Someone is proxying my server 10 times a second.

Status
Not open for further replies.

altendew

Programmer
Mar 29, 2005
154
US
Check out these logs

Code:
Host: 201.50.215.207   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:40  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; WUU; PPC Mac OS X; en-US) AppleWebKit/778.7 (KHTML, like Geco, Safari) OmniWeb/v210.76emDrive=C:\x81  
---------------------------------------------------------
Host: 217.227.145.193   /signUp.php?ref=ec0lag  
  Http Code: 200  Date: May 20 00:55:39  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; LTQ; PPC Mac OS X; en-US) AppleWebKit/583.2 (KHTML, like Geco, Safari) OmniWeb/v716.45ot=D:\\WIND\x81  
---------------------------------------------------------
Host: 88.218.14.182   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:39  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; OON; PPC Mac OS X; en-US) AppleWebKit/185.0 (KHTML, like Geco, Safari) OmniWeb/v024.81temDrive=C\x81  
---------------------------------------------------------
Host: 84.121.126.152   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:38  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; TGA; PPC Mac OS X; en-US) AppleWebKit/522.5 (KHTML, like Geco, Safari) OmniWeb/v164.73rama  
---------------------------------------------------------
Host: 84.102.227.121   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:38  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; YFJ; PPC Mac OS X; en-US) AppleWebKit/127.4 (KHTML, like Geco, Safari) OmniWeb/v066.21stemDrive=\x81  
---------------------------------------------------------
Host: 221.144.148.129   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:37  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; IHR; PPC Mac OS X; en-US) AppleWebKit/370.2 (KHTML, like Geco, Safari) OmniWeb/v721.81es  
---------------------------------------------------------
Host: 83.135.123.247   /signUp.php?ref=ec0lag  
  Http Code: 200  Date: May 20 00:55:37  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; DKB; PPC Mac OS X; en-US) AppleWebKit/121.6 (KHTML, like Geco, Safari) OmniWeb/v767.38Drive=C:  
---------------------------------------------------------
Host: 80.38.234.40   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:37  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; EOW; PPC Mac OS X; en-US) AppleWebKit/800.4 (KHTML, like Geco, Safari) OmniWeb/v834.74Drive=C:  
---------------------------------------------------------
Host: 211.61.185.8   /signUp.php?ref=ec0lag  
  Http Code: 200  Date: May 20 00:55:37  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; YMA; PPC Mac OS X; en-US) AppleWebKit/440.7 (KHTML, like Geco, Safari) OmniWeb/v\xe137.02temDrive=C\x81  
---------------------------------------------------------
Host: 190.49.206.39   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:36  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; UIN; PPC Mac OS X; en-US) AppleWebKit/344.1 (KHTML, like Geco, Safari) OmniWeb/v552.66a  
---------------------------------------------------------
Host: 83.211.92.18   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:36  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; YIJ; PPC Mac OS X; en-US) AppleWebKit/864.1 (KHTML, like Geco, Safari) OmniWeb/v677.56ip  
---------------------------------------------------------
Host: 84.174.193.248   /signUp.php?ref=ec0lag  
  Http Code: 200  Date: May 20 00:55:36  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; CWA; PPC Mac OS X; en-US) AppleWebKit/577.2 (KHTML, like Geco, Safari) OmniWeb/v815.46temDrive=C\x81  
---------------------------------------------------------
Host: 84.162.208.14   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:36  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; JYX; PPC Mac OS X; en-US) AppleWebKit/856.2 (KHTML, like Geco, Safari) OmniWeb/v732.76mDrive=C:  
---------------------------------------------------------
Host: 81.193.0.187   /signUp.php?ref=1945777  
  Http Code: 200  Date: May 20 00:55:36  Http Version: HTTP/1.0  Size in Bytes: 0  
  Referer: -  
  Agent: Mozilla/5.0 (Macintosh; INJ; PPC Mac OS X; en-US) AppleWebKit/750.0 (KHTML, like Geco, Safari) OmniWeb/v651.53

OK, the first thing I noticed was that they were all accessing the same page: either "/signUp.php?ref=1945777" or "/signUp.php?ref=ec0lag".

Second, they had no referer, which is very uncommon.

Third, each agent is just a little different; I will place * around where it's different:

Agent: Mozilla/5.0 (Macintosh; *INJ*; PPC Mac OS X; en-US) AppleWebKit/*750.0* (KHTML, like Geco, Safari) OmniWeb/v*651.53*

Fourth, 10 straight Mac requests in a row is unlikely; Windows usually is 99% of the hits.

So yes, someone is using some kind of software to target my server, but I really do not know if there is a way to prevent this?

I blocked these URLs:
/signUp.php?ref=1945777
/signUp.php?ref=ec0lag

But that's not going to stop him from changing the ref value.

Any help would be appreciated.
 
Also to add on.

I am running Linux, with Cpanel.
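
An added example, not part of the original post: a Python script that parses the log layout shown above and flags requests on the three per-request observations in the post (sign-up URL with a ref value, no referer, agent string fitting the randomized template), then reports distinct hosts and peak requests per second for each ref value, so the match does not depend on any one ref. The sample records are constructed, and all function and variable names are illustrative.

```python
import re
from collections import defaultdict

RECORD = re.compile(
    r"Host:\s*(?P<host>\S+)\s+(?P<path>\S+)\s+Http Code:\s*(?P<code>\d+)\s+"
    r"Date:\s*(?P<date>\w+ \d+ [\d:]+)\s+Http Version:\s*(?P<ver>\S+)\s+"
    r"Size in Bytes:\s*(?P<size>\d+)\s+Referer:\s*(?P<referer>\S+)\s+"
    r"Agent:\s*(?P<agent>[^\n]*)")
# Fixed skeleton of the agent strings in the post; only the three-letter token
# and the version numbers vary, and "Geco" is misspelled in every one of them.
TEMPLATE_UA = re.compile(
    r"Mozilla/5\.0 \(Macintosh; [A-Z]{3}; PPC Mac OS X; en-US\) "
    r"AppleWebKit/\d+\.\d+ \(KHTML, like Geco, Safari\) OmniWeb/v")

def parse(text):
    """Split on the dashed separator lines and parse each record."""
    chunks = re.split(r"^-{10,}\s*$", text, flags=re.M)
    return [m.groupdict() for m in map(RECORD.search, chunks) if m]

def indicators(rec):
    """Which of the post's observations hold for one request."""
    checks = {
        "signup_ref": rec["path"].startswith("/signUp.php?ref="),
        "no_referer": rec["referer"] == "-",
        "template_ua": bool(TEMPLATE_UA.match(rec["agent"])),
    }
    return {name for name, hit in checks.items() if hit}

def summarize(records, min_hits=3):
    """Per ref value: (distinct hosts, peak requests in one second)."""
    hosts, per_sec = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for rec in records:
        if len(indicators(rec)) >= min_hits:
            ref = rec["path"].partition("ref=")[2]
            hosts[ref].add(rec["host"])
            per_sec[ref][rec["date"]] += 1
    return {r: (len(hosts[r]), max(per_sec[r].values())) for r in hosts}

# Constructed sample in the post's log layout (documentation-range IPs).
def _rec(host, path, date, ver, size, referer, agent):
    return (f"Host: {host}   {path}\n  Http Code: 200  Date: {date}  Http Version: {ver}"
            f"  Size in Bytes: {size}\n  Referer: {referer}\n  Agent: {agent}\n")

_BOT = "Mozilla/5.0 (Macintosh; {}; PPC Mac OS X; en-US) AppleWebKit/{} (KHTML, like Geco, Safari) OmniWeb/v{}"
SAMPLE = ("-" * 57 + "\n").join([
    _rec("192.0.2.10", "/signUp.php?ref=1945777", "May 20 00:55:36", "HTTP/1.0", 0, "-", _BOT.format("INJ", "750.0", "651.53")),
    _rec("192.0.2.11", "/signUp.php?ref=1945777", "May 20 00:55:36", "HTTP/1.0", 0, "-", _BOT.format("YIJ", "864.1", "677.56ip")),
    _rec("198.51.100.7", "/signUp.php?ref=ec0lag", "May 20 00:55:36", "HTTP/1.0", 0, "-", _BOT.format("CWA", "577.2", "815.46")),
    _rec("203.0.113.5", "/signUp.php?ref=1945777", "May 20 00:55:37", "HTTP/1.0", 0, "-", _BOT.format("UIN", "344.1", "552.66a")),
    _rec("198.51.100.20", "/signUp.php?ref=1945777", "May 20 00:55:37", "HTTP/1.1", 5120, "http://example.com/", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
])
```

The last constructed record is an ordinary browser visit to the same sign-up URL; it meets only one of the three indicators and is left out of the summary.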
 