Hi all,
Just when you thought you'd seen it all.
On this past Saturday, my server started seeing sporadic spikes in CPU
usage. As it turns out, somehow, some bot or something somewhere is
connecting to my server and relaying messages to another server. The logs
below have been Googled several times with no real answer, other than, the
mod_proxy issue, which is not the case on this server as mod_proxy is not
installed (confirmed in httpd.conf and httpd -M).
When that (attack) hits, I wind up having to stop Apache and Exim and clear
the mailq, by which time there are several hundred thousand bounces (for
'www') which can't be delivered.
That having been said, I did have 'www' set as a trusted user in my Exim
configuration, which allows the Apache user to set the "From:" line in
outgoing emails (Webforms etc). I have since removed that trusted user, but,
that stops my clients from sending email via webforms etc.
That having been said, this is a production webserver, and it handles
several hundred thousand hits a day, and sends/receives several thousand
emails a day, a functionality I can't afford to lose.
I am hoping there is some simple fix somewhere I can find that someone here
might suggest. Any help would be greatly appreciated.
Log lines:
66.139.69.201 - - [29/Jul/2008:04:01:58 -0400] "GET http://www.microsoft.com/ HTTP/1.0" 200 1401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
66.139.69.201 - - [29/Jul/2008:04:01:58 -0400] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 1401 "-" "-"
66.139.69.201 - - [29/Jul/2008:04:02:00 -0400] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 226 "-" "-"
-Grant
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
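
Added example (not part of the original post): a Python script that scans an access log for the kinds of proxy-style requests shown in the log lines above (CONNECT, absolute-URI targets, targets on port 25) and groups them by client IP with the status and response size Apache logged. The own_hosts set, the function names and the last sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# Common/Combined Log Format prefix: ip, ident, user, [time], "request", status, size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')
# A proxy-style request carries scheme://host[:port] where a path normally goes.
URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://(?P<host>[^/:]+)(?::(?P<port>\d+))?', re.I)

def classify(request, own_hosts):
    """Return why a request line looks like a proxy attempt, or None if it does not."""
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return "CONNECT tunnel request"
    m = URI_RE.match(target)
    if not m:
        return None                      # ordinary origin-form request (/path)
    if m["port"] == "25":
        return "absolute URI to SMTP port 25"
    if m["host"].lower() not in own_hosts:
        return "absolute URI to foreign host"
    return None                          # absolute URI naming one of our own vhosts

def find_proxy_attempts(lines, own_hosts):
    """Group suspicious requests by client IP as (time, reason, status, size)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = classify(m["req"], own_hosts)
        if reason:
            hits[m["ip"]].append((m["ts"], reason, int(m["status"]), m["size"]))
    return dict(hits)

# First three lines are from the post (re-joined); the last one is constructed.
SAMPLE = [
    '66.139.69.201 - - [29/Jul/2008:04:01:58 -0400] "GET http://www.microsoft.com/ HTTP/1.0" 200 1401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    '66.139.69.201 - - [29/Jul/2008:04:01:58 -0400] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 1401 "-" "-"',
    '66.139.69.201 - - [29/Jul/2008:04:02:00 -0400] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 226 "-" "-"',
    '192.0.2.10 - - [29/Jul/2008:04:02:05 -0400] "GET /index.html HTTP/1.1" 200 1401 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_proxy_attempts(SAMPLE, {"www.example.com"}).items():
        for ts, reason, status, size in events:
            print(f"{ip} [{ts}] {reason}: status={status} bytes={size}")
```

The byte count is kept in each result so that the size of a 2xx answer to a flagged request can be compared with the size of the server's own pages.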