I seem to have some kind of self-inflicted DoS attack going on. I have some [self-written blog software](https://github.com/Pamblam/fuckit) that I have hosted on a Digital Ocean droplet running Ubuntu 20. Everything worked fine for a long time, but recently the server is taking a long time to respond, so I checked the Apache access logs and found that it is requesting this one image from itself several times per second:
Snippet from the access log:
```
134.209.212.156 - - [04/Oct/2024:15:32:55 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3976 "-" "-"
127.0.0.1 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1350 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3976 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:58 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:58 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:55 +0000] "GET / HTTP/1.1" 200 3975 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:55 +0000] "GET / HTTP/1.1" 200 3976 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 3977 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3728 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3729 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:58 +0000] "GET / HTTP/1.1" 200 3975 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
```
134.209.212.156 is my server's public IP, which my domain, robert-parham.com points to.
The website runs fine on my own computer; there are no cron jobs under the root account or the non-root account that I set up.
Could this be some kind of malware? What steps can I take or tools can I use to find out what program or piece of code is making these requests?
--
Edit 1:
Here's a snippet of the output from `sudo tcpdump -vv -s0 tcp port 80 and src host 134.209.212.156`:
```
17:05:18.015144 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0x575a), seq 2203077905, ack 1, win 64240, options [mss 1460], length 0
17:05:31.839148 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.http > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0x2b82), seq 2445306852, ack 1, win 64240, options [mss 1460], length 0
17:05:34.400019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0x575a), seq 2203077905, ack 1, win 64240, options [mss 1460], length 0
17:05:49.535001 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.http > 185.224.128.82.41528: Flags [S.], cksum 0x95bf (incorrect -> 0x0637), seq 899153806, ack 2088086825, win 64240, options [mss 1460], length 0
17:06:55.622040 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:06:56.639166 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:06:58.687124 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:02.453575 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:04.527413 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:08.543172 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:16.799356 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:33.183150 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
```
According to www.abuseipdb.com, both vmi1563824.contaboserver.net and 185.224.128.82 have high-confidence ratings for abuse, so I'm pretty confident it's some kind of malware at this point.
Asked by I wrestled a bear once.
(189 rep)
Oct 4, 2024, 03:56 PM
Last activity: Oct 4, 2024, 05:13 PM
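One way to turn the access-log reading in the question into a repeatable check, as an added example that is not part of the original post: a parser for Apache's combined log format that counts requests arriving from the server's own addresses (its public IP or loopback) per second and counts requests that carry no User-Agent, which a real browser almost always sends. The sample lines, the 203.0.113.7 visitor and the threshold of 3 requests per second are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log format, the layout of the access-log excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def self_requests_per_second(lines, own_ips):
    """Count requests whose client address is one of the server's own addresses
    (public IP or loopback), keyed by the log timestamp (one-second resolution)."""
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in own_ips:
            per_second[rec["ts"]] += 1
    return per_second

def peak_rate(per_second):
    """Largest number of self-originated requests seen in any single second."""
    return max(per_second.values(), default=0)

def seconds_at_or_above(per_second, threshold):
    """Timestamps (sorted) in which the self-request count reached the threshold."""
    return sorted(ts for ts, n in per_second.items() if n >= threshold)

def no_user_agent(lines):
    """Requests with a '-' User-Agent: from the server's own IP at a steady rate,
    that points at a script or process on the box rather than a visitor."""
    return sum(1 for line in lines if (r := parse_line(line)) and r["ua"] == "-")

# Constructed sample lines in the same format as the quoted log (not the real log).
SAMPLE = [
    '134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"',
    '134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"',
    '134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"',
    '127.0.0.1 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1350 "-" "-"',
    '134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"',
    '203.0.113.7 - - [04/Oct/2024:15:32:57 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"https://example.org/" "Mozilla/5.0 (constructed visitor)"',
]
OWN_IPS = {"134.209.212.156", "127.0.0.1"}  # the server's public IP (from the post) and loopback
```

Run it against the real file with `self_requests_per_second(open("/var/log/apache2/access.log"), OWN_IPS)`; a peak well above what the site's own pages would ever fetch, all with no User-Agent, narrows the search to a process on the droplet itself.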