I have a server (VPS) that I use as a repository and testing server (GitLab and Redmine). However, Apache crashed, and looking at /var/log/apache2/error.log
I see many errors of this type:
[Fri Jan 31 16:07:31.056851 2014] [:error] [pid 1538] [client 63.141.239.204:4740] script '/var/www/ads.php' not found or unable to stat, referer: http://www.wealthsuperman.com/index.php/component/k2/item/1017-3-industry-impacting-innovations-on-the-horizon
[Fri Jan 31 16:07:31.377531 2014] [:error] [pid 1549] [client 216.244.79.163:2282] script '/var/www/ads.php' not found or unable to stat, referer: http://www.movieseeing.com/index.php?option=com_content&view=article&id=2244:bin-aflek-kevin-names-directory&catid=45:superman-movie&Itemid=418
[Fri Jan 31 16:07:31.538993 2014] [:error] [pid 1436] [client 23.88.201.68:4073] script '/var/www/banner_728x90.php' not found or unable to stat, referer: ://www.worldfinancialtoday.com/index.php?option=com_content&view=article&id=481:2011-07-01-23-20-39&catid=41:debt-management&Itemid=224
[Fri Jan 31 16:07:32.267787 2014] [:error] [pid 1573] [client 216.244.87.196:4726] script '/var/www/banner_160x600.php' not found or unable to stat, referer: http://www.sexwomanbaby.com/index.php?option=com_content&view=category&layout=blog&id=37&Itemid=71&limitstart=351
[Fri Jan 31 16:07:32.576526 2014] [:error] [pid 1383] [client 198.50.177.34:3046] script '/var/www/ads.php' not found or unable to stat, referer: http://www.healthlifeways.com/healthy-eating-2/2000-i-want-to-eat-healthy-i-want-to-lose-weight-and-eat-healthy-vegetarian.html
[Fri Jan 31 16:07:34.948099 2014] [:error] [pid 1525] [client 208.115.124.196:4361] script '/var/www/banner_300x250.php' not found or unable to stat, referer: http://www.gamebabygirls.com/index.php?option=com_content&view=article&id=1991:how-to-download-games-onto-your-psp-for-free-free-games-to-download&catid=58:free-game-downloads&Itemid=182
[Fri Jan 31 16:07:35.492746 2014] [:error] [pid 1429] [client 192.187.124.67:3583] script '/var/www/ads.php' not found or unable to stat, referer: http://www.entainmentworld.com/index.php/chicago-entertainment-2/262-ipelinecom-seattle-entertainment
[Fri Jan 31 16:07:35.938016 2014] [:error] [pid 1524] [client 172.246.42.245:1589] script '/var/www/banner_160x600.php' not found or unable to stat, referer: ://www.galacticearthalliance.com/index.php?option=com_content&view=category&layout=blog&id=43&Itemid=226
/var/log/apache2/other_vhosts_access.log
127.0.0.1:80 64.120.60.118 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=4931465&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://happyhourstravel.com/index.php/international-travel/4088-china-eastern-airline" "Opera/10.60 (Windows NT 5.1; U; en-US) Presto/2.6.30 Version/10.60"
127.0.0.1:80 74.63.197.142 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=3698931&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.mortcard.com/index.php?option=com_content&view=article&id=14:Amount-of-Pay-Earned-for-a-Kindergarten-Teacher--&catid=13" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
127.0.0.1:80 142.54.183.92 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5245782&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.healthlifeways.com/healthy-eating-2/18-healthy-life/3339-what-is-a-healthy-balanced-diet-what-is-healthy-life.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.36 (KHTML, like Gecko) Chrome/13.0.766.0 Safari/534.36"
127.0.0.1:80 216.244.79.171 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5280785&pub_url=themoviebus.com HTTP/1.0" 404 494 "http://www.themoviebus.com/index.php/37-news/slideshow/67-donec-nec-feugiat-felis" "Mozilla/4.08 [en] (WinNT; U)"
127.0.0.1:80 198.2.200.40 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=2023417&position=above HTTP/1.0" 404 494 "http://www.gameuloved.com/?cat=3" "Opera/9.80 (Windows NT 5.1; U; it) Presto/2.7.62 Version/11.00"
127.0.0.1:80 107.148.8.58 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=2142019 HTTP/1.0" 404 494 "http://www.new-energy-auto.com/?p=548" "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
127.0.0.1:80 63.141.239.206 - - [01/Feb/2014:00:49:40 +0000] "GET http://ad.yieldmanager.com/st?ad_type=pop&ad_size=0x0&section=5073837&banned_pop_types=28&pop_times=1&pop_frequency=86400&pub_url=${PUB_URL} HTTP/1.0" 404 500 "http://www.healthlifeways.com/healthy-eating-2/4591-eat-drink-be-healthy-eat-healthy-magazine.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
127.0.0.1:80 23.228.234.115 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=1165515 HTTP/1.0" 404 494 "http://www.liekkas.com/?tag=pc" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
127.0.0.1:80 199.231.212.25 - - [01/Feb/2014:00:49:41 +0000] "GET http://ib.adnxs.com/ttj?id=2169359&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 404 494 "://www.twotags.com/o~c-Clothing~a-ap_gender_age_women-24330635_v_neck~b-31515.aspx" "Mozilla/4.75 [en] (Win98; U)"
127.0.0.1:80 137.175.9.44 - - [01/Feb/2014:00:49:42 +0000] "GET http://ads.deliads.com/ttj?id=2069500&referrer=financialgately.com HTTP/1.0" 404 497 "http://www.financialgately.com/?p=748" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=723" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; ru-ru) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
127.0.0.1:80 198.2.208.247 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2048452&position=above HTTP/1.0" 404 494 "http://www.everyloans.net/?p=562" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100726 CentOS/3.6-3.el5.centos Firefox/3.6.7"
127.0.0.1:80 63.141.244.45 - - [01/Feb/2014:00:49:42 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=5233043&pub_url=probuinessp.com HTTP/1.0" 404 494 "http://probuinessp.com/index.php/small-business-marketing-ideas/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100903 Firefox/4.0b6pre"
127.0.0.1:80 174.34.159.13 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2168373&position=above HTTP/1.0" 404 494 "http://www.searchthenewsofmovie.com/?p=742" "Mozilla/5.0 ArchLinux (X11; U; Linux x86_64; en-US) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100"
127.0.0.1:80 192.169.85.115 - - [01/Feb/2014:00:49:43 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5151124&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.salebusinessidea.com/index.php?option=com_content&view=article&id=234:What-Is-a-SAP-Inventory-System?--&catid=119&Itemid=83" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 95; Alexa Toolbar)"
127.0.0.1:80 23.239.119.194 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2106211&referrer=%5BREFERRER_URL%5D HTTP/1.1" 404 438 "http://ask.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
127.0.0.1:80 198.56.202.212 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=633" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=209" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
127.0.0.1:80 198.98.104.241 - - [01/Feb/2014:00:49:44 +0000] "GET http://tags.h12-media.com/tags.js?site=216e49346226002857e6bcd64223e7fc&type=728x90 HTTP/1.0" 404 504 "://www.lookforwardhappiness.com/index.php?view=article&catid=35%3Ahealth-insurance&id=5102%3A2013-12-28-11-28-29&format=pdf&option=com_content&Itemid=54" "Mozilla/4.0 (compatible; MSIE 6.01; Windows 98; Alexa Toolbar)"
127.0.0.1:80 173.234.41.37 - - [01/Feb/2014:00:49:44 +0000] "GET http://ad.smxchange.com/st?ad_type=iframe&ad_size=160x600&section=4848284&pub_url=${PUB_URL} HTTP/1.0" 404 497 "http://hotbizs.com/index.php?option=com_content&view=section&id=19&layout=blog&Itemid=412&limitstart=261" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
127.0.0.1:80 198.200.42.8 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2150922 HTTP/1.0" 404 494 "http://www.autosoldbest.com/?p=33" "Mozilla/5.0 (Windows NT 5.1; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00"
127.0.0.1:80 192.169.85.227 - - [01/Feb/2014:00:49:44 +0000] "GET http://ads.yahoo.com/st?ad_type=pop&ad_size=0x0&section=3914696&banned_pop_types=28&pop_times=1&pop_frequency=0&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.eiaok.com/financial-affairs/reasons-why-you-want-to-start-a-business-financial-security.html" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.39 Version/11.00"
127.0.0.1:80 198.2.199.147 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2059583&position=above HTTP/1.0" 404 494 "http://www.bodybecare.com/future-lady-fashion-institute-kerala-zardosi-painting-courses-cochin-kerala/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; YPC 3.2.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"
127.0.0.1:80 172.246.42.139 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2198716 HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=612" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
I suspect it's some kind of attack (DDoS).
I have reinstalled Apache and PHP, but the problem persists. So far I have blocked many IPs that appear in the log, but that does not solve it.
Does anyone know what I can do to solve the problem?
I'm using:
Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013
Server version: Apache/2.4.6 (Ubuntu)
Server built: Dec 5 2013 18:32:22
My processes:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1384 www-data 20 0 181m 1652 1084 S 0.3 0.3 0:01.28 apache2
1405 www-data 20 0 181m 1652 1084 S 0.3 0.3 0:01.24 apache2
1544 www-data 20 0 181m 1688 1080 S 0.3 0.3 0:01.34 apache2
1575 www-data 20 0 181m 1696 1088 S 0.3 0.3 0:01.30 apache2
1783 root 20 0 17796 1556 1004 R 0.3 0.3 0:00.08 top
1 root 20 0 26920 1500 588 S 0.0 0.3 0:01.45 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:02.56 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
6 root 20 0 0 0 0 S 0.0 0.0 0:00.88 kworker/u2:0
7 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcuob/0
10 root 20 0 0 0 0 S 0.0 0.0 0:07.99 rcu_sched
11 root 20 0 0 0 0 R 0.0 0.0 0:17.54 rcuos/0
12 root rt 0 0 0 0 S 0.0 0.0 0:00.04 watchdog/0
13 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
15 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 writeback
17 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bioset
19 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/u3:0
20 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
21 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ata_sff
22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
23 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
24 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 devfreq_wq
25 root 20 0 0 0 0 S 0.0 0.0 0:01.06 kworker/0:1
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
27 root 20 0 0 0 0 S 0.0 0.0 0:01.10 kswapd0
28 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
29 root 20 0 0 0 0 S 0.0 0.0 0:00.00 fsnotify_mark
30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ecryptfs-kthrea
31 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 crypto
43 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kthrotld
44 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u2:1
45 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
46 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1
66 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 deferwq
67 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 charger_manager
119 root 20 0 0 0 0 S 0.0 0.0 0:00.28 jbd2/vda-8
120 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ext4-rsv-conver
121 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ext4-unrsv-conv
299 root 20 0 17452 136 136 S 0.0 0.0 0:00.12 upstart-udev-br
308 root 20 0 42624 508 508 S 0.0 0.1 0:00.03 systemd-udevd
310 messageb 20 0 30508 496 304 S 0.0 0.1 0:00.16 dbus-daemon
I noticed something: I deleted the logs and they only reappeared when I restarted Apache.
PS: I am a newbie in the terminal.
Best Answer
It's probably not a DDoS - I suspect that this old question of mine on SF was the same thing, and you're just overhearing the screaming toddlers of the internet.
The best idea is to keep calm and carry on, unless you have excessive loads or traffic coming out of your system. Keep things patched up, and keep an eye on things, but this is really nothing to worry about.
If you must do something about this, setting up fail2ban to block these IP addresses may be an option, but I can't help there because I didn't bother to.
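
An added example, not part of the original question or answer: a small Python triage for an other_vhosts_access.log in the format shown in the question. It counts requests whose target names another host (absolute URLs as in the log above and, as a generalization, CONNECT) and lists any that were answered 2xx/3xx rather than 404. The sample lines, addresses and host names (including myvps.example) are constructed.

```python
import re
from collections import Counter

# Apache "vhost_combined" layout (other_vhosts_access.log):
# vhost:port client ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(r'^\S+ (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', re.I)

# Constructed sample lines: documentation addresses, made-up host names.
T = '[01/Feb/2014:00:49:40 +0000]'
SAMPLE = [
    f'127.0.0.1:80 192.0.2.10 - - {T} "GET http://ads.example.net/st?ad_size=728x90 HTTP/1.0" 404 494 "-" "-"',
    f'127.0.0.1:80 192.0.2.10 - - {T} "GET http://tags.example.org/tags.js?type=728x90 HTTP/1.0" 404 504 "-" "-"',
    f'127.0.0.1:80 198.51.100.7 - - {T} "GET http://ads.example.net/ttj?id=1 HTTP/1.0" 200 1234 "-" "-"',
    f'127.0.0.1:80 203.0.113.5 - - {T} "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    f'127.0.0.1:80 203.0.113.9 - - {T} "CONNECT mail.example.org:25 HTTP/1.0" 405 300 "-" "-"',
    f'127.0.0.1:80 203.0.113.5 - - {T} "GET http://myvps.example/ HTTP/1.1" 200 512 "-" "-"',
]

def foreign_host(method, target, own_hosts):
    """Host named by a proxy-style request, or None for ordinary requests."""
    if method == 'CONNECT':                  # authority-form: host:port
        host = target.rpartition(':')[0] or target
    else:
        m = ABS_URI_RE.match(target)         # absolute-form: scheme://host/...
        if not m:
            return None                      # origin-form path such as /index.html
        host = m.group(1)
    host = host.lower()
    return None if host in own_hosts else host

def triage(lines, own_hosts):
    """Count proxy-style requests per client and per target host, and collect
    the ones answered 2xx/3xx, which deserve a manual look."""
    clients, hosts, served = Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        host = m and foreign_host(m['method'], m['target'], own_hosts)
        if not host:
            continue
        clients[m['client']] += 1
        hosts[host] += 1
        if m['status'][0] in '23':
            served.append((m['client'], m['target'], m['status']))
    return clients, hosts, served

if __name__ == '__main__':
    clients, hosts, served = triage(SAMPLE, own_hosts={'myvps.example'})
    print(clients.most_common(), hosts.most_common(), served, sep='\n')
```

An empty served list matches the 404s in the question's log. An entry there may only be local content served for that path, but it is the cue to confirm that mod_proxy's ProxyRequests is off.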