How To Stop Further Attack And Further Compromise Of Server
Jan 10, 2007
Today my system which is hosting the site bepenfriends got compromised (Win 2k3) and now LT tech guys are working on it to reload the system with a data save. I did not have a hardware firewall, which caused this problem. But I had Windows Firewall and the Windows Malicious Software Removal Tool (Defender I haven't installed). I have updated all patches of Win2k3 which were released till today.
Now after the restore it will be great work to bring my website back with all those rewritten URLs and the software and its licenses.
Now please help me out with the below.
How to stop further attack and further compromise of the server.
View 9 Replies
Jul 7, 2009
My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of HTTP requests from China/Saudi Arabia/Korea. I installed the APF firewall and added those countries to the deny list.
The next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF, I have also installed DoS Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list).
The next day, I got hit by a different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and DoS Deflate running. However my server is not accessible.
When I request it, I can log in for a couple of minutes, but then I get kicked out.
View 9 Replies
May 9, 2007
Before, when they attacked my site I couldn't stop them. Now I can, but I have to monitor the server all the time and execute this program:
Code:
#!/bin/bash
# Collect the list of IP addresses connected to port 80, with a connection count per address
netstat -plan | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1 > /root/iplist
# Limit on the number of connections allowed per IP
LIMIT=5
for ip in $(awk '{print $2}' /root/iplist); do
    # Look up the count for exactly this address (a plain grep would also match 1.2.3.4 inside 1.2.3.45)
    COUNT=$(awk -v ip="$ip" '$2 == ip {print $1}' /root/iplist)
    if [ "$COUNT" -gt "$LIMIT" ]; then
        echo "More than $LIMIT connections from $ip... $COUNT connections... Blocking $ip"
        # Save the running rules so the "already blocked" check below sees them
        /etc/rc.d/init.d/iptables save > /dev/null
        # Never block one of the server's own addresses
        if /sbin/ifconfig | grep -Fw "$ip" > /dev/null; then
            echo " Sorry, the ip $ip cannot be blocked since this is a local ip of the server "
        elif grep -Fw "$ip" /etc/sysconfig/iptables | grep DROP > /dev/null; then
            echo " Ipaddress $ip is already blocked "
        else
            iptables -I INPUT -s "$ip" -j DROP
        fi
    fi
done
It blocks any address that has more than 5 connections.
My problem now is that when I leave my PC and come back, my server can't respond.
I used this to make it run every minute:
Code:
SHELL=/bin/sh
0-59/1 * * * * root /root/ddos/blockip5.sh >
and put it in /etc/cron.d/anti-ddos.cron
Is there any advice about it? To make it work all the time, not every minute, like every 5 seconds.
I found that when I leave my PC and come back to run this script, I can't log in to the server; I have to reboot it and then log in again.
This message came from support:
In the past 12 Hours we have seen a maximum of #35 mbps and an average of 12 mbps of malicious traffic being sent to your server
I am using APF and also I use DDoS-Deflate version 0.6 and mod_evasive.
Any more advice? They have kept attacking me for more than 1 month, 24 hours a day.
View 3 Replies
Mar 24, 2009
Server - Windows 2003, IIS, Windows Mail
I am undergoing a heavy SMTP attack if I accept all connections in the RELAY setting of SMTP.
If I grant access only to the server IP, then the attack stops, but all emails sent start bouncing back to me, as relay failed.
View 6 Replies
Feb 6, 2008
Recently, some of our Linux/cPanel servers got hacked (not rooted) by using the following code (method):
#!/usr/bin/perl
symlink ("/home/USER/config.php","/home/USER2/test.txt");
The hacker just executes the perl file, and then he calls the "test.txt" file through Internet Explorer, and it's done, he can read the file easily!
We tried to:
1- run PHP as a CGI module.
2- run the suPHP module.
3- run PHP as an Apache module.
4- enable open_basedir and safe_mode.
But the hacker still can bypass the system!
The only solution is to disable /usr/bin/perl, chmod it to 700, but that caused a broken cPanel!
As it requires it to be at 755 for proper operation, since it is used by customers as well when it suexecs into the user when they log into cPanel, we cannot change it to that setting (700), since it breaks the entire system.
So is there any way to stop the "symlink" perl function?
Any way to stop this attack method?
View 14 Replies
Jul 14, 2008
How can I stop spammers on my server?
My control panel is cPanel!
What software must I install?
View 4 Replies
Jan 10, 2007
As many of you know, FreeBSD is a stable system... I have many other FreeBSD servers (with the same kernel as this one) that don't have problems, but this server keeps rebooting once or twice a day (EVERY DAY).
It's just a reboot... something very very similar to someone pushing the reset button.
1) messages, security, auth or dmesg have no entries just before the reset, so the kernel is not aware the server is rebooting
2) the server comes back after around 10 minutes (reboot time + fsck)
This has been happening for a long time, so I compiled a new kernel... and the problem didn't stop.
I requested the datacenter techs to replace hardware and they told me everything was replaced: motherboard, CPU, memory... and yesterday also the power supply.
So I have no other idea on what to do.
In fact I have one... setting a nobreak on this server's power supply for 2 or 3 days to see if the problem stops, but the datacenter didn't like this idea.
View 10 Replies
May 5, 2009
I've recently had problems where customers will upload PHP scripts that seem to use a lot of CPU. I've got PRM installed but when a PHP script uses a lot of CPU, it doesn't seem to kill the processes or do anything to stop it crashing the server. I've checked the logs of PRM and it does kill some processes that use a lot of CPU/RAM though...
The ideal solution would be for PRM or something else to stop people being able to access the script causing excessive CPU/RAM usage. Even suspending for the reason of using excessive CPU/RAM would be sufficient.
For those interested, the OS is CentOS 5.3 with cPanel 11, Apache and the latest PHP 5. Average load is always between 0.50 and 1.90.
View 4 Replies
Mar 30, 2009
In the last 2 weeks the spam mail sent to external users using our mail accounts has increased.
So a user receives spam believing that it was sent from our sites.
I think the best method is to create a TXT record in DNS, but I have many doubts about how to proceed.
Looking at one of the e-mails bounced back to our mail server, I see that the emails are sent via Outlook.
This is an example of the emails: ...
View 7 Replies
Nov 18, 2008
My server had been crashing for a while with a Blue Screen of Death (BSOD) and bug check error code Stop 0x00000050 PAGE_FAULT_IN_NONPAGED_AREA.
It would literally stop my business till I rebooted it again.
So I tried to pull up all the information I could get and fix this.
Here is what I found:
Possible causes:
A faulty driver recently installed
Faulty RAM
Antivirus
Corrupted NTFS file system
I checked the system logs and found errors related to NTFS. Well, my disk needed a chkdsk /r /f to fix this.
Ran it at the command prompt and since it required a reboot to fix the system drive (C:), had to reboot. Came back successfully.
It has been 14 days and it has not recurred.
View 2 Replies
Dec 6, 2008
I am getting hundreds of these in my mail log each day, trying different names etc., and want to put a stop to them and auto-ban the IPs.
I have APF.
View 2 Replies
May 21, 2008
If your server is blocking Googlebot from finding your robots.txt file, how do you configure your firewall to unblock it?
I've searched through Google and I've seen many people just say your firewall is blocking it, but none mention how to really stop it from doing that. Like does Google have an IP it uses, and if so, what is the IP you should whitelist for your server?
As I keep getting that message: Network unreachable: robots.txt unreachable
and I'm sure it's due to a firewall issue, I just have no idea how to fix that.
View 5 Replies
Jul 2, 2009
My server is currently under attack. I have been able to keep it up, but after I ban 500 IPs, I get a lot of different IPs again.
Any idea or suggestion on how to mass-ban those attacking IPs?
tcp 0 0 xxx.xx.xxx.xxx:80 190.87.128.59:3965 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 82.115.52.10:2323 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 90.148.137.56:21094 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 189.237.35.155:57605 ...
View 14 Replies
Jul 4, 2006
Someone is trying to attack our server (I think so). When running apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n doesn't show any of these IPs. So a script blocking DDoS attacks won't work. Anyone know what I can do about this?
View 14 Replies
Aug 22, 2007
I went today to my Apache error log, and noticed that those scum lowlife hackers are trying to hack my server every day at least 100 times!!!
What a disaster!
Examples of URLs they try to use:
- http://usuarios.arnet.com.ar/larry123/safe.txt?
- http://uploaded.justfree.com/id.txt?
- http://nukedclx.info/php/base
Is there anything that can be done to prevent this mor*** from even trying to hack (except putting a bullet in his/their head)?
View 14 Replies
Nov 7, 2009
Two of my websites on the server were changed by hackers. How did they do it?
View 7 Replies
Nov 3, 2009
I got a botnet attack on my web server... is there anything I can do to block these attacks? My host isn't helping much.
View 4 Replies
Oct 22, 2009
How to protect a Linux dedicated server from bot attack? I'm using a Linux server with cPanel, using CSF firewall + DOS Deflate.
View 5 Replies
May 17, 2009
How can I check the server for a DoS/DDoS/SYN attack?
Because my server load is high and performance is low, but I don't have any high process.
View 5 Replies
Feb 2, 2008
Is this a DDoS attack: .....
View 5 Replies
Jan 31, 2008
I think I'm experiencing some type of alternative to a DDoS attack. My server is being killed by thousands of emails being sent to fake accounts on my server.
I'm not a server administrator, so please bear with me.
My load average is skyrocketing to 800.xx at times. I look at "top" and see "exim" for one specific user on my server. I own all the websites on my server, by the way.
When I look at my email queue, I see thousands of emails coming in to accounts that don't exist for that specific user. Let's say the domain name is salcollaziano.com. Somebody is sending spam to various salcollaziano.com aliases that don't exist. Like webmaster -at- salcollaziano.com and suzy -at- salcollaziano.com.
How can I prevent these spam emails from having any interaction with my server? It's causing me a lot of downtime on all the sites I have running on that particular server.
View 14 Replies
Nov 27, 2008
Not sure if it's a valid threat, but I would like to do the best I can to identify one as early as possible.
Can someone maybe give me an idea of what to look for? They were not specific on their type of attack, but I was hoping that there was maybe a log file I could tail and keep an eye out for irregularities.
View 10 Replies
Aug 8, 2007
My server got a phishing attack with bankamerica/paypal etc. I wonder, because we have a tight firewall/security etc., but anyway this is terrible. I have found the IP when looking into /var/log/messages -
it looks like (?@85.201.19.xxx). Is it using anonymous FTP? I found the same IP used to log in to another FTP host as well.
View 5 Replies
Nov 17, 2007
My server (Xeon 3.0GHz) went down for no reason yesterday and ever since it was rebooted (and I've rebooted a couple of times since then), pages load extremely slowly or just time out. Server load is constantly hovering around 1 and top stats indicate that the server's resources are not under heavy load, which is contrary to the usual pattern during peak times.
I've checked netstat and I notice a lot of SYN_RECV. Could this be a DoS attack? If so, what steps do I take to stop it?
View 1 Replies
Nov 19, 2007
I'm having a very odd problem with one of my Linux (CentOS) cPanel servers: all the server's services (http, ssh, mail, dns, etc.) stop responding but the server still responds to ping.
I can't find anything wrong at all in the log files either, and the technicians that manually restart the server have told me that there is no indication of a problem on the screen.
I suspected a hardware issue and had the data center techs run a hardware test on the server, but everything cleared OK.
This issue started a couple of weeks ago; no major upgrade or install took place when it started happening. From what I can see the halts are completely random, sometimes it goes for days without it happening and sometimes it happens just hours after the reboots.
View 14 Replies
Jun 18, 2008
My server is being DDoSed and the network utilisation is at 40% of 1Gbps.
I asked SoftLayer to check and they said my programs/services are taking that much bandwidth.
Can anyone help me?
If my server is under a DoS attack, what can I do?
Because the bandwidth used is about 50GB/hr.
View 10 Replies
Feb 16, 2008
I have been getting DDoSed for the last month. My host has tried many things on my server that are commonly suggested around here, however we have over 40 000 connections hitting the server from this attack and it keeps rising.
I am on LiteSpeed.
I also have a NetScreen 50 firewall which helped for a little while, however the server still keeps going down.
I am spending $420 a month on my hosting for my dedicated server.
Now it is costing me an extra $400 a month to have the NetScreen firewall running, which is a waste of money as it cannot effectively keep the server running, and I'm not sure if I can even afford that much money a month; however I might need to spend a little more if needed to just get the server running finally.
Basically I need some options as to what I can do. I would like to stay with my host, they have been good to me, however if my options are better suited to changing then let me know. I just really need to get my server running great ASAP and to keep it running great when I'm away from the internet.
View 7 Replies