Have you added any scripts recently? It is a common problem both with home-made and with off-the-shelf scripts that "objects" to be included in a page are called incorrectly using a URL instead of by using a local filesystem path. In this case, the serve makes a request to itself using HTTP, and that request appears in your log file.

Of course, if you did not add any scripts, then possibly a hacker did.

It is unlikely that someone is spoofing your server's IP address, as this is a non-trivial thing to do, and if done, it is impossible for the attacker to ever receive any responses from your server (because the responses will be sent to your server in response to any request from your server) unless that attacker is injecting the requests inside your hosting company's data center and intercepting the responses there, inside your server's LAN.

Personally, I'd take the site off-line until you have the problem identified. You must balance the temporary risk of revenue loss while fixing the problem against the permanent loss of customers whose computers are infected by your machine if it is currently hosting malware -- and that could be what is causing these bogus requests as well.

The easiest way to take this site off-line would be to point the DNS to another one of your servers, and host a page there that briefly and simply explains why your site is not accessible. If the attacks do not follow to a server with none of your recent scripts in place, then that may tell you something as well... If they do, look at the IP address making those requests -- is it the old or new server?

If that isn't fast enough for you, consider disabling access using code like:

Order deny,allow
Deny from all

or

RewriteRule !^path-to-your-custom-403-error-page\.html$ - [F]

or on Apache 2.x only

RewriteRule !^path-to-your-custom-503-error-page\.html$ - [R=503]

You can of course also deny access by IP address, but these denials will all appear in your server logs -- only firewalling the server or pulling its ethernet cable will actually stop the requests.

The error-page exclusions in the above rules are intended to avoid creating a further self-inflicted DOS attack. Without the exclusions, each real error would trigger another error, then another, etc.

Also, you need a better host if they can't be bothered to help you in any way. In reality, cheap hosting is the most expensive hosting you can buy.

Jim

Thanks for the info. I did recently add a WordPress blog to my site with an SEO plugin which I haven't used before. I'll try disabling those and see what happens. I guess the reason was leaning to it being a denial of service attack is because my provider has experienced several attacks across it's servers in the past few days. They're normally right on top of support requests (15 minutes or less) so I'm thinking they're distracted by the bigger issues right now. I'll drop the WP plugins and watch logs. Maybe it's coming from one of those.

I finally found a text viewer to work with large files. I've narrowed it down to the time I installed the SEO Plugin and also added breadcrumbs to my site. I don't think my breadcrumb script would cause a series of get requests but I'm disabling it, if the issue is still there I'm going to wipe out my WordPress install, review all my php files for modifications, then re-install from scratch. Thanks for putting me on the right track jdMorgan! I'll post what I find out.

Well, I feel like a complete idiot. It turns out the problem was completely caused by my breadcrumb PHP script. The SEO Plugin is innocent and I feel like I just put humanity back one step in evolution by my ignorance.

The difference between a "highly-experienced expert" and a beginner in any field of endeavor is that the highly-experienced expert has made many, many more mistakes than the beginner, and has learned from those mistakes... :)

Glad you found the problem!

Jim