Keith:

These are not due to hackers; although if you are running an older version
of Drupal or a heavily customized code base, it's a good bet you are
targeted.  All phishing, most database encroachments tools and certainly
all rogue security scanners include the option to spoof source addresses.
Asia is a commonly used spoofed local.  Don't rely on locking out one of
these scripts, rather than fix your security issues or upgrade your CMS.

The 403 errors are due to CCK module or configuration for caching ( or can
be caused by a hosting provider using mod_security):
https://www.drupal.org/node/110219


Your httprl_async_function_callback error is a caching configuration issue
in Drupal; not in and of itself a hacking attempt:
https://www.drupal.org/node/2079561


On Tue, Dec 2, 2014 at 1:58 PM, Keith Smith <techlists@phpcoderusa.com>
wrote:

>
>
> Hi,
>
> Last night the LAMP server that serves our Drupal install crashed.  It had
> too may available processes and ran out of memory.  Reduced the number of
> available Apache processes and everything settled down.  Early this morning
> the server crashed again from what looked like a hack attempt. Data center
> directed the offending IP to NULL?? Problem solved.  Server is behaving.
>
> In looking at the log files I find two things that I need help
> understanding.  Please understand I am not a Drupal developer - I am just
> responsible for it....
>
> I'm seeing a bunch of 403 errors for trying to access /node/add - is this
> a new exploit?  What is this?
>
> Also I am seeing lines that contain the following:
>
> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2
> HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/)"
> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1
> HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1
> HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1
> HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1
> HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
> xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2
> HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/)"
>
>
> Any idea what this is?
>
> Thank you so much for your help!!
>
>
> --
> Keith Smith
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>