Today i found server that hosts http://forums.bizhat.com is down.
I tried to login with SSH, server was responding, but was very slow.
On login in i found server load of 20 to 40 and too many apache process. The one tak take too much CPU is MySQL.
I tried to restart the server, but on rebooting, again the CPU usage goes high.
I stoped MySQL and start watching the Apache log file and found
195.225.176.87 – – [26/Jun/2006:17:29:07 +0100] “POST /profile.php?mode=register&agreed;=true&coppa;=true HTTP/1.1” 200 30382 “http://www.google.ru/search?hl=en&q;=free+porno&btnG;=Google+Search” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0;)”
There are too many such connections.
The problem is fixed by blocking the user with mod_security
SecFilterSelective “HTTP_REFERER” “porno”
