Hi Joshua,
OK, we got another crash and our shared web servers (running under UML) were inaccessible; however, this time mod_forensic was logging to a file.
Below are the logs from when httpd brought the VM to its knees and I had to restart it. I have replaced the Host with 'xxx' just to protect our company hosting.
Please let me know what the action strategy would be now.
+10d8:476979f0:39a|POST /forum/posting.php HTTP/1.0|Accept:*/*|User-Agent:Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)|Referer:http%3a//www.xxx.com/forum/posting.php?mode=newtopic&f=12&sid=dd4189290cb614c55071a463743df2cd|Content-Type:application/x-www-form-urlencoded|Host:www.xxx.com|Content-Length:59423|Pragma:no-cache|Cookie:phpbb2mysql_data=a%253A2%253A%257Bs%253A11%253A%2522autologinid%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522userid%2522%253Bs%253A5%253A%252214567%2522%253B%257D; phpbb2mysql_sid=dd4189290cb614c55071a463743df2cd
+133e:476c9678:3|GET /forum/viewtopic.php?p=51500&sid=578b164651a42205e13907ad29ee6c1f HTTP/1.1|Host:www.xxx.com|Connection:Keep-alive|Accept:*/*|From:googlebot(at)googlebot.com|User-Agent:Mozilla/5.0 (compatible; Googlebot/2.1; +http%3a//www.google.com/bot.html)|Accept-Encoding:gzip
+1341:476c9629:1|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+13c0:476c96a0:0|GET /app/cs.php?c=gb&pno=0 HTTP/1.1|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com|Cache-Control:max-stale=0|Connection:close|X-BlueCoat-Via:3EFBBB6A4CC354A7
+1bd5:47697260:1b0|POST /forum/posting.php HTTP/1.0|Accept:*/*|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; XMPP Tiscali Communicator v.10.0.2; .NET CLR 2.0.50727)|Referer:http%3a//www.xxx.com/forum/posting.php?mode=newtopic&f=12&sid=58b841154dc1bc186be53e6712dcf5d6|Content-Type:application/x-www-form-urlencoded|Host:www.xxx.com|Content-Length:56738|Pragma:no-cache|Cookie:phpbb2mysql_data=a%253A2%253A%257Bs%253A11%253A%2522autologinid%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522userid%2522%253Bs%253A5%253A%252214564%2522%253B%257D; phpbb2mysql_sid=58b841154dc1bc186be53e6712dcf5d6
+30e0:476c95af:3f1|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+3751:476c9585:3a2|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+37b5:476c9681:3b9|GET / HTTP/1.1|Accept:*/*|Referer:http%3a//click.betafoxsearch.com/click/?dT0xNS4yMy45MzQ2ODgyLjI0NC4xJTdDNzY4NCU3QzE2OTk5JTdDMDAxMDg5Mjk0NjU4MjclN0MyNjAwOTAwMyU3QyU3QyU3QzU4JTdDJm51bWJlcj00JTNBNCZhZHRpdGxlPUNyZWF0ZSUyMGElMjBmcmVlJTIwbmV3c2xldHRlciUyMGZvciUyMHlvdXIlMjBjb25kbyUyMG9yJTIwY28tb3AmYWR1cmw9aHR0cCUzQSUyRiUyRnd3dy5teWNvbmRvbmV3c2xldHRlci5jb20mYWRib2R5PU15Q29uZG9OZXdzbGV0dGVyLmNvbSUyMGlzJTIwYSUyMGZyZWUlMjBzZXJ2aWNlJTIwZm9yJTIwY29uZG8lMjBhbmQlMjBjby1vcCUyMHJlc2lkZW50cyUyMHRvJTIwaW50ZXJhY3QlMjBvbmxpbmUuJTIwV2UlMjBwcm92aWRlJTIwYSUyMGZyZWUlMjBuZXdzbGV0dGVyJTIwYW55JTIwcmVzaWRlbnQlMjBjYW4lMjBhY2Nlc3MlMjB3aXRob3V0JTIwY2hhcmdlLiY=|Accept-Language:en-us|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322)|Connection:Keep-Alive|Host:www.mycondonewsletter.com
+3adb:476c95a3:385|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+4e1c:47680f0e:18c|GET /app/cs.php?c=mpage&id=1125&catid=2&mid=113 HTTP/1.1|Host:www.xxx.com|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5|Connection:close
+512b:47695866:464|POST /forum/posting.php HTTP/1.0|Accept:*/*|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; FDM)|Referer:http%3a//www.xxx.com/forum/posting.php?mode=newtopic&f=12&sid=dd19e39ca20bd404017e222fe1e06f04|Content-Type:application/x-www-form-urlencoded|Host:www.xxx.com|Content-Length:58997|Pragma:no-cache|Cookie:phpbb2mysql_data=a%253A2%253A%257Bs%253A11%253A%2522autologinid%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522userid%2522%253Bs%253A5%253A%252214553%2522%253B%257D; phpbb2mysql_sid=dd19e39ca20bd404017e222fe1e06f04
+7e4e:476c95e5:c1|GET /app/cs.php?c=gb&pno=0 HTTP/1.1|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com|Cache-Control:max-stale=0|Connection:Keep-Alive|X-BlueCoat-Via:3EFBBB6A4CC354A7
+7f31:476c9682:b5|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
Thanks.
Askar