Help with probable hacking/flooding attempts on a big site

sven2012
Ok, for a couple of weeks/months I have had a serious issue which I cannot resolve on my own, despite the skills I have in this segment:

I have a medium-sized filehosting site with clients mostly from Europe.
the software is written in Perl, hosted on an Apache2 webserver with MySQL (each on one server)

for a couple of weeks I have been getting server loads of 200-700, since I have connections from all over the world (Zimbabwe, China, Thailand, Brazil etc.) where I definitely do not have customers.
it seems that those connections are increasing the load dramatically.
we are not talking about a flooding or DDoS but some kind of other attack.
when I ban those IPs (I have a Cisco firewall) the load goes back to normal, but then new connections from new weird countries are made.
so I blocked a couple of countries with the firewall, but basically I could block the whole world, since new weird connections from new countries are made continuously.

we are talking about 80-200 connections at a time, not more, seen with this:

netstat -anp |grep 'tcp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

the main server is a dual quad-core with SSD hard drives and 24 GB RAM, the database server is the same, linked to each other by cable.
OS is Ubuntu.

I would be grateful if anyone could give me some hints on what to do in order to trace those connections and see where the security hole is, since there probably is one.
or might it be a bot-attack of someone?!
Michael Worsham, Cloud/Infrastructure Solutions Architect

Commented:
What you need to install is called a Web Application Firewall, or WAF for short.

Install & configure ModSecurity:
http://www.modsecurity.org/

ModSecurity: Overview for Apache
http://www.modsecurity.org/projects/modsecurity/apache/

Author

Commented:
ModSecurity is installed and helps only partly.
It seems that those accesses are targeting the software itself (xfilesharingpro script core but modified).
a WAF does not help much in your situation

as long as you cannot describe what exactly causes the load, it's difficult to give suggestions

that said, you first need to check your web server's log files and verify whether the requests are legitimate ones accessing your website or whether they look suspicious or even malicious
only if you have a lot of malicious requests does a WAF make sense; otherwise, to just block IPs, you are better off with a traditional network firewall (Linux's iptables is sufficient)

probably your web application is vulnerable to attacks, hence you had better check your application and fix the vulnerabilities, if any

Author

Commented:
According to the log my site gets flooded with POST commands, probably some kind of scanning in order to gain users' logins and passwords (mostly from premium users)

see the log:

80.82.222.61 - - [25/May/2012:15:21:05 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:06 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:08 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:09 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:10 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:11 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:12 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:13 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:14 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:15 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:16 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:21:17 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:21:18 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:20 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:21:20 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:20 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:21:21 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:21:23 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:22 +0200] "POST / HTTP/1.0" 500 1334 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:23 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:24 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:25 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:26 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:27 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:28 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:21:28 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:29 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:21:29 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:30 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:30 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:21:39 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:21:46 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:21:49 +0200] "POST / HTTP/1.0" 200 5453 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:21:58 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:03 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:06 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:10 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:12 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:15 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:16 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:18 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:20 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:21 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:22 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:23 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:24 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:26 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:27 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:28 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:29 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:30 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:30 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:31 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:31 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:32 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:32 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:33 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:34 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:34 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:35 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:35 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:36 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:36 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:37 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:38 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:38 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:38 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:39 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:40 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:40 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:41 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:41 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:41 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
80.82.222.61 - - [25/May/2012:15:22:42 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
80.82.222.61 - - [25/May/2012:15:22:42 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"
80.82.222.61 - - [25/May/2012:15:22:42 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
80.82.222.61 - - [25/May/2012:15:22:43 +0200] "POST / HTTP/1.0" 200 4998 "http://www.*********.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"


any ideas how to avoid/stop this?
can you please enable logging of POST parameters
then restart apache and post some (approx 10) different requests

Author

Commented:
I enabled dump_io module but it does not seem to work?!
parameters are
DumpIOInput On
DumpIOLogLevel debug

I am on Apache 2.2.1.6
where is the POST data meant to appear?!
> DumpIOLogLevel debug
 I assume you mean
   LogLevel debug

note that all these directives must be set in the server's config file

Author

Commented:
I actually found the cause:

88.212.1.242 - - [26/May/2012:16:00:04 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:00:23 +0200] "POST /?op=login HTTP/1.1" 200 5104 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
88.212.1.242 - - [26/May/2012:16:01:57 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:02:07 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:02:18 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:02:28 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:02:50 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:03:21 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:03:43 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:03:53 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:04:04 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:04:15 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:04:38 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:04:47 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:04:58 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:05:16 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:05:19 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:05:34 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:05:42 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:06:14 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:06:26 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:06:49 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:07:02 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:07:27 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:07:40 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:07:51 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:08:17 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:08:30 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:08:56 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:09:08 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:09:21 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:09:33 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:09:47 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:10:00 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:10:25 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:10:37 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:11:27 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:11:40 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:11:53 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:12:06 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:12:20 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:12:32 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:12:45 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:13:16 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:13:27 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:13:38 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:14:10 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:14:20 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:14:31 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:14:41 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:15:10 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:15:35 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:15:46 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:15:58 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:16:08 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:16:20 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:16:43 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:16:52 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:17:03 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:17:13 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:17:24 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:17:45 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:17:57 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:18:07 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:18:39 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:18:50 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:19:01 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:19:34 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:20:08 +0200] "POST /login.html HTTP/1.1" 404 1228 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:20:21 +0200] "POST /login.html HTTP/1.1" 200 5564 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:20:32 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:20:43 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:21:07 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:21:30 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:21:41 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:21:52 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:22:04 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:22:28 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:22:40 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:22:51 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:23:04 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:23:15 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:23:27 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:23:39 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:23:53 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:24:03 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:24:14 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:24:27 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:24:40 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:24:50 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:25:03 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:25:14 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:25:25 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:25:35 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:25:46 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:25:58 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:26:20 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:26:30 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:26:43 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:26:53 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:27:15 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:27:26 +0200] "POST /login.html HTTP/1.1" 200 5570 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:28:04 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:28:19 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:28:41 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:28:52 +0200] "POST /login.html HTTP/1.1" 200 5570 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:29:14 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:29:15 +0200] "POST / HTTP/1.1" 200 5047 "http://www.**********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
88.212.1.242 - - [26/May/2012:16:29:21 +0200] "POST / HTTP/1.1" 200 5047 "http://www.**********.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
88.212.1.242 - - [26/May/2012:16:29:24 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:29:36 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:29:58 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:30:11 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:30:25 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:30:32 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:31:01 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:31:30 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:31:37 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:31:48 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:31:58 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:32:21 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:32:32 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:32:43 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:33:05 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:33:52 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:34:05 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:34:29 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:34:35 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:34:46 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:35:12 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:35:21 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:35:29 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:35:41 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:36:15 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:36:27 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:36:49 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:37:30 +0200] "POST /login.html HTTP/1.1" 200 5047 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:37:41 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:37:52 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:38:03 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:38:25 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:38:46 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:39:10 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:39:18 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:39:29 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:39:40 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:39:50 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:40:02 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:40:13 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:41:12 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:41:23 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:41:42 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:42:03 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:42:18 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:42:48 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:43:10 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:43:21 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:43:53 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:44:04 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:44:15 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:44:26 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:44:37 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:44:48 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:45:35 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:46:04 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:46:16 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:46:38 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:46:48 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:46:59 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:47:21 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:47:32 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:47:47 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:48:16 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:48:28 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:48:40 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:48:50 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:49:12 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:49:26 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:49:47 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:50:05 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:50:07 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:50:33 +0200] "POST /login.html HTTP/1.1" 200 5602 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:50:47 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:51:03 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:51:25 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:51:39 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:51:47 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:52:20 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:52:31 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:52:41 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:52:53 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:54:09 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:54:10 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:54:21 +0200] "POST /login.html HTTP/1.1" 200 5064 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:54:35 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:54:43 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:54:54 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:55:25 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:55:38 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:55:50 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:56:02 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:56:13 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:56:26 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:56:46 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:56:58 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:57:09 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:57:19 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:57:30 +0200] "POST /login.html HTTP/1.1" 200 5605 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:58:03 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:58:14 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:58:26 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:58:37 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:58:48 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:58:59 +0200] "POST /login.html HTTP/1.1" 200 5606 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:16:59:26 +0200] "POST / HTTP/1.1" 500 1543 "http://www.**********.com/login.html" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
88.212.1.242 - - [26/May/2012:16:59:44 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:00:07 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:00:07 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:00:18 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:00:28 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:00:29 +0200] "POST / HTTP/1.1" 500 1543 "http://www.**********.com/login.html" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
88.212.1.242 - - [26/May/2012:17:00:39 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:00:50 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:01:01 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:01:13 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:01:47 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:01:57 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:02:09 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:02:20 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:02:43 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:02:53 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:03:04 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:03:16 +0200] "POST /login.html HTTP/1.1" 200 5083 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:03:27 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:03:40 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:04:24 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:04:36 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:04:57 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:05:31 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:05:42 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:05:53 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:06:03 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
88.212.1.242 - - [26/May/2012:17:06:06 +0200] "POST / HTTP/1.1" 200 5089 "http://www.**********.com/login.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
88.212.1.242 - - [26/May/2012:17:06:13 +0200] "POST / HTTP/1.1" 200 5089 "http://www.**********.com/login.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
88.212.1.242 - - [26/May/2012:17:06:26 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"



This is not Googlebot though; I have excluded it with a meta tag, but this must be some other attack pretending to be Googlebot, flooding the site with POST commands on the login page.
The IPs are different all the time, from all over the world, so with banning IPs I can control it, but I do have to be in front of the PC all the time.

Any ideas how to ban this?
Top Expert 2010

Commented:
As a stop gap the following should block all requests to your /login.html from a Googlebot, real or not.

Just stick it in your httpd.conf virtual host definition:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Googlebot
RewriteRule ^/login.html  -  [F]



Your log appears to show only one request every 10 seconds or so, so a traffic shaper isn't likely to be of any use, but you may wish to look at a GEO IP block, if your customers are limited to one or more specific markets and don't need access while travelling, e.g. http://www.debian.md/cmds/apache_geoip.html
LinuxGuru, Linux Server Administrator

Commented:
As mentioned above, if requests are from different ips, better block request to the particular page.
I still miss the data posted, what we see in the posted logfile are just the request lines no posted data
can you please check again and post some line with the posted data
PLEASE POST 3-5 LINES ONLY

Author

Commented:
@arober11: that didn't help, now the requests are like this:

200.7.177.112 - - [27/May/2012:19:05:56 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
189.84.230.161 - - [27/May/2012:19:05:57 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
94.42.176.108 - - [27/May/2012:19:05:56 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
186.88.85.176 - - [27/May/2012:19:05:50 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
190.198.253.132 - - [27/May/2012:19:05:55 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
186.153.166.188 - - [27/May/2012:19:05:57 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
186.129.253.156 - - [27/May/2012:19:05:58 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
99.47.3.235 - - [27/May/2012:19:05:58 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
190.199.6.59 - - [27/May/2012:19:05:57 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
190.248.130.170 - - [27/May/2012:19:05:59 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
177.19.218.139 - - [27/May/2012:19:05:59 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
89.208.117.210 - - [27/May/2012:19:05:59 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
178.19.21.162 - - [27/May/2012:19:06:00 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
190.90.209.150 - - [27/May/2012:19:06:01 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
190.242.40.50 - - [27/May/2012:19:06:02 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
201.57.153.114 - - [27/May/2012:19:06:02 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
201.251.62.137 - - [27/May/2012:19:06:03 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
187.125.37.26 - - [27/May/2012:19:06:03 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
187.0.222.167 - - [27/May/2012:19:06:04 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
186.153.252.17 - - [27/May/2012:19:06:04 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
201.18.134.94 - - [27/May/2012:19:06:06 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
190.6.206.106 - - [27/May/2012:19:06:06 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
60.51.176.162 - - [27/May/2012:19:06:17 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
200.97.128.62 - - [27/May/2012:19:06:17 +0200] "POST /login.html HTTP/1.1" 500 1543 "-" "Googlebot"
114.66.196.192 - - [27/May/2012:19:06:17 +0200] "POST /login.html HTTP/1.1" 200 5604 "-" "Googlebot"
81.89.60.86 - - [27/May/2012:19:06:19 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
189.58.195.234 - - [27/May/2012:19:06:17 +0200] "POST /login.html HTTP/1.1" 200 5605 "-" "Googlebot"
93.159.192.43 - - [27/May/2012:19:06:19 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
187.55.129.120 - - [27/May/2012:19:06:19 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
186.251.6.202 - - [27/May/2012:19:06:18 +0200] "POST /login.html HTTP/1.1" 200 5604 "-" "Googlebot"
201.39.162.149 - - [27/May/2012:19:06:18 +0200] "POST /login.html HTTP/1.1" 200 5605 "-" "Googlebot"
200.42.56.146 - - [27/May/2012:19:06:20 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
194.67.253.234 - - [27/May/2012:19:06:19 +0200] "POST /login.html HTTP/1.1" 200 5603 "-" "Googlebot"
187.6.86.2 - - [27/May/2012:19:06:22 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
71.42.153.24 - - [27/May/2012:19:06:21 +0200] "POST /login.html HTTP/1.1" 200 5604 "-" "Googlebot"
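The pattern in the log above (one User-Agent, POSTs to the login page, a different address on almost every line) can be picked out of an access log automatically. The following is an added example, not code from this thread: the sample lines are constructed with documentation addresses, and the function names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the format of the excerpts in this thread.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def distributed_login_floods(lines, login_paths=("/login.html", "/"),
                             window=timedelta(minutes=5), min_ips=5):
    """Group POSTs to the login endpoints by User-Agent and report every
    agent string seen from at least `min_ips` distinct addresses inside one
    `window`. Per-address rate limits miss this pattern because each address
    sends only a few requests."""
    by_ua = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] in login_paths:
            by_ua[rec["ua"]].append(rec)

    findings = []
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["ts"])  # log lines are not strictly ordered
        start, peak = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({r["ip"] for r in recs[start:end + 1]}))
        if peak >= min_ips:
            findings.append({
                "user_agent": ua,
                "peak_distinct_ips": peak,
                "requests": len(recs),
                "statuses": dict(Counter(r["status"] for r in recs)),
                "all_without_referer": all(r["referer"] == "-" for r in recs),
            })
    return findings

# Constructed sample (documentation address ranges), shaped like the log above.
SAMPLE_LOG = """\
192.0.2.10 - - [27/May/2012:19:05:56 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
198.51.100.7 - - [27/May/2012:19:05:57 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
203.0.113.44 - - [27/May/2012:19:05:50 +0200] "POST /login.html HTTP/1.1" 403 1615 "-" "Googlebot"
192.0.2.77 - - [27/May/2012:19:06:17 +0200] "POST /login.html HTTP/1.1" 200 5089 "-" "Googlebot"
198.51.100.23 - - [27/May/2012:19:06:17 +0200] "POST /login.html HTTP/1.1" 500 1543 "-" "Googlebot"
203.0.113.9 - - [27/May/2012:19:06:19 +0200] "POST /login.html HTTP/1.1" 200 5604 "-" "Googlebot"
192.0.2.200 - - [27/May/2012:19:06:20 +0200] "POST /login.html HTTP/1.1" 200 5089 "http://www.example.com/login.html" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.200 - - [27/May/2012:19:06:25 +0200] "GET /files HTTP/1.1" 200 812 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    for finding in distributed_login_floods(SAMPLE_LOG.splitlines()):
        print(finding)
```

The status breakdown in each finding also shows whether a block rule is holding: a mix of 403 and 200 for the same agent string means some requests still reach the login handler.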


Author

Commented:
@ahoffmann: although I have enabled mod_security with the parameter
SecFilterScanPOST On
the post data is not logged!
no idea why is that....?!
mod_security uses its own logfile, usually, see configuration
POST data will be logged in its audit log
maybe this helps:
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/07-logging.html
Top Expert 2010

Commented:
Hi

Can you please temporarily enable the Rewrite Log e.g.

RewriteLog          /tmp/temp_Rewrite.log
RewriteLogLevel 9



Restart your Apache daemon and leave it for a couple of minutes, then set the Log Level to 0 (turn off) and restart Apache again.

Then search for and cut-n-paste a block of output, for one of the POST requests.
Top Expert 2010

Commented:
Also, did you do anything between 27/May/2012:19:06:06 and 27/May/2012:19:06:17? Apache was blocking, returning a 403 error to the bot, then the responses suddenly changed back to 200s (OK - Apache accepted the POST).

Author

Commented:
I won't get this logging working, impossible!

>a2enmod mod-security
>Module mod-security already enabled

and then in apache conf.d folder I put modsecuriry.conf with following contents:

<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature " "

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    # SecFilterForceByteRange 1 255

    # The name of the audit log file
    SecAuditEngine On
    SecAuditLogStorageDir /var/log/mod_security
    SecAuditLog /var/log/mod_security/audit_log
    SecAuditLogParts ABCDEFGHZ

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    # SecFilterDefaultAction "deny,log,status:500"

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Prevent path traversal (..) attacks
    SecFilter "../"

    # Weaker XSS protection but allows common HTML tags
    #SecFilter "<[[:space:]]*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    #SecFilter "<(.|n)+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecFilter "drop[[:space:]]table"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>



I tried to put these conf lines in apache.conf but still the same, it won't log anything!

As for the 403 and 200 responses, this might have been mod_evasive for DDoS protection.
do you have virtual hosts?

Author

Commented:
yes, one, you think there is the error?
did you check in your access and/or error logs that the changes are applied/valid for your virtual host (if that virtual host is the one you want to monitor)?

Author

Commented:
I did include the config into the virtual host and I double checked everything.
this retarded mod_security won't log anything anywhere, this is ridiculous.

is there any other way to store the POST data?
Michael Worsham, Cloud/Infrastructure Solutions Architect

Commented:
Your audit log should be under /var/log/mod_security/audit_log. Make sure that the entire directory structure even exists and has the right permissions to it as well.

Author

Commented:
I checked it ten times, the directory is there, the module is loaded (appears in php variables) but it is not logging anything.
the above conf must be wrong?!
Michael Worsham, Cloud/Infrastructure Solutions Architect

Commented:
Did you also bounce Apache instance as well to make sure?

Author

Commented:
of course ;-)
Michael Worsham, Cloud/Infrastructure Solutions Architect

Commented:
I'm not a Debian / Ubuntu user, but I found this link. Maybe it will help shed some light.

http://www.linuxlog.org/?p=135

Author

Commented:
believe it or not, I got it.
it was
<IfModule mod_security2.c>
instead of
<IfModule mod_security.c>

since it is mod_security2!
 oh well......

let me scan the audit_log for the POST data.....

Author

Commented:
so a relevant log entry from the Apache log would be:
195.62.49.82 - - [01/Jun/2012:18:08:48 +0200] "POST / HTTP/1.0" 200 5042 "http://www.xxxx.com" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"

the audit log for this IP is:

--d50aae60-A--
[01/Jun/2012:18:07:10 +0200] T8jorF-TrYsAAEHQJv0AAAA7 195.62.49.82 42127 10.1.0.139 80
--d50aae60-B--
POST / HTTP/1.0
Accept: */*
Referer: http://www.xxxxxx.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Host: www.xxxxxxx.com
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Via: 1.1 ace-custqaapp3:80 (squid/2.7.STABLE9)
X-Forwarded-For: 188.165.145.150
Cache-Control: max-age=259200
Connection: keep-alive

--d50aae60-C--
login=afluent&password=afluent&op=login&redirect=
--d50aae60-F--
HTTP/1.1 200 OK
Expires: Thu, 31 May 2012 16:07:09 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

--d50aae60-H--
Apache-Handler: cgi-script
Stopwatch: 1338566828711788 1367712 (386* 388 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache

--d50aae60-Z--



so obviously someone scans the host for usernames and passwords?!
Michael Worsham, Cloud/Infrastructure Solutions Architect

Commented:
Common backdoors are to applications like phpMyAdmin and other SQL-like applications as these can be injected since the login/password is sent in clear text.
you can't do anything against such scans except disconnecting your server from public access
some ideas to fool attackers:
 - replace your /index.whatever  with a simple page without a form
   (use another more random path for your login, but don't place a link in /)

 - for all failed logins, redirect to 127.0.0.1

 - use mod_evasive
