Update:
I have now discovered that one of the websites on the same server is being attacked as well. From what I can gather they are posting variables to the default webpage in the hope of tripping across an undeclared variable - does that seem about right? (see logfile snippet below). The website has register_globals off and all variables are declared so I *think* it is safe from this type of attack? Unless anyone knows otherwise? The server is fully up to date so I am hoping that it is OK from this and the above attack, but it is still a worry when an attack is so sustained!
I have had to turn off fail2ban as it was using more resources blocking the IPs than the attack itself - this became apparent when the number of blocked IPs got above 22,000 and the server started having memory issues! And both attacks had barely slowed! - thanks to unSpawn for the suggestions. I am going through those now. I can see how to use ipset but I am struggling with the PREROUTING side of the rule. Do I need to amend the action sections in action.d/iptables-ipset-proto4.conf or am I way off track? (I have tried to Google it but the only mentions I can find of fail2ban + PREROUTING are your posts from elsewhere on this forum.)
The server is only a couple of months old and doesn't host anything worth hacking so I assume they are just trying to add it to the collective? Either that or I pissed off some serious hacker somewhere!
What are people's experiences with attacks like this? Do they eventually move on or do they just keep on going until they find an exploit? It has now been going for well over 48 hours and is showing no signs of slowing :-(
Also, I am not very up on hacking, but it seems to me that this is not a botnet, as the attack comes in a steady stream and not in the waves and floods I assume it would come in if it were from lots of different machines? So is it possible this is just one (or just a few) machines that are spoofing their IP?
Sorry for all the questions - just trying to get a better handle on the situation.
Apache logfile snippet:
Code:
5.250.8.229 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.184.114 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.186.101.240 - - [16/Sep/2013:18:21:58 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
197.207.28.35 - - [16/Sep/2013:18:21:58 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.113.74.117 - - [16/Sep/2013:18:21:59 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
114.79.18.146 - - [16/Sep/2013:18:21:58 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.162.240.22 - - [16/Sep/2013:18:22:00 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
178.217.30.206 - - [16/Sep/2013:18:22:00 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
101.63.154.142 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
186.5.57.196 - - [16/Sep/2013:18:22:00 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
46.172.187.242 - - [16/Sep/2013:18:22:01 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.184.114 - - [16/Sep/2013:18:22:01 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
213.108.202.218 - - [16/Sep/2013:18:22:02 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.107.188.67 - - [16/Sep/2013:18:22:01 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.242.37 - - [16/Sep/2013:18:21:59 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
115.78.132.139 - - [16/Sep/2013:18:22:03 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.131.57.118 - - [16/Sep/2013:18:22:03 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.141.216.12 - - [16/Sep/2013:18:22:04 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
187.131.141.46 - - [16/Sep/2013:18:22:05 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
159.224.246.56 - - [16/Sep/2013:18:22:06 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
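Added example (not code from the poster or from fail2ban): a small Python check that parses Apache combined-format lines like the snippet above, groups referer-less `POST /` requests by User-Agent, and reports any User-Agent seen from several different source addresses, together with the addresses and the peak per-second rate, then renders the addresses as `ipset add` lines. The four flood lines are copied from the snippet; the benign GET line and the set name `post-flood` are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log format (regex written for this example, not from the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: four lines copied from the snippet in the post above, plus
# one ordinary browser GET (constructed) so the check has a benign line to ignore.
SAMPLE_LOG = """\
5.250.8.229 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.184.114 - - [16/Sep/2013:18:21:57 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.186.101.240 - - [16/Sep/2013:18:21:58 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.184.114 - - [16/Sep/2013:18:22:01 +0100] "POST / HTTP/1.1" 200 15015 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [16/Sep/2013:18:22:01 +0100] "GET /about.html HTTP/1.1" 200 4120 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_post_flood(log_text, min_sources=3):
    """Flag each User-Agent that sends referer-less 'POST /' from >= min_sources IPs.
    That is the shape of the stream in the post above: many addresses, one UA,
    no referer.  Each finding carries the IPs (for a blocklist) and the peak
    number of such requests logged in any one second.
    """
    by_ua = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or (rec["method"], rec["path"], rec["referer"]) != ("POST", "/", "-"):
            continue
        entry = by_ua.setdefault(rec["ua"], {"ips": Counter(), "per_sec": Counter()})
        entry["ips"][rec["ip"]] += 1
        entry["per_sec"][rec["ts"]] += 1
    return [
        {"user_agent": ua, "requests": sum(e["ips"].values()),
         "distinct_ips": len(e["ips"]), "peak_per_second": max(e["per_sec"].values()),
         "ips": sorted(e["ips"])}
        for ua, e in by_ua.items() if len(e["ips"]) >= min_sources
    ]

def ipset_commands(findings, setname="post-flood"):
    """Render one 'ipset add' line per flagged address, for a hash:ip set."""
    return [f"ipset add {setname} {ip}" for f in findings for ip in f["ips"]]
```

Feeding a real access log through `find_post_flood` (with `min_sources` raised to suit the traffic) gives the address list without keeping 22,000 per-IP iptables rules; one ipset match rule then covers the whole set.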