Server Being Attacked Via Http

Jun 1, 2007

My friend's server is being attacked: the HTTP processes shoot up, causing the server load to go above 200 within minutes of starting httpd, which causes the server to die.

This is how the Apache web server's access_log would log a normal HTTP request:
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /folder/name.gif HTTP/1.1" 200 877 [url]"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
------------------------------------------------------

Today, when the HTTP load increased, we saw hundreds of the following requests:
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
------------------------------------------------------

You see, the difference between a legitimate HTTP access log entry and the above one is that the legitimate one shows the filename (GET /folder/name.gif) and domain name being requested, whereas the second one shows ("GET /?").

The above requests continuously originate from 30 to 40 different IP addresses. Most of them are Russian IPs, and many are from the US and Canada too.

When I do a grep "GET /?" in the access log there are thousands of these, which started just today.

I cannot block each IP because I feel they have hundreds of IPs to initiate these requests from.


Server Is Being Attacked

Jul 1, 2009

Server info:

Windows 2003 box

Dedicated server currently hosted at the planet.

Problem:

It would appear there has been a security breach into the server recently. This morning we cleared off a Trojan, and also a new user that had been created on the server.

All of the websites we host (around 200) had been affected. Almost every file had new JavaScript or links to an .swf; they load in iframes and are very malicious, actually giving any visitor to the site a virus.

I tracked down the embed code that I found in most files appended to the end of each file.

Below shows up in most .asp, .cfm, .html files (no spaces, just can't paste a url in here yet)...

<scRipT s rc=[url]
<scRipT sr c=[url]

Below shows up in any .js file (no spaces, just can't paste a url in here yet)...

document.writeln ("<script sr c="[url]
document.writeln ("<script sr c="[url]

So I got a script that opens up every file looking for this code and stripping it out. Seemed to work at first, but now all the sites have been rewritten again..... and again. So obviously something is overwriting this.


Server Is Being Attacked

Jun 20, 2007

222.216.28.147 - - [20/Jun/2007:06:05:04 -0500] "GET [url]
(compatible; MSIE 6.0; Windows NT 5.0)"
172.131.255.237 - - [20/Jun/2007:04:41:06 -0500] "POST [url]
172.131.255.237 - - [20/Jun/2007:04:41:07 -0500] "CONNECT mx1.mail.yahoo.com:25 HTTP/1.0" 405 303 "-" "-"


Is My Server Being Attacked

Dec 25, 2008

Is my server being attacked? Please help.

I'm using Linux RedHat el5. Recently, my server goes down at almost the same time every day.
I tried looking in /var/log/messages; it is flooded by this kind of message:


Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=430 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=437 from=92.84.45.130
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=439 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=440 from=173.66.124.249
Dec 25 22:41:24 ls1 kernel: ip_conntrack: table full, dropping packet.

In the log, the "from=xx.xx.xxx.xxx" values are not all the same, but the same IP appears for a while, then changes to another.

I'm a newbie to Linux and do not quite understand what this message means. Can this be a cause of my server going down? Please suggest.


Server Is Being DDOS Attacked

Oct 22, 2007

I see what IPs are attacking them? OS: CentOS


My Limestone Server - Virus Attacked Or What?

Jul 23, 2009

Alright guys - my server the past two weeks is just freaking ridiculous. It's a Core2Quad Q9300 2.5ghz server with 8gb of ram. It should be fast as hell. I can't move 20 e-mails in my mail client without the server grinding to a complete halt and httpd and mysql going unresponsive. Right now I'm just trying to copy a damned screen shot of the task manager performance tab and it's taking about 3 minutes to paste it - even though the CPU utilization is averaging only 20% at the moment and memory is only 2.5gb.


I restarted WAMP and now it seems to be running smoother. My Outpost firewall, though, didn't show too many connections to the server that it was maxing out.

Here's my ping responses just now while I was typing this - I was watching the firewall connections and I was only having like 60 connections to httpd, 20 connections to mysql, 5-10 to my SmarterTools mail server, and then my remote desktop connection. My network utilization got up to a whole 5% - so it's not that I have too many connections or something. Here's the ping responses:

C:\Documents and Settings\Brian>ping mifbody.com -n 99

Pinging mifbody.com [216.245.195.146] with 32 bytes of data:

Reply from 216.245.195.146: bytes=32 time=70ms TTL=115
Reply from 216.245.195.146: bytes=32 time=73ms TTL=115
Reply from 216.245.195.146: bytes=32 time=81ms TTL=115
Reply from 216.245.195.146: bytes=32 time=78ms TTL=115
Reply from 216.245.195.146: bytes=32 time=71ms TTL=115 ....


Being Attacked What Can I Do

May 28, 2008

From running smoothly to suddenly going to 900 write requests, my web server crashes.

I don't want to be asking the DC to restart my machine every minute.

They installed Squid which solved the load and seems to run smooth. But my script doesn't function properly as everything is cached.

I then put all my images/css etc on a lighttpd server which can handle all the requests without problems.

So now apache is only handling around 30 php requests per second. But will magically jump up to 600+.

The DC says I'm being syn flooded.

I have APF, deflate DDoS, etc. installed.

Anything else I can do?


Being Attacked - DDOS?

Nov 6, 2007

OK, well, today I found out my server was being DDoS'ed.

And I know which domain is being attacked by hundreds of IPs. I am running cPanel / WHM but I have no idea how I can stop this.

Any ideas or suggestions? Maybe redirect the DNS to an invalid IP? But I'm not sure how I can go about doing that.


If 1 Website Were To Get Attacked

Jun 29, 2009

If I were to have 1 website get a DDoS attack, would it knock out my server for a while, and can I recover the server by restarting it?


Getting DDos Attacked

May 28, 2008

All my websites are down because a Dos attack on port 80. Rackspace basically said they can't do anything to help me unless I want them to install a $1500 a month hardware add on. They tried banning a couple ip addresses and that did not work. They recommended prolexic.com but does anyone have any other advice?


Attacked By Russia

Jun 11, 2008

I have been consistently attacked by Russia.

When I had apache my server would die and you couldn't even SSH. Now I have Litespeed my site loads but SUPER SUPER slow.

Last night I was SYN Flooded with 125mbps. Though they consumed nearly all my bandwidth and I owe the DC tons of cash in bandwidth now. I managed to block Russia and the load halved to about 50 and the site was still functional but intermittent.

I have been running Deflate DDoS etc to block IPs.

I'm wondering if I get a load balancer with another box, would this fix my problems?

I heard you can modify the settings somewhere to identify syn attacks and auto block them.


Site Getting Attacked At Will

Oct 11, 2007

My site has been getting attacked for the last couple of days and the attacker brings it down in 5-10 minutes. I have to restart the Apache web server to bring it back again until he strikes again.

I am trying to secure it as much as possible using .htaccess. I am able to stop almost all the perl/php scripts etc., but the last time the hacker attacked the site today, I saw 100s of these entries in my logs:

Code:
71.181.220.147 - - [10/Oct/2007:21:44:44 -0700] "GET /templates/template/images/content.png HTTP/1.1" 200 510 [url] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: [url] .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; IEMB3; .NET CLR 2.0.50727; IEMB3)"

I would like to know what this "Embedded Web Browser from: [url]" is and how I can block the hacker from running this using .htaccess.


I'm Being DOS Attacked By A Gameserver Company!

Dec 20, 2008

My internet connection started cutting out and I found it strange, I presumed it was with my ISP and so I ignored it as they're pretty crap, then it carried on today so I did some investigation (Turned on error logging for my router) so I go ahead and wait, an hour later my internet connection cuts out, to the logs!

Sat, 2008-12-20 22:01:38 - UDP Packet - Source:89.238.152.200,28960 Destination:192.168.1.103,28960 - [Firewall Log-DOS] ....

Am I correct in thinking there are multiple IP addresses "Attacking" my home network? If so, that's mighty strange and should I be worried?

I checked some of the IPs, most go to dedicateds around the world. One is a gameserver admin panel. Have these been hijacked and being used to "Attack" me?

I have a theory, be it probably wrong; The port number 28960 is used by Call of Duty 1 as the "default" port for a gameserver, and I play a lot of CoD1. Therefore, presumably, that port is open by our router, 28960, so somehow they've found this to be open and are "attacking" it. I'm not sure, but it seems possible, not sure why though.

192.168.1.103 is presumably ME on our subnet? Router is linksys


Identify What Domain Is Being Attacked

Mar 20, 2008

Is there a way to determine from monitoring the packets coming in to my IP address what domain on my server is being attacked? Something like Tcpdump maybe can tell me? Having DDoS trouble and I'm trying to identify the domain being hit.


Site Being Attacked Hard

Jul 27, 2008

I'm Tech admin at Fagex.net

This site has always been prone to attacks on its servers. At the moment there's been a new owner and so things are not settled back down yet; however, people are still attacking the site.

The hosting, as far as I am aware, has no software/hardware firewall. I have told the owner but he has not taken my advice.

This morning I woke up to find it was being attacked, so I went straight to SSH and started blocking them etc.

I was looking around for free anti-DoS tools and came across,

[url]

Seems good, I've only just installed so still need to see the effects.

I also added a block into .htaccess which has

Quote:

<IfModule mod_limitipconn.c>
<Location />
# At most 3 simultaneous connections per client IP; image/* responses are exempt
MaxConnPerIP 3
NoIPLimit image/*
</Location>
</IfModule>

The server is a dedicated VPS, and the owner has two sites on which both are forums.

What can I do to protect the sites? What can I do to prevent them? What can I do to stop them?


Port Scan Attacked On Users

Apr 14, 2007

[url]

[url]

One of my users posted this in the forum saying my server is scanning his computer. Is this serious? Do I have a virus? Should I be worried? Well, I am kinda worried. I tried googling it, but I can't seem to figure out the right keywords for a good result.


Running FTP And HTTP Server From PC

Oct 21, 2007

I am trying to install an FTP server on my computer so that I can simply log in to my own computer to grab important files at work... since carrying a laptop and losing flash drives are becoming annoying.

In my home computer I have Linksys Router, and Verizon as my ISP (blocks port 80, 21 I believe).

Since Verizon blocks those ports the configuration has become a nightmare.

Using BulletProof FTP Server I made the FTP Server listen to port 5000. And in my router's forwarding section I opened the port 5000, and made it listen to 192.168.1.100 (Port Range Forwarding, TCP UDP both).

I did the same for my Apache server and made it to work with port 443.

When I access [url] the web server loads up fine.

But when I try [url] it doesn't load up, where 1.2.3.4 is my IP.

When I visit just my IP in the web browser, it loads up the Router Configuration page.

And the FTP server doesn't connect when I try with the


Hacked - DDos Attacked, Downtime 1 Week...

Aug 23, 2008

The attack is large enough now that the rules I've put in place aren't really helping much. Mod_evasive and mod_security are also installed, however this doesn't appear to be helping much either. The invalid user-agents hitting the site are filling up the max connections and then apache stops responding. I also tried raising the MaxClients in httpd.conf, however the vps then started hitting its memory limit.

I was on a shared plan and they moved me to a VPS; same problem.
Host: urljet.com

I have had one host representative that said "I think we could take care of you but you would have to use this plan with the firewalls"

www . liquidweb.com/cart/content/dedicated/Webmaster/Plan1


How To Detect Is It Domain Name Server (DNS) Or Http Down?

Aug 1, 2009

If I put domain.com on an uptime checker and downtime is detected, downtime will be reported if DNS is down or if the HTTP server is down. So the question is: what do I need to do to see what exactly went down? For network uptime I can ping the IP address, but for these two I really don't know.


Best Http Software For Image Server

May 11, 2009

I need to find out what would be the best software to run an image website for one of my clients, there is only one domain so I've considered using LiteSpeed Standard (Free)... What server do you think would be the best?

All I need is PHP support for the image viewer software.

Apache

Lighttpd

LiteSpeed

nginx


How Can I Http Access A Server Without A Domain

Mar 10, 2008

I've setup a dedicated server that is currently running with a domain bound to it. However this time I want to setup a centos 5.1 + latest apache 2 + bind 9 server that can only be connected to by IP address and doesn't have a domain name. So what do I need to modify in the below files to do so:

First of all, will I even need bind at all? I already have it set up and (mis-)configured, but I guess if I don't need it I can just take it off of autostart and stop the process "named".

Named.conf

options {
pid-file "/var/named/chroot/var/run/named/named.pid";
directory "/var/named/chroot/var/named";
query-source address * port 53;
allow-query { any; };
allow-transfer { };
recursion no;
notify no;
version "unknown";
};

logging {
category default { null; };
};

zone "server.domain.com" { type master; file "server.domain.com.db"; };
I don't even want the zone have domain.com in its name but that's just there so I could show you how I'd include server.domain.com.db.

server.domain.com.db

$TTL 14400
@ IN SOA ns1.domain.com. root.server.domain.com. (
2007052503
14400
3600
1209600
86400 )

server.domain.com. 14400 IN NS ns1.domain.com.
server.domain.com. 14400 IN NS ns2.domain.com.

localhost 14400 IN A 127.0.0.1
www 14400 IN A 78.129.174.164
I'm not sure what to do about those references to domain.com here, they shouldn't be needed but without them I don't know what to put here. ^^
Obviously I can't use those nameservers...

resolv.conf

nameserver 127.0.0.1
nameserver 78.129.143.155
nameserver 87.117.198.200
nameserver 87.117.196.200
The only thing missing from this file is "search domain.com" at the top, is that needed even though I won't really have any domains used by this server?

/etc/hosts:

# Do not remove the following line, or various programs
# that require network functionality will fail ....


Litespeed Http Server Review

Jun 28, 2007

So for the last few months I have been trying like crazy to tweak Apache or find a better HTTP setup, such as running lighttpd with Apache, etc. I have been frustrated by the way Apache easily fork bombs under any decent load or DoS attack. You get about 100 bots all making 30+ connections apiece on Apache and it kills it.

Bot kids have adapted to DDoS protection and connection flooding banning by sending low bandwidth attacks that do not make enough connections to get banned if you do have protection; it's real low bandwidth incoming but is like a massive vampire attack outgoing. And it destroys Apache no matter what you do, what modules you have, etc. You basically have to go in and manually ban or set your connection tracking limit down to where it starts banning regular users too.

So I saw on here somewhere someone recommending litespeed to someone, so I went and checked it out and was amazed by the performance. I installed the trial enterprise in a p4 server I have been having problems out of lately, crashing all because of a busy site, and I installed it in my main server.

The only thing I needed to do was compile my own php5 for it, which is real easy via their wiki instruction. After a few snags here and there I finally got it working tip top on both servers, both of which are cpanel.

So with the p4 that was always crashing and keeping high load, we would end up having to remote reboot that box almost once a week, not due to any misconfiguration or wrong setup; it just couldn't take all that Apache usage and would die. We instantly noticed a difference with litespeed. The average load used to be about 1-2 always; with litespeed the average stayed about ..2 even under heavy traffic. So this was a big improvement and we have not had to reboot that box since.

My main server which I take my high risk clients on, core2duo 2.4. I thought there for a Lil bit the sites were starting to outgrow the server as its average load always was around 1 which was fairly acceptable seeing the traffic it gets so normal for Apache.

During the low bandwidth ddos attacks I would have to go in and manually ban as well as setting connection limit way down just to keep it from lagging, most of the time it still did. So I was really wanting to do something for this server to optimize http without upgrading, because it seems most of your hardware upgrades are to suit Apache anyway.

So I installed litespeed on my main server, ran into a few snags here and there but eventually got it under control. Just the last few days I got to see it put to the test.

I took on a client who was being extorted by a ddoser who recently got him kicked off his previous host. So as soon as DNS resolves, here comes the crapstorm. A low bandwidth HTTP attack; a lot got by the DDoS firewall on the network level, which these are hard to stop because they are so similar to a legit user.

So I started getting hundreds of csf connection tracking blocked emails; I was checking the site periodically and it loaded fine. So I logged in the box, looked at the load.

Was at .24. When I did the netstat command there were hundreds of syns coming in and about 250 IPs all connected about 50 times; this would normally kill Apache no matter what CPU/RAM and all that you have. So I set connection tracking down to a reasonable level, 60 connections, and I figured I would just let them get themselves banned. Looking in the live stats in the litespeed admin panel, which is real cool BTW, I was seeing about 400 requests a second. This was eating a lil bandwidth, all outgoing, as that is how the attack works, like a massive vamp attack. So about 2000 connection tracking emails later finally gets 'em all banned. The entire time the load on that box never even got to 1!

So I'm pretty much amazed how fast and light this HTTP server is. And especially how well it handles DoS. I about know for a fact even if you were on a non-protected network it could handle as much HTTP as your pipe will give it, and do all this at a low resource load.

This will end up saving me money on hardware upgrades in the future as well. Long review, long story, but I have been so amazed by this HTTP server I had to make a review on it. I'm sure some geniuses will try to say "If you do this and that with apache you can make it just as good". But check it out for yourselves and see.


All Http Requests To My Server Redirected

Oct 8, 2007

There seems to be some problem with my server: none of the websites hosted on my server are accessible; the HTTP requests either return a blank page or a page with a red square on the upper left hand corner.

I am not sure if this is some kind of infection or DNS problem or a problem with the memory Apache is taking up, as I have thousands of virtualhost entries in my access log accumulated over the years, out of which only a few 100 websites I am serving presently, but I never deleted the non-existent virtualhost blocks.

At times the websites are opening but most of the time they are not. And when they do not open, my HTTP requests are not logged in the Apache access log.

Even the customers have reported the same problem.

Also, just four days back I had a strange issue where all HTTP requests to my server would take me to [url].

I can SSH to the server, and everything else is working fine.


Uploading Http Links To Ftp Server

Aug 29, 2007

Tried to download files from HTTP links to my FTP server. I looked all over the forums but could not find any services. Google spat out this one: [url] Well, it really does help to upload HTTP links to an FTP server and move files from one FTP server to another. Does anyone know other services or free scripts that help to do this?


HTTP 500 - Internal Server Error In IIS V 5.1

Mar 15, 2007

I'm using IIS v5.1 on WinXP SP1 and I encountered this error (Page cannot be displayed.....HTTP 500 - internal server error) all of a sudden. Now, I've been using my web server with no hitches, but now I can't open any pages on the server that run server-side scripts, so I reinstalled it and still get the same "Page cannot be displayed" or I get part of the source code for the server-side script. Pinging the server shows that it's OK; it replies. And regular pages with no scripts still run with the HTTP protocol in the address. Any ideas on how to get past this problem?


Apache :: Possible To Do P2V Migration Of HTTP Server 2.2

Jun 27, 2013

its possible to do a P2V migration of a Apache http server 2.2

Present environment:

Windows 2003
Apache http server 2.0.63

There are 2 webservers (running Apache) for load balancing. The backend server runs an application which uses an oracle database. Is a P2V migration of the web servers possible?


How To Setup The Apache Server To Allow Http Downloading

Sep 22, 2009

I installed Apache, MySQL, and PHP on my Windows Vista laptop, and want to test HTTP downloading. This means when selecting a file (for example, contact.php) from a page, and then clicking download, it will be downloaded to my desktop.

Do we need to install any other software to do that?


HTTP To HTTPS Redirect On Zeus Web Server

Jun 16, 2009

I have done this with .htaccess on Apache, but I am looking to do an HTTP to HTTPS redirect for all requests on a Zeus server using rewrite.script.

What I want basically is that all requests to [url] go to [url]


Displaying Server Load Average Through HTTP

Nov 26, 2008

to display the server load average through HTTP. How may I do that?

Please note that I have all insecure functions disabled, such as exec, system, etc... But I have root access.


Server Slowdown/crash Due To HTTP Request

Jun 13, 2008

I have a Linux server running some reasonable setups:

Opteron 180, 4 GB RAM, running 8x 36gb 15k scsi with hardware raid 10 -- this is one of the servers from WebNX advertised here not long ago

Running CentOS 4(?), Apache2/MySql 4/PHP5.2, the normal stuff.

I have only one main site on the server, which runs a pretty old PostNuke CMS in Chinese (0.7.2.3 Phoenix) + PNphpBB2 + Gallery 1.5.7 (all integrated into PostNuke). This site is pretty light in "human" traffic, getting about 20K hits per day.

Now, the problem I have noticed with this site, is related to the many MP3 files stored in the Gallery albums. There are lots of HTTP requests to these files, most maybe from Chinese search engine bots (judging from IP), that slows the server to a crawl and even crashes Apache. This happens in the late hours here when it's day time in China. As a matter of fact I just did a reboot, and in 5 minutes there are more than 1000 HTTP requests to MP3 files resulting in a traffic of 2.1+ Gb. So within minutes, the server is brought to its knees again and I can't even get the "apache status" from CPanel now: "Unable to retrieve apache status".

The company that manages the server for me said there's no security problem here. We have installed an Apache extension to limit the number of simultaneous requests to media files to 1. However that doesn't seem to help.
