AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
I've been tracking DoS/BOT attacks on my Apache server for a few weeks.
A typical attack involves hundreds of requests that result in:
AH00124: Request exceeded the limit of 5 internal redirects due to probable configuration error
appearing in the Apache error_log. Rather than the usual whack-a-mole approach (i.e. blocking IPs and ranges), I turned my LogLevel to debug to see what the requests were.
The debug log shows:
[Sat Apr 18 10:59:29.606673 2026] [core:error] [pid 169552:tid 169552] [client 20.200.222.0:0] AH00124: Request exceeded the limit of 5 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Sat Apr 18 10:59:29.606681 2026] [core:debug] [pid 169552:tid 169552] core.c(3941): [client 20.200.222.0:0] AH00121: r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606684 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606688 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606691 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606694 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606697 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/Ov-Simple1.php
[Sat Apr 18 10:59:29.606848 2026] [ssl:debug] [pid 169552:tid 169552] ssl_engine_io.c(1154): [client 162.158.138.51:11898] AH02001: Connection closed to child 1 with standard shutdown (server domain.com:443)
[Sat Apr 18 10:59:29.660096 2026] [ssl:debug] [pid 169657:tid 169657] ssl_engine_kernel.c(2085): [client 172.71.198.93:13303] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Is this an exploit?
At the moment I'm manually blocking attacks but they are persistent.
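As an added example (not part of the original post), the Python below groups the AH00124 backtrace lines by worker and client and recovers the URI at the far end of each redirect chain. Apache prints the backtrace from the current request back through its predecessors, so the last AH00122 line of a trace is the request that started the chain. The function names are illustrative, and the sample reuses the log lines above plus three constructed lines for client 192.0.2.7.

```python
import re
from collections import Counter

# First 8 lines: from the post (AH00124 message shortened); last 3 (192.0.2.7): constructed.
SAMPLE_LOG = """\
[Sat Apr 18 10:59:29.606673 2026] [core:error] [pid 169552:tid 169552] [client 20.200.222.0:0] AH00124: Request exceeded the limit of 5 internal redirects due to probable configuration error.
[Sat Apr 18 10:59:29.606681 2026] [core:debug] [pid 169552:tid 169552] core.c(3941): [client 20.200.222.0:0] AH00121: r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606684 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606688 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606691 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606694 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/404.shtml
[Sat Apr 18 10:59:29.606697 2026] [core:debug] [pid 169552:tid 169552] core.c(3948): [client 20.200.222.0:0] AH00122: redirected from r->uri = /___proxy_subdomain_cpanel/Ov-Simple1.php
[Sat Apr 18 10:59:29.606848 2026] [ssl:debug] [pid 169552:tid 169552] ssl_engine_io.c(1154): [client 162.158.138.51:11898] AH02001: Connection closed to child 1 with standard shutdown (server domain.com:443)
[Sat Apr 18 10:59:30.100000 2026] [core:error] [pid 169700:tid 169700] [client 192.0.2.7:0] AH00124: Request exceeded the limit of 5 internal redirects due to probable configuration error.
[Sat Apr 18 10:59:30.100010 2026] [core:debug] [pid 169700:tid 169700] core.c(3941): [client 192.0.2.7:0] AH00121: r->uri = /404.shtml
[Sat Apr 18 10:59:30.100020 2026] [core:debug] [pid 169700:tid 169700] core.c(3948): [client 192.0.2.7:0] AH00122: redirected from r->uri = /missing-example.php
"""

LINE = re.compile(r"\[pid (\d+):tid (\d+)\].*?\[client (\S+?):\d+\] (AH0012[1-4]): (.*)")
URI = re.compile(r"r->uri = (\S+)")

def backtraces(lines):
    """Group AH00124 backtraces per worker/client; recover the outermost URI."""
    open_trace, done = {}, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                    # unrelated line (e.g. ssl:debug)
        pid, tid, client, code, msg = m.groups()
        key = (pid, tid, client)        # workers interleave, so key on all three
        if code == "AH00124":           # each overflow starts a new trace
            open_trace[key] = {"client": client, "final": None, "origin": None, "hops": 0}
            done.append(open_trace[key])
            continue
        trace, uri = open_trace.get(key), URI.search(msg)
        if trace is None or uri is None:
            continue
        if code == "AH00121":           # URI being processed when the limit hit
            trace["final"] = uri.group(1)
        else:                           # AH00122/AH00123: one step back up the chain
            trace["origin"] = uri.group(1)
            trace["hops"] += 1
    return done

def summarize(traces):
    # Count overflows per (client, originally requested URI).
    return Counter((t["client"], t["origin"]) for t in traces)

if __name__ == "__main__":
    print(summarize(backtraces(SAMPLE_LOG.splitlines())).most_common())
```

Passing the lines of the server's real error_log (with LogLevel debug enabled) instead of the sample gives a per-client count of the paths that were originally requested.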