Re: [users@httpd] Possible DOS Attack

Kent Frazier Fri, 20 May 2016 20:54:42 -0700

The abuse email address for  191.96.249.52 is ab...@dmzhost.co
(though most ISPs don't seem to care whether one of their systems has
been hacked or not)


On 5/20/16 4:00 PM, Roman Gelfand wrote:
> In the last 2 days we have received roughly 1milion of the following
> requests.  Just to confirm, is this a DOS attack?
>
> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:24 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:26 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:26 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:28 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:28 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:30 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:30 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:30 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:31 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:31 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
>
> Also, what does this mean?
>
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
>
> Thanks in advance
>

Re: [users@httpd] Possible DOS Attack

Reply via email to