my server got phisihing attack with bankamerica/paypal etc. i wounder because we have tight firewall/security etc. but any way this is teribel. i have found ip when look in to /var/log/messages -
its looks like (?@85.201.19.xxx). is it used anonymos ftp? i found same ip used to log in to another ftp host as well.
Someone is trying to attack our server (I think so). When running apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n does show any of these IP's. So script blocking ddos attacks wont work. Anyone know what can I do about this?
I went today to my apache error log, and noticed that those scum lowlifes hackers trying to hack my server every day for at least 100 times!!!
What a disaster!
Examples of urls they trying to use: - http://usuarios.arnet.com.ar/larry123/safe.txt? - http://uploaded.justfree.com/id.txt? - http://nukedclx.info/php/base
Is there anything that can be done to prevent this mor*** from even trying to hack (except putting a bullet in his/their head)?
I think I'm experiencing some type of alternative to a DDoS attack. My server is being killed by thousands of emails being sent to fake accounts on my server.
I'm not a server administrator, so please bear with me.
My load average is skyrocking to 800.xx at times. I look at "top" and see "exim" for one specific user on my server. I own all the websites on my server, by the way.
When I look at my email queue, I see thousands of emails coming in to accounts that don't exist for that specific user. Let's say the domain name is salcollaziano.com. Somebody is sending spam to various salcollaziano.com aliases that don't exist. Like webmaster -at- salcollaziano.com and suzy -at- salcollaziano.com.
How can I prevent these spam emails from having any interaction with my server? It's causing me a lot of downtime on all the sites I have running on that particular server.
Not sure if it's a valid threat, but I would like to do the best I can to identify one as early as possible.
Can someone maybe give me an idea of what to look for? They were not specific on there type of attack, but I was hoping that there was maybe a log file I could tail and keep an eye out for irregularities.
My server (Xeon 3.0Ghz) went down for no reason yesterday and ever since it was rebooted (and I've rebooted a couple of times since then), pages load extremely slowly or just timeout. Server load is constantly hovering around 1 and top stats indicate that the server's resources are not under heavy load, which is contrary to the usual pattern during peak times.
I've checked netstat and I notice a lot of SYN_RECV. Could this be a DoS attack? If so, what steps do I take to stop it?
My server was hit with flood recently, to the point where I was unable to log in via SSH. Running 'netstat' command showed I was getting flooded with thousands of http requests from China/Saudi Arabia/Korea. I installed APF firewall and added those countries to deny list.
Next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF, I have also installed Dos Deflate. It was working for couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list).
Next day, I was got hit by different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and Dos Deflate running. However my server is not accessible.
When I request, I can log in for couple of minutes, but then I get kicked out.
I have been getting ddossed for the last month, my host has tried many things on my server that are commonly suggested around here, however we have over 40 000 connections hitting the server from this attack and it keeps rising.
I am on LiteSpeed. I also have NetScreen 50 firewall which helped for a little while, however the server still keeps going down.
I am spending $420 a month on my hosting for my dedicated server Now it is costing me an extra $400 a month to have Netscreen firewall running which is a waste of money as it can not effectively keep the server running and i'm not sure if I can even effectively afford that much money a month, however I might need to spend a little more if need to just get the server running finally.
basically I need some options as to what I can do. I would like to stay with my host, they have been good to me, however if my options are better suited to changing then let me know. I just really need to get my server running great asap and to keep it running great when i'm away from the internet.
Today my system which is hosting the site bepenfriends got compramised(win 2k3) and now LT tech guys are working on it to reload the system with a data save. I was not having a hardware firewall which caused this problem. But i had windows firewall, windows malinious software removal tool (defender i haven't installed). I have updated all patches of win2k3 whch was released till today.
Now after restore it will be great work to bring my website back with all those rewritten urls and the softwares and its licenses.
Now please help me out in below stuff.
How to stop further attack and further compramisation of server.
My site is being attacked by what appears to be a dictionary attack on my mail account. They are sending e-mails to random accounts at my domain from random e-mail accounts from somewhere else. Each of their messages is coming from a unique e-mail address and a unique IP address.
Now, we have some dictionary ACL installed that basically blocks any IP address that is caught doing this. So we are blocking tons of IP addresses, but they keep coming at us with new ones. We also have it setup so that the mail is rejected right away for any accounts that aren’t actual e-mail accounts of yours. However, they are hitting the server so hard that it doesn’t seem to be making any difference.
I have a client who's server has got DDOS attack. It causes the network disruption and DC wants to turn off the server. My client feels it stupid to turn off the server just like that.
Ever since Monday morning, my site has had problems because the server at my host is under attack.
Most of Monday my site was down. Then Monday late afternoon, it came back...I thought. The forum is up and running, but the rest of the site, built on WordPress, is screwy.
Most of the plugins aren't working because of inability to connect with the database.
I can't log in to my cPanel at all and haven't been able to since Sunday.
This is the first time I've experienced anything like this, lasting this long.
It has me wondering if I should start considering a new host. I have loved their service, especially their speedy support (native English speaking to boot) so I hate to leave but I'm not sure if their service is going a little downhill or not.
I have a question related DDOS attack. My hosting provider told me that my Server was DDos attacked few days ago. But in those days my server worked fine only apache server was down. The strange fact is that in the same day with this "DDOS attack" one of theyr admins worked something on SSL section of my server and during this operation the SSL hosts were down and httpd worked slow.
Inthe passed 3 months httpd worked very slow and after 2-3 restarts of httpd service the load droped down below 3.00 . I believe theyr httpd service was already with problems and that SSL configuration cause that apache failure in that day with "ddos attack"
I repeat in that day ONLY ssl hosts worked fine and non SSL hosts were down.
It's possibile on DDOS attack that load to be unde 0.5 , SSL hosts to work fine, FTP, Mail and other stuf to work like there is nobody on server (VERY FAST)?
on one my root server runs a DDOS attack, apparently from a Botnet, however all have the same Referer. Who can give me Tipps, how I can prevent the attacks? Preferably evenly stop over the Referer?
I'm sure that i have Trojans and Viruses on my Server but every time i contacted My Company they ask me to pay money and then they will check and scan my server
so is it any Free application which can scan and remove all bad files on my Server? i'm looking for free applications to scan the whole server
My server stop responding, I couldn't access via webmin or ssh, and DNS were not responding, so I have to ask for a reboot and now everything is fine.
Looking at the logs I found this:
Code: Jul 18 19:23:12 server sshd[18484]: Failed password for root from 61.145.196.117 port 56817 ssh2 Jul 18 19:23:12 server sshd[18485]: Failed password for root from 61.145.196.117 port 60227 ssh2 Jul 18 19:23:13 server sshd[18488]: Failed password for root from 61.145.196.117 port 38038 ssh2 Jul 18 19:23:15 server sshd[18493]: Failed password for root from 61.145.196.117 port 49884 ssh2 Jul 18 19:24:30 server sshd[18497]: Failed password for root from 61.145.196.117 port 37929 ssh2 Jul 18 19:25:06 server sshd[18521]: Did not receive identification string from 61.145.196.117 Jul 18 19:25:09 server sshd[18508]: Did not receive identification string from 61.145.196.117 Jul 18 19:25:14 server sshd[18505]: fatal: Timeout before authentication for UNKNOWN Jul 18 19:26:00 server sshd[18509]: Did not receive identification string from 61.145.196.117 And searching that IP on google I found it here: http://www.tcc.edu.tw/netbase/net/in...?fun=240&prd=3
And is flagged as a SSH Attack.
Any ideas why my server stopped working? and how to prevent it?
My site currently in prolong HTTP flood attack since 2 weeks ago. The attack was never stop and for this moment i could only mitigate the attack using my own firewall (hardware).
Since my ISP is not interested to help from upstream, even provide any mitigation services, i could only doing mitigation on my own source or using proxy services alternatively as well, but i've chose to tried on my own. I've tried once on one of well-known mitigation services out there but it seems not fully satisfied me since most of legitimate traffic is blocked from their source.
What i could do now is keep staying alive as well as will not going down on whatever situation becomes worst (but if the attack change to udp attack, i couldn't help myself coz there must be high incoming bandwidth into my network). My network is totaling 10MB last time but since this attack i've been forced to subscribe for 30MB in order to keep balance on the attack.
I've blocked all access except for my country and some other neighbours. If i change policy to allow all countries, the load of firewall will become max and after that hang will hang in less than a minute. I've done load balancing of 4 servers (8GB memory each one) and it seems the condition is getting under control with slight problem of server hang (memory shortage) and very limited keep alive connection.
Now what am i thinking is to buy a router objectively to null route incoming specific IP of countries so i can change my firewall policy to allow all connections as well as to help the firewall itself release its burden halting blocked IP that currently keep hitting itself that could might impact its performance.
Which brands of router is possible doing this thing?
Do you have some other suggestions instead of buying router?
i am just having one issue in one of my highly visited website hangibar.com, its being hosted in softlayer, we are facing synattack too much in this website.
the solution which microsoft given in their website related with tcp/ip registry entry but thing is same , some where and some connections become increases too much over tcp/ip. due to that reason website become very sticky and it stop functioning the execution of sql process, during this issue i have to restart the server to establish a fresh connection.