Keith:  

These are not due to hackers; although if you are running an older version of Drupal or a heavily customized code base, it's a good bet you are targeted.  All phishing, most database encroachments tools and certainly all rogue security scanners include the option to spoof source addresses. Asia is a commonly used spoofed local.  Don't rely on locking out one of these scripts, rather than fix your security issues or upgrade your CMS.

The 403 errors are due to CCK module or configuration for caching ( or can be caused by a hosting provider using mod_security):  https://www.drupal.org/node/110219


Your httprl_async_function_callback error is a caching configuration issue in Drupal; not in and of itself a hacking attempt:
https://www.drupal.org/node/2079561


On Tue, Dec 2, 2014 at 1:58 PM, Keith Smith <techlists@phpcoderusa.com> wrote:


Hi,

Last night the LAMP server that serves our Drupal install crashed.  It had too may available processes and ran out of memory.  Reduced the number of available Apache processes and everything settled down.  Early this morning the server crashed again from what looked like a hack attempt. Data center directed the offending IP to NULL?? Problem solved.  Server is behaving.

In looking at the log files I find two things that I need help understanding.  Please understand I am not a Drupal developer - I am just responsible for it....

I'm seeing a bunch of 403 errors for trying to access /node/add - is this a new exploit?  What is this?

Also I am seeing lines that contain the following:

xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=1 HTTP/1.0" 200 502 "-" "Drupal (+http://drupal.org/)"
xx.xx.xx.xx - - [02/Dec/2014:02:40:32 -0800] "POST /httprl_async_function_callback?count=2 HTTP/1.0" 200 486 "-" "Drupal (+http://drupal.org/)"


Any idea what this is?

Thank you so much for your help!!


--
Keith Smith
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss