Apache receiving hundreds of requests for various domains


I have an Apache2 instance that started receiving hundreds of requests/s for some reason, for all sorts of domains that are not hosted here. There is nothing public running on it.

Here’s an excerpt of the access.log: https://gist.github.com/d9edfc546ca77d17b1df

Facts of interest:

  • bind9 was installed on it for a few days, but is not running anymore
  • recently switched to a static IP
  • there is a public subdomain (i.e. xxx.domain.com) pointing to the machine
  • ports 22, 80, and a few others forwarded from the router

iftop shows many active connections to

unn-46-234-119-111.cloudee.eu:64526 
dynamicip-94-181-151-242.pppoe.penza.ertelecom.ru:64219
c-71-228-220-228.hsd1.tn.comcast.net:51688 
89-179-33-252.broadband.corbina.ru:62767
static-98-114-145-42.phlapa.fios.verizon.net:32476

and other variations of these, all to ports that are blocked on the router.

nethogs shows PID 0 for those…

0     root     ..1:80-46.234.119.111:64063             0.000       0.000 KB/sec

Solution:

From your logs it looks like someone is using your Apache server as a proxy, and what's troubling is that it looks like you are returning 200 OK to those proxy requests:

46.234.119.111 - - [14/Dec/2011:20:26:53 -0200] "POST http://199.7.177.226/login.php HTTP/1.1" 200 11547

Return value is “200” and you served “11547” bytes. You should check your Apache config to make sure you aren’t configured as an open proxy.
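
One way to run the check the answer describes over a whole access.log, as an added example that is not part of the original answer: it flags request lines whose target is an absolute URI or a CONNECT for a host this server does not serve, and separates those answered with 2xx from those refused. `LOCAL` and every sample line except the first are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def proxy_attempt(line, local_hosts):
    """Return details of a forward-proxy style request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    try:
        if method == "CONNECT":                  # authority-form: host:port
            host = urlsplit("//" + target).hostname
        elif target.startswith("/") or target == "*":
            return None                          # origin-form: ordinary request
        else:                                    # absolute-form: scheme://host/path
            host = urlsplit(target).hostname
    except ValueError:
        host = None                              # malformed authority, still reported
    host = (host or "unparsed").lower()
    if host in local_hosts:
        return None                              # absolute URI naming this server is valid
    status = int(m["status"])
    return {"client": m["client"], "dest": host, "status": status,
            "answered": 200 <= status < 300}

def summarize(lines, local_hosts):
    """Count answered (2xx) and refused proxy-style requests per client."""
    answered, refused = Counter(), Counter()
    for line in lines:
        hit = proxy_attempt(line, local_hosts)
        if hit:
            (answered if hit["answered"] else refused)[hit["client"]] += 1
    return answered, refused

# First line is the one quoted in the answer; the rest are constructed samples.
SAMPLE = [
    '46.234.119.111 - - [14/Dec/2011:20:26:53 -0200] "POST http://199.7.177.226/login.php HTTP/1.1" 200 11547',
    '192.0.2.10 - - [14/Dec/2011:20:26:54 -0200] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Dec/2011:20:26:55 -0200] "CONNECT mail.example.net:25 HTTP/1.0" 405 310',
    '192.0.2.10 - - [14/Dec/2011:20:26:56 -0200] "GET http://xxx.domain.com/ HTTP/1.1" 200 512',
]
LOCAL = {"xxx.domain.com"}   # assumption: names this server legitimately answers for
print(summarize(SAMPLE, LOCAL))
```

Clients in the answered set are the ones to follow up in the Apache configuration. A 2xx on a foreign absolute URI can also come from the default virtual host serving a local page, so compare the byte count with your own content before concluding the request was relayed.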
