How to stop an attack to a website.

Mario

Verified User
Joined
Dec 18, 2025
Messages
7
Anyone knows how can I stop an attack like this ?

[root@ ~]# tail -f /var/log/httpd/domains/**********************.log | grep facebook
2a03:2880:f800:45:: - - [25/Feb/2026:15:09:29 +0200] "GET /shop/trigonella/genethlialogy28217101683.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:10:: - - [25/Feb/2026:15:09:30 +0200] "GET /shop/flighty/pustulate24476227937.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:45:: - - [25/Feb/2026:15:09:30 +0200] "GET /shop/biurea/bloodstreams5075172122.html HTTP/2.0" 404 12936 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:3f:: - - [25/Feb/2026:15:09:31 +0200] "GET /shop/unenchafed/factitiousness29049135226.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:34:: - - [25/Feb/2026:15:09:31 +0200] "GET /shop/knockings/tasteableness8555880424.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:12:: - - [25/Feb/2026:15:09:32 +0200] "GET /shop/presidiums/impledged9876778204.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:2d:: - - [25/Feb/2026:15:09:32 +0200] "GET /shop/apolysis/paleometeorology86007229342.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:25:: - - [25/Feb/2026:15:09:33 +0200] "GET /shop/bellical/bobbish50751240734.html HTTP/2.0" 404 12936 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:b:: - - [25/Feb/2026:15:09:33 +0200] "GET /shop/comprehensibility/laicises29049145224.html HTTP/2.0" 404 12913 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:13:: - - [25/Feb/2026:15:09:34 +0200] "GET /shop/squidder/rotiferous28217207987.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:11:: - - [25/Feb/2026:15:09:34 +0200] "GET /shop/adustiosis/bokard8555842651.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:2d:: - - [25/Feb/2026:15:09:35 +0200] "GET /shop/nonsynesthetic/sturionian9876760557.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:34:: - - [25/Feb/2026:15:09:36 +0200] "GET /shop/plum/hexabiblos85558184623.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:1a:: - - [25/Feb/2026:15:09:36 +0200] "GET /shop/afterdeck/courtesies85558128809.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:3b:: - - [25/Feb/2026:15:09:36 +0200] "GET /shop/subterrany/disarrangement2821760133.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:1f:: - - [25/Feb/2026:15:09:37 +0200] "GET /shop/refectorary/vasodilatation50751275318.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:33:: - - [25/Feb/2026:15:09:38 +0200] "GET /shop/pontocerebellar/thylacitis50751136437.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:23:: - - [25/Feb/2026:15:09:38 +0200] "GET /shop/browbeater/geisa85558119107.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:43:: - - [25/Feb/2026:15:09:39 +0200] "GET /shop/premaxillary/dorsodynia98767204766.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:31:: - - [25/Feb/2026:15:09:39 +0200] "GET /shop/sandies/chloasma99838180197.html HTTP/2.0" 404 12936 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:15:: - - [25/Feb/2026:15:09:39 +0200] "GET /shop/hermitically/grat5075155842.html HTTP/2.0" 404 12913 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
2a03:2880:f800:39:: - - [25/Feb/2026:15:09:40 +0200] "GET /shop/suddle/unweighableness85558196975.html HTTP/2.0" 404 13101 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"


[root@ ~]# tail -f /var/log/httpd/domains/************.log | grep -v facebook
146.174.185.46 - - [25/Feb/2026:15:10:58 +0200] "GET /shop/bignoniad/smooching28217261270.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.212.0 Safari/532.0"
113.175.4.242 - - [25/Feb/2026:15:10:59 +0200] "GET /shop/seleniums/oophorostomy99838193187.html HTTP/2.0" 404 12936 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.18 (KHTML, like Gecko) Chrome/11.0.660.0 Safari/534.18"
146.174.182.46 - - [25/Feb/2026:15:10:59 +0200] "GET /shop/jealously/obscuration5394767757.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.7 Safari/533.2"
202.76.190.233 - - [25/Feb/2026:15:10:59 +0200] "GET /shop/seeled/cephalocaudal50751264697.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.19 (KHTML, like Gecko) Chrome/11.0.661.0 Safari/534.19"
202.76.171.96 - - [25/Feb/2026:15:10:59 +0200] "GET /shop/selenicereus/lehrsman69022225945.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30"
146.174.161.52 - - [25/Feb/2026:15:11:00 +0200] "GET /shop/billfishes/freebees24476238666.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.860.0 Safari/535.2"
36.255.34.44 - - [25/Feb/2026:15:11:01 +0200] "GET /shop/jellily/hypnotisable99838281571.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows NT 6.0) yi; AppleWebKit/345667.12221 (KHTML, like Gecko) Chrome/23.0.1271.26 Safari/453667.1221"
43.246.200.56 - - [25/Feb/2026:15:11:01 +0200] "GET /shop/sekos/liparian5075182919.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.366.2 Safari/533.4"
202.72.236.223 - - [25/Feb/2026:15:11:02 +0200] "GET /shop/selffulness/extractors24476259649.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.223.1 Safari/532.2"
49.144.143.246 - - [25/Feb/2026:15:11:02 +0200] "GET /shop/bimmeler/lymphoblastosis53947169701.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.790.0 Safari/535.1"
202.76.141.171 - - [25/Feb/2026:15:11:04 +0200] "GET /shop/semiactive/creeker8555839589.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 Safari/535.1"
202.76.143.200 - - [25/Feb/2026:15:11:05 +0200] "GET /shop/biffies/stunpoll86007104318.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/11.0.696.50"
146.174.164.97 - - [25/Feb/2026:15:11:05 +0200] "GET /shop/jessica/sassenach69022240708.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (X11; Linux amd64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.24 Safari/535.1"
102.143.27.249 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/jerque/ascophorous28217129655.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12 GTB7.1"
146.174.182.127 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/jetes/anathematised98767239994.html HTTP/2.0" 404 12936 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ar; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
14.245.248.128 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/jerkier/benjamite5394777284.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.9.2.8) Gecko/20100725 Gentoo Firefox/3.6.8"
202.76.170.54 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/semiblasphemousness/valliculae69022131117.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2"
136.158.56.234 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/semibody/chromule53947116388.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"
146.174.160.138 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/binmen/tisiphone85558130111.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0"
146.174.174.179 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/bioblast/raffaelesque99838273842.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
14.174.100.193 - - [25/Feb/2026:15:11:06 +0200] "GET /shop/jezreelite/bohemian8600778775.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.864.0 Safari/535.2"
146.174.181.52 - - [25/Feb/2026:15:11:07 +0200] "GET /shop/jejunum/lihyanite86007164963.html HTTP/2.0" 404 13101 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100723 Fedora/3.6.7-1.fc13 Firefox/3.6.7"
^C

Blocking the ips in csf does nothing, like they are spoofed or something.
 
Anyone knows how can I stop an attack like this ?

It looks to me as if the site under the question was hacked sometime before and hackers injected pages into the site. Now the site is clean and injected pages are no longer available, but they still try them.

But as all modern engines process virtual addresses over 404 error with a help mod_rewrite, requests to none-existing pages cause PHP+SQL to overload CPU.

If the legal part of the site does not have any address starting with "/shop/" you might simply block all requests to such the address using .htaccess or other available means.
 
Back
Top