Alright guys - my server the past two weeks is just freaking ridiculous. It's a Core2Quad Q9300 2.5ghz server with 8gb of ram. It should be fast as hell. I can't move 20 e-mails in my mail client without the server grinding to a complete halt and httpd and mysql going unresponsive. Right now I'm just trying to copy a damned screen shot of the task manager performance tab and it's taking about 3 minutes to paste it - even though the CPU utilization is averaging only 20% at the moment and memory is only 2.5gb.
I restarted WAMP and now it seems to be running smoother. My Outpost firewall, though, didn't show too many connections to the server that it was maxing out.
Here's my ping responses just now while I was typing this - I was watching the firewall connections and I was only having like 60 connections to httpd, 20 connections to mysql, 5-10 to my SmarterTools mail server, and then my remote desktop connection. My network utilization got up to a whole 5% - so it's not that I have too many connections or something. Here's the ping responses:
C:Documents and SettingsBrian>ping mifbody.com -n 99
Pinging mifbody.com [216.245.195.146] with 32 bytes of data:
Reply from 216.245.195.146: bytes=32 time=70ms TTL=115
Reply from 216.245.195.146: bytes=32 time=73ms TTL=115
Reply from 216.245.195.146: bytes=32 time=81ms TTL=115
Reply from 216.245.195.146: bytes=32 time=78ms TTL=115
Reply from 216.245.195.146: bytes=32 time=71ms TTL=115 ....
It would appear there has been a security breach into the server recently. This morning we cleared off a Trojan, and also a new user that had been created on the server.
All of our websites we host (around 200) had been affected. Almost every file had new javascript or links to an .swf, they load in iframes and are very malicious, actually giving any vistor to the site a virus.
I tracked down the embed code that I found in most files appended to the end of each file.
Below shows up in most .asp, .cfm, .html files (no spaces, just can't paste a url in here yet)...
<scRipT s rc=[url] <scRipT sr c=[url]
Below shows up any any .js file (no spaces, just can't paste a url in here yet)...
document.writeln ("<script sr c="[url] document.writeln ("<script sr c="[url]
So I got a script that opens up every file looking for this code and stripping it out. Seemed to work at first, but now all the sites have been rewritten again..... and again. So obviously something is overwriting this.
Server info: Windows 2003 box Dedicated server currently hosted at the planet.
Problem:
It would appear there has been a security breach into the server recently. This morning we cleared off a Trojan, and also a new user that had been created on the server.
All of our websites we host (around 200) had been affected. Almost every file had new javascript or links to an .swf, they load in iframes and are very malicious, actually giving any vistor to the site a virus.
I tracked down the embed code that I found in most files appended to the end of each file.
Below shows up in most .asp, .cfm, .html files (no spaces, just can't paste a url in here yet)...
<scRipT s rc=[url] <scRipT sr c=[url] Below shows up any any .js file (no spaces, just can't paste a url in here yet)...
document.writeln ("<script sr c=[url] document.writeln ("<script sr c=[url]
So I got a script that opens up every file looking for this code and stripping it out.
Seemed to work at first, but now all the sites have been rewritten again..... and again.
Is my server being attacked? Please help. I'm using Linux RedHat el5. Recently, my server down almost at the same time everyday. I try looking in /var/log/messages, it is flooded by this kind of message:
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=430 from=173.66.124.249 Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=437 from=92.84.45.130 Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=439 from=173.66.124.249 Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=440 from=173.66.124.249 Dec 25 22:41:24 ls1 kernel: ip_conntrack: table full, dropping packet.
From the log, at "from=xx.xx.xxx.xxx" are not all the same, but the same ip appeared for a while, then change to another.
I'm newbie to Linux, and donot quite understand what the this message is mean. Is this can be a cause that make my server down? Please suggest.
my friend's server is being attacked, the http processes shoots up causing the server load to go above 200 in minutes of starting httpd which causes server to die.
this is how the apache web server's access_log would log a normal http request; ------------------------------------------------------ "xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /folder/name.gif HTTP/1.1" 200 877 [url]"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" ------------------------------------------------------
Today when the http load increased we saw hundreds of following requests; ------------------------------------------------------ "xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" ------------------------------------------------------
You see the difference between a legitimate http access log entry and the above one is that the legitimate one shows the filename(GET /folder/name.gif) and domain name being requested whereas the second one shows ("GET /?")
Above requests continously originate from 30 to 40 different ip addresses. Most of them russian ips, and many form US and canada to.
When i do a grep "GET /?" in access log there are thousands of these which started just today.
I cannot block each ips because i feel they have hundreds of IPs to initiate these requests from.
I am new here. I have a leased web server and I am getting new pages called "postinfo.html" on every domain along with some javascript code (virus) attached at the end of every webpage on every domain. Does anyone know about this or how to get rid of it and prevent it? I have a sneaky suspicion that it is from a phpbb forum.
There's supposed to be a virus on one of my server (called "cdpuvbhfzz"). Anyone has any idea on how to remove it? What software to install, what do do next. Also, is transferring an infected account on a different machine is also transferring a virus?
I wonder which virus scanner software is useful for Unix server(Centos 4.5). One of my client install SMF forum and when visitors access the forum,their virus scanner warn that site is affected by trojan. I used Clamav to scan entire home directory but seem nothing found.
I had an issue with limestonenetworks over the last 24 hours. My 2 servers went down for 12 hours but when it came back up the separate mysql server would not load?? Somehow the hard drive on that server failed during this upgrade and they cannot retrieve the databases on the server. A database containing over 60,000 members. Through my own undoing I didnt have a recent backup. A cpanel backup was backing up the same old file instead of the updated one.
I would have been happy if the site came back and at least the data was still there. Im just upset that this "network upgrade" has fried my database. From this I get the lesson "You get what you pay for". Im just keeping my fingers crossed that they will be kind enough to make a serious attempt to recover the data or at least let me send it to someone who can.
Does anyone have any suggestions on how to get retrieve data from a linux server hard-drive?
Here are the steps that have been taken so far:
Upon console of the server it was at DISK BOOT FAILURE prompt. We first did the basics and disconnected the server and made sure all connections to the hard disk and motherboard were secure. Upon reboot we checked to see if the BIOS detected the drive which it did. The server still reported disk boot failure. We then rebooted back into the BIOS to make sure the BIOS was set not skipping the hard drive in the boot process.
It was not.
The "recovery tools" we ran was just a basic linux live cd to see if we could get the hard drive detected inside of an operating system. It would not even detect the disk in the machine. We did not perform anything on the drive to cause it to fail. I spoke directly to my manager who was supervising the move and I was told that all servers were shut down cleanly as well as moved safely and securely.
The hard disk is still detected by the BIOS but the hard disk certainly has some internal issues as you can hear a constant buzzing and clicking during POST and after.
I've been with this guys for over 4 months, but for my surprise when I got home today from work just noticed that my server is being "unpluged" for hours.
I did get an e-mail about the outage and was aware about the datacenter move. I am with live chat now waiting for some response and will update soon.
I hope my server did get stolen or lost during the move... and hopefully i will be compesate for this huge downtime.
We have a Windows Server 2003 dedicated, and use the Windows POP3 Service for emails, is there anything that can be plugged in to provide serverside spam/virus protection?
All my websites are down because a Dos attack on port 80. Rackspace basically said they can't do anything to help me unless I want them to install a $1500 a month hardware add on. They tried banning a couple ip addresses and that did not work. They recommended prolexic.com but does anyone have any other advice?
When I had apache my server would die and you couldn't even SSH. Now I have Litespeed my site loads but SUPER SUPER slow.
Last night I was SYN Flooded with 125mbps. Though they consumed nearly all my bandwidth and I owe the DC tons of cash in bandwidth now. I managed to block Russia and the load halved to about 50 and the site was still functional but intermittent.
I have been running Deflate DDoS etc to block IPs.
I'm wondering if I get a load balancer with another box, would this fix my problems?
I heard you can modify the settings somewhere to identify syn attacks and auto block them.
My site is getting attacked since last couple of days and the attacker brings it down in 5-10 minutes.I have to restart the apache webserver to bring it back again until he strike again.
I am trying to secure it as much as possible using .htaccess,i am able to stop almost all the perl/php scripts etc but the last time the hacker attacked the site today,i see 100s of these entries in my logs:
Code: 71.181.220.147 - - [10/Oct/2007:21:44:44 -0700] "GET /templates/template/images/content.png HTTP/1.1" 200 510 [url] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: [url] .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; IEMB3; .NET CLR 2.0.50727; IEMB3)"
I would like to know what is this "Embedded Web Browser from: [url] and how can i block the hacker from running this using .htaccess?
My internet connection started cutting out and I found it strange, I presumed it was with my ISP and so I ignored it as they're pretty crap, then it carried on today so I did some investigation (Turned on error logging for my router) so I go ahead and wait, an hour later my internet connection cuts out, to the logs!
Am I correct in thinking there are multiple IP addresses "Attacking" my home network? If so, that's mighty strange and should I be worried?
I checked some of the IPs, most go to dedicateds around the world. One is a gameserver admin panel. Have these been hijacked and being used to "Attack" me?
I have a theory, be it probably wrong; The port number 28960 is used by Call of Duty 1 as the "default" port for a gameserver, and I play a lot of CoD1. Therefore, presumably, that port is open by our router, 28960, so somehow they've found this to be open and are "attacking" it. I'm not sure, but it seems possible, not sure why though.
192.168.1.103 is presumably ME on our subnet? Router is linksys
Is there a way to determine from monitoring the packets coming in to my IP address what domain on my server is being attacked? Something like Tcpdump maybe can tell me? Having DDoS trouble and I'm trying to identify the domain being hit.
This site has always been prone for attacks on it's servers. At the moment theres been a new owner and so things are not settled back down yet, How ever people are still atacking the site.
The hosting as far as i am aware has no software/hardware firewall i have tould the onwer but has not taken my advice.
This morning i woke up to find it was being attacked, so i went stright to SSH and started blocking them etc.
I was looking around for free Anti DOs tools and came across,
[url]
Seems good, I've only just installed so still need to see the effects.
One of my users posted this in the forum saying my server is scanning his computer. His this serious? Do I have virus? Should i be worried? Well i am kinda worried. I tried googling it, but i can't seem to figure the right keywords for a good result.
The attack is large enough now that the rules I've put in place aren't really helping much. Mod_evasive and mod_security are also installed, however this doesn't appear to be helping much either. The invalid user-agents hitting the site are filling up the max connections and then apache stops responding. I also tried raising the MaxClients in httpd.conf, however the vps then started hitting its memory limit.
I was on a shared plan and they moved me to a VPS same problem Host: urljet.com
I have had one host representative thats said "I think we could take care of you but you would have to use this plan with the firewalls"
We have 2 servers, one running Windows 2003 Enterprise that hosts a ColdFusion app, and one running Windows 2003 Standard that hosts our SQL database that is used by the CF app. Nothing else runs on them.
Does anyone have any suggestions for anti-virus products that we could use on these? I don't want one of those elaborate and expensive "suite" programs. I just need to protect the boxes.
I use Kaspersky on our individual machines, and I really don't care much for Norton anymore.
I've been trying to scour the internet trying to find out more information about this worm, but all I find are millions of sites that are infected with it.
If anyone has any information on this virus h**p://tejary.net/h.js
it looks like it has overwrited everything in the database - ..most of everything - seems like a type of sql injection script.
