So I took a look at the server status and saw that Server load is high. I checked Mysql-Apache usage and one site was using about 70% of CPU! It was marked red of course.
So I checked raw access log for that user and got this:
CODE
78.47.208.242 - - [12/Aug/2009:14:37:40 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:37:45 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:37:53 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:14 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:21 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:27 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:39 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:40 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:58 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:03 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:08 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:23 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:29 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:41 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
93.174.93.58 - - [12/Aug/2009:14:39:16 +0200] "POST /index.php HTTP/1.1" 200 141369
78.47.208.242 - - [12/Aug/2009:14:37:45 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:37:53 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:14 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:21 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:27 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:39 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:40 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:38:58 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:03 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:08 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:23 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:29 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
78.47.208.242 - - [12/Aug/2009:14:39:41 +0200] "POST /are.na.php HTTP/1.1" 200 6 "-" "Mozilla/3.0 (compatible; TALWinHttpClient)"
93.174.93.58 - - [12/Aug/2009:14:39:16 +0200] "POST /index.php HTTP/1.1" 200 141369
I assume that this is some script doing but how do I locate it and stop it?
