.mydomain.com.http: F 386:386(0) ack 464 win 16309
E .(..@.m...Lu..MI.e.&.P.......&P.?..v..
17:15:01.408217 IP vm1.mydomain.com.http > c-76-117-145-28.hsd1.nj.comcast.net.61222: . ack 387 win 123
E..(..@.@...MI.eLu...P.&...&....P..{2Z..
17:15:04.634757 IP 190.238.127.196.21549 > vm1.mydomain.com.http: S 8503250:8503250(0) win 65535 <mss 1400,nop,nop,sackOK>
E .0.H@.k.k.....MI.eT-.P........p....).....x....
17:15:04.634828 IP vm1.mydomain.com.http > 190.238.127.196.21549: S 1006613656:1006613656(0) ack 8503251 win 14600 <mss 1460,nop,nop,sackOK>
E..0..@.@..gMI.e.....PT-;.......p.9.............
17:15:04.835762 IP 190.238.127.196.21549 > vm1.mydomain.com.http: . ack 1 win 65535
E .(.L@.k.l.....MI.eT-.P....;...P....   ..
17:15:04.856037 IP 190.238.127.196.21549 > vm1.mydomain.com.http: P 1:505(504) ack 1 win 65535
E . .M@.k.j
....MI.eT-.P....;...P.......POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 241
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: problemdomain.com
Connection: Keep-Alive
Cache-Control: no-cache

.....#....`S.../o..A...'..lp.{=..b...,.7x..     {"..Q~......x.:..Z.<./;.h..xw..&..........5.I5..:.[:.....h....p$....M.E1..U9.6}nX
...\."Rd%wsy&.o.+2~...Wi).v.l.m./.MQJ..b.=....D.~TT.~...S.+.2.......~...$..._%r2.l.09a...~\.....Dg'..v.........G.a.
17:15:04.856114 IP vm1.mydomain.com.http > 190.238.127.196.21549: . ack 505 win 15544
E..(p&@.@.7IMI.e.....PT-;.......P.<..{..
17:15:04.856664 IP vm1.mydomain.com.http > 190.238.127.196.21549: P 1:463(462) ack 505 win 15544
E...p'@.@.5zMI.e.....PT-;.......P.<..I..HTTP/1.1 404 Not Found
Date: Thu, 10 Oct 2013 16:15:04 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 283
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at problemdomain.com Port 80</address>
</body></html>

17:15:04.856714 IP vm1.mydomain.com.http > 190.238.127.196.21549: F 463:463(0) ack 505 win 15544
E..(p(@.@.7GMI.e.....PT-;..g....P.<..{..
17:15:05.052304 IP 190.238.127.196.21549 > vm1.mydomain.com.http: F 505:505(0) ack 463 win 65073
E .(.U@.k.k.....MI.eT-.P....;..gP..1....
17:15:05.052362 IP vm1.mydomain.com.http > 190.238.127.196.21549: . ack 506 win 15544
E..(p)@.@.7FMI.e.....PT-;..h....P.<..{..
17:15:05.062841 IP 190.238.127.196.21549 > vm1.mydomain.com.http: . ack 464 win 65073
E .(.X@.k.k.....MI.eT-.P....;..hP..1....
^C17:15:06.275577 IP dynamic-199-187.catv.glattnet.ch.7378 > vm1.mydomain.com.http: S 230529496:230529496(0) win 65535 <mss 1460,nop,nop,sackOK>
.......p...Q...........P

1106 packets captured
1475 packets received by filter
360 packets dropped by kernel
[root@vm1 ~]#

Does it make any sense to you?

sitelock.com have scanned problemdomain.com and can't find any malware in the source code, and are sure it's a DDoS attack.
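The -A capture answers the earlier question: each request is a `POST /` with `Content-Type: application/octet-stream`, a short Content-Length and a body that prints as line noise. The script below is an added example, not code from this thread, for pulling a request apart and scoring its body so that "binary stuff" becomes a measurable statement. The two requests are constructed: their headers mirror the ones in the capture, but the bodies are chained SHA-256 output and a made-up form, not the attacker's real payload, and the entropy and printable-ratio thresholds are assumptions.

```python
"""Added example, not code from the thread: split a captured HTTP request into
request line, headers and body, then score the body to decide whether it is an
opaque binary blob (what the -A dump above shows) or an ordinary form post.
The two requests below are constructed: the headers mirror the ones in the
capture, but the bodies are pseudo-random bytes and a made-up form, not the
attacker's real payload. The thresholds are assumptions."""
import hashlib
import math
import string

PRINTABLE = set(string.printable.encode("ascii"))


def pseudo_random_bytes(n, seed=b"example"):
    """Deterministic stand-in for the attacker's payload: chained SHA-256 output."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_request(body, content_type):
    """Constructed request carrying the header set seen in the capture."""
    head = (
        "POST / HTTP/1.1\r\n"
        "Accept: */*\r\n"
        "Accept-Language: en-us\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
        "Host: problemdomain.com\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n\r\n"
    )
    return head.encode("ascii") + body


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser. The body is bounded by Content-Length;
    a capture that is shorter than the declared length is flagged, not guessed at."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in capture")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    return {
        "method": method, "target": target, "version": version,
        "headers": headers, "body": rest[:declared],
        "truncated": len(rest) < declared,
    }


def shannon_entropy(data):
    """Bits per byte: 8.0 is the maximum, plain text sits well below 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    """Share of bytes that are printable ASCII; a form body is close to 1.0."""
    if not data:
        return 1.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify_body(req, entropy_threshold=6.0, printable_threshold=0.9):
    body = req["body"]
    ctype = req["headers"].get("content-type", "")
    ent = shannon_entropy(body)
    ratio = printable_ratio(body)
    if ctype.startswith("application/x-www-form-urlencoded") and ratio >= printable_threshold:
        verdict = "form"
    elif ratio < printable_threshold and ent >= entropy_threshold:
        verdict = "opaque-binary"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "entropy": round(ent, 2),
            "printable_ratio": round(ratio, 2), "content_type": ctype,
            "length": len(body), "truncated": req["truncated"]}


# Constructed inputs: a blob like the captured ones, and a normal login form post.
BLOB_REQUEST = build_request(pseudo_random_bytes(204), "application/octet-stream")
FORM_REQUEST = build_request(b"user=admin&pass=letmein", "application/x-www-form-urlencoded")

if __name__ == "__main__":
    for raw in (BLOB_REQUEST, FORM_REQUEST):
        req = parse_http_request(raw)
        print(req["method"], req["target"], classify_body(req))
```

An "opaque-binary" verdict on a static-HTML site, where nothing reads a POST body, confirms that the requests were written for some other application and that the server's only cost is the response it sends back; it does not tell you what the blob is, and the example does not try to.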

Thu, 10/10/2013 - 12:53
Locutus

It looks much too slow for a DDoS; it's only one request every 3 seconds. It also doesn't look like slowloris or similar HTTP attacks.

They repeatedly post some binary stuff to the / URL on that domain. I can only guess that they guess that some vulnerable web software was running on that URL, and they're trying to brute-force crack it.

There's not much you can do about this, but it also shouldn't really do harm. I suppose it'll stop again when the attackers received enough 404 errors. Is the additional traffic a problem?

Thu, 10/10/2013 - 13:00
Locutus

After googling a bit, it is possible that this is a kind of slow DoS attack specifically on Apache, using these POST requests.

You might want to google for "Apache POST attack" and see if any of the results help you. If the attack has no noticeable impact on your system's performance except for the traffic, you don't really need to take measures.
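Locutus mentioned earlier that a per-URL request limit such as mod_qos provides can throttle this, and also that distributed sources cannot really be stopped. The model below is an added example, not code from this thread and not mod_qos configuration: a sliding-window limiter keyed either by client address or by URL, run against a constructed stream shaped like the access log above (many addresses, about one request each). The limit of 10 requests per 60 seconds, the 0.25-second spacing and the addresses (203.0.113.0/24, a documentation range) are assumptions.

```python
"""Added example, not code from the thread: a model of the two limiting policies
a tool like mod_qos can apply, a per-client-address limit and a per-URL limit,
run against a request stream shaped like the access log in the thread (many
addresses, about one request each). Plain Python for illustration, not mod_qos
configuration; the limits, window and addresses are assumptions."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window, key_func):
        self.limit = limit
        self.window = window
        self.key_func = key_func
        self.history = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, request):
        key = self.key_func(request)
        now = request["t"]
        q = self.history[key]
        while q and q[0] <= now - self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def per_ip_limiter(limit=10, window=60.0):
    return SlidingWindowLimiter(limit, window, lambda r: r["ip"])


def per_url_limiter(limit=10, window=60.0):
    return SlidingWindowLimiter(limit, window, lambda r: r["path"])


def build_stream(n_ips, per_ip, interval=0.25, path="/"):
    """Constructed request stream: n_ips addresses in 203.0.113.0/24, each sending
    per_ip POSTs to path, one request arriving every interval seconds, sources
    interleaved so that consecutive requests come from different addresses."""
    stream, t = [], 0.0
    for _ in range(per_ip):
        for j in range(n_ips):
            stream.append({"ip": f"203.0.113.{j + 1}", "path": path, "t": t})
            t += interval
    return stream


def count_blocked(stream, limiter):
    """Feed the stream through a fresh limiter and count rejected requests."""
    return sum(1 for r in stream if not limiter.allow(r))


if __name__ == "__main__":
    distributed = build_stream(n_ips=40, per_ip=1)   # 40 sources, one request each
    single = build_stream(n_ips=1, per_ip=40)        # one source, 40 requests
    print("distributed, per-IP limit blocks:", count_blocked(distributed, per_ip_limiter()))
    print("distributed, per-URL limit blocks:", count_blocked(distributed, per_url_limiter()))
    print("single source, per-IP limit blocks:", count_blocked(single, per_ip_limiter()))
```

With one request per address the per-IP limit never fires, which is why it does nothing against the log in this thread; the per-URL limit does cut the volume, but it counts everyone, so real visitors hitting the same limit get turned away along with the bots. That trade-off is the practical content of "you can't prevent distributed attacks".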

Fri, 10/11/2013 - 10:58
willrendell

Thanks for your help. The server is performing normally apart from the increase in traffic, so I think I will keep my eye on it and see if it stops or gets worse.

Will
