Server Is Being DDOS Attacked
Oct 22, 2007I see what IPs are attacking them? OS: CentOS
View 9 Replies
ADVERTISEMENT
Being Attacked - DDOS?
Nov 6, 2007OK well today I found out my server was being DDOS'ed
And I know which domain is being attacked with hundreds of IP's. I am running Cpanel / WHM but I have no idea how I can stop this?
Any ideas or suggestions? Maybe redirect the DNS? to a invalid ip? But I'm not sure how i can go about doing that?
Getting DDos Attacked
May 28, 2008All my websites are down because a Dos attack on port 80. Rackspace basically said they can't do anything to help me unless I want them to install a $1500 a month hardware add on. They tried banning a couple ip addresses and that did not work. They recommended prolexic.com but does anyone have any other advice?
View 14 Replies View RelatedHacked - DDos Attacked, Downtime 1 Week...
Aug 23, 2008The attack is large enough now that the rules I've put in place aren't really helping much. Mod_evasive and mod_security are also installed, however this doesn't appear to be helping much either. The invalid user-agents hitting the site are filling up the max connections and then apache stops responding. I also tried raising the MaxClients in httpd.conf, however the vps then started hitting its memory limit.
I was on a shared plan and they moved me to a VPS same problem
Host: urljet.com
I have had one host representative thats said "I think we could take care of you but you would have to use this plan with the firewalls"
www . liquidweb.com/cart/content/dedicated/Webmaster/Plan1
Server Is Being Attacked
Jul 1, 2009Server info:
Windows 2003 box
Dedicated server currently hosted at the planet.
Problem:
It would appear there has been a security breach into the server recently. This morning we cleared off a Trojan, and also a new user that had been created on the server.
All of our websites we host (around 200) had been affected. Almost every file had new javascript or links to an .swf, they load in iframes and are very malicious, actually giving any vistor to the site a virus.
I tracked down the embed code that I found in most files appended to the end of each file.
Below shows up in most .asp, .cfm, .html files (no spaces, just can't paste a url in here yet)...
<scRipT s rc=[url]
<scRipT sr c=[url]
Below shows up any any .js file (no spaces, just can't paste a url in here yet)...
document.writeln ("<script sr c="[url]
document.writeln ("<script sr c="[url]
So I got a script that opens up every file looking for this code and stripping it out. Seemed to work at first, but now all the sites have been rewritten again..... and again. So obviously something is overwriting this.
Web Server Has Been Attacked
Jul 1, 2009Server info:
Windows 2003 box
Dedicated server currently hosted at the planet.
Problem:
It would appear there has been a security breach into the server recently. This morning we cleared off a Trojan, and also a new user that had been created on the server.
All of our websites we host (around 200) had been affected. Almost every file had new javascript or links to an .swf, they load in iframes and are very malicious, actually giving any vistor to the site a virus.
I tracked down the embed code that I found in most files appended to the end of each file.
Below shows up in most .asp, .cfm, .html files (no spaces, just can't paste a url in here yet)...
<scRipT s rc=[url]
<scRipT sr c=[url]
Below shows up any any .js file (no spaces, just can't paste a url in here yet)...
document.writeln ("<script sr c=[url]
document.writeln ("<script sr c=[url]
So I got a script that opens up every file looking for this code and stripping it out.
Seemed to work at first, but now all the sites have been rewritten again..... and again.
So obviously something is overwriting this.
Server Is Being Attacked
Jun 20, 2007222.216.28.147 - - [20/Jun/2007:06:05:04 -0500] "GET [url]
(compatible; MSIE 6.0; Windows NT 5.0)"
172.131.255.237 - - [20/Jun/2007:04:41:06 -0500] "POST [url]
172.131.255.237 - - [20/Jun/2007:04:41:07 -0500] "CONNECT mx1.mail.yahoo.com:25 HTTP/1.0" 405 303 "-" "-"
Is My Server Being Attacked
Dec 25, 2008Is my server being attacked? Please help.
Is my server being attacked? Please help.
I'm using Linux RedHat el5. Recently, my server down almost at the same time everyday.
I try looking in /var/log/messages, it is flooded by this kind of message:
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=430 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=437 from=92.84.45.130
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=439 from=173.66.124.249
Dec 25 22:41:16 ls1 xinetd[3958]: START: smtp pid=440 from=173.66.124.249
Dec 25 22:41:24 ls1 kernel: ip_conntrack: table full, dropping packet.
From the log, at "from=xx.xx.xxx.xxx" are not all the same, but the same ip appeared for a while, then change to another.
I'm newbie to Linux, and donot quite understand what the this message is mean. Is this can be a cause that make my server down? Please suggest.
Server Being Attacked Via Http
Jun 1, 2007my friend's server is being attacked, the http processes shoots up causing the server load to go above 200 in minutes of starting httpd which causes server to die.
this is how the apache web server's access_log would log a normal http request;
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /folder/name.gif HTTP/1.1" 200 877 [url]"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
------------------------------------------------------
Today when the http load increased we saw hundreds of following requests;
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
------------------------------------------------------
You see the difference between a legitimate http access log entry and the above one is that the legitimate one shows the filename(GET /folder/name.gif) and domain name being requested whereas the second one shows ("GET /?")
Above requests continously originate from 30 to 40 different ip addresses. Most of them russian ips, and many form US and canada to.
When i do a grep "GET /?" in access log there are thousands of these which started just today.
I cannot block each ips because i feel they have hundreds of IPs to initiate these requests from.
My Limestone Server - Virus Attacked Or What?
Jul 23, 2009Alright guys - my server the past two weeks is just freaking ridiculous. It's a Core2Quad Q9300 2.5ghz server with 8gb of ram. It should be fast as hell. I can't move 20 e-mails in my mail client without the server grinding to a complete halt and httpd and mysql going unresponsive. Right now I'm just trying to copy a damned screen shot of the task manager performance tab and it's taking about 3 minutes to paste it - even though the CPU utilization is averaging only 20% at the moment and memory is only 2.5gb.
I restarted WAMP and now it seems to be running smoother. My Outpost firewall, though, didn't show too many connections to the server that it was maxing out.
Here's my ping responses just now while I was typing this - I was watching the firewall connections and I was only having like 60 connections to httpd, 20 connections to mysql, 5-10 to my SmarterTools mail server, and then my remote desktop connection. My network utilization got up to a whole 5% - so it's not that I have too many connections or something. Here's the ping responses:
C:Documents and SettingsBrian>ping mifbody.com -n 99
Pinging mifbody.com [216.245.195.146] with 32 bytes of data:
Reply from 216.245.195.146: bytes=32 time=70ms TTL=115
Reply from 216.245.195.146: bytes=32 time=73ms TTL=115
Reply from 216.245.195.146: bytes=32 time=81ms TTL=115
Reply from 216.245.195.146: bytes=32 time=78ms TTL=115
Reply from 216.245.195.146: bytes=32 time=71ms TTL=115 ....
Being Attacked What Can I Do
May 28, 2008From running smoothly to suddenly going to 900 write requests, my web server crashes.
I don't want to be asking the DC to restart my machine every minute.
They installed Squid which solved the load and seems to run smooth. But my script doesn't function properly as everything is cached.
I then put all my images/css etc on a lighttpd server which can handle all the requests without problems.
So now apache is only handling around 30 php requests per second. But will magically jump up to 600+.
The DC says I'm being syn flooded.
I have APF, deflate DDoS, etc. installed.
Anything else I can do?
If 1 Website Were To Get Attacked
Jun 29, 2009if i were to have 1 website get have a DDoS attack to it, would it knock out my server for a while, and can i recover the server by restarting it?
View 14 Replies View RelatedAttacked By Russia
Jun 11, 2008I have been consistently attacked by Russia.
When I had apache my server would die and you couldn't even SSH. Now I have Litespeed my site loads but SUPER SUPER slow.
Last night I was SYN Flooded with 125mbps. Though they consumed nearly all my bandwidth and I owe the DC tons of cash in bandwidth now. I managed to block Russia and the load halved to about 50 and the site was still functional but intermittent.
I have been running Deflate DDoS etc to block IPs.
I'm wondering if I get a load balancer with another box, would this fix my problems?
I heard you can modify the settings somewhere to identify syn attacks and auto block them.
Site Getting Attacked At Will
Oct 11, 2007My site is getting attacked since last couple of days and the attacker brings it down in 5-10 minutes.I have to restart the apache webserver to bring it back again until he strike again.
I am trying to secure it as much as possible using .htaccess,i am able to stop almost all the perl/php scripts etc but the last time the hacker attacked the site today,i see 100s of these entries in my logs:
Code:
71.181.220.147 - - [10/Oct/2007:21:44:44 -0700] "GET /templates/template/images/content.png HTTP/1.1" 200 510 [url] "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: [url] .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; IEMB3; .NET CLR 2.0.50727; IEMB3)"
I would like to know what is this "Embedded Web Browser from: [url] and how can i block the hacker from running this using .htaccess?
I'm Being DOS Attacked By A Gameserver Company!
Dec 20, 2008My internet connection started cutting out and I found it strange, I presumed it was with my ISP and so I ignored it as they're pretty crap, then it carried on today so I did some investigation (Turned on error logging for my router) so I go ahead and wait, an hour later my internet connection cuts out, to the logs!
Sat, 2008-12-20 22:01:38 - UDP Packet - Source:89.238.152.200,28960 Destination:192.168.1.103,28960 - [Firewall Log-DOS] ....
Am I correct in thinking there are multiple IP addresses "Attacking" my home network? If so, that's mighty strange and should I be worried?
I checked some of the IPs, most go to dedicateds around the world. One is a gameserver admin panel. Have these been hijacked and being used to "Attack" me?
I have a theory, be it probably wrong; The port number 28960 is used by Call of Duty 1 as the "default" port for a gameserver, and I play a lot of CoD1. Therefore, presumably, that port is open by our router, 28960, so somehow they've found this to be open and are "attacking" it. I'm not sure, but it seems possible, not sure why though.
192.168.1.103 is presumably ME on our subnet? Router is linksys
Identify What Domain Is Being Attacked
Mar 20, 2008Is there a way to determine from monitoring the packets coming in to my IP address what domain on my server is being attacked? Something like Tcpdump maybe can tell me? Having DDoS trouble and I'm trying to identify the domain being hit.
View 2 Replies View RelatedSite Being Attacked Hard
Jul 27, 2008I'm Tech admin at Fagex.net
This site has always been prone for attacks on it's servers. At the moment theres been a new owner and so things are not settled back down yet, How ever people are still atacking the site.
The hosting as far as i am aware has no software/hardware firewall i have tould the onwer but has not taken my advice.
This morning i woke up to find it was being attacked, so i went stright to SSH and started blocking them etc.
I was looking around for free Anti DOs tools and came across,
[url]
Seems good, I've only just installed so still need to see the effects.
I also added a block in to htacess which has
Quote:
<ifmodule mod_limitipconn.c>
<cocation />
Maxconnperip 3
NoIPlimit image/*
</location>
</ifmodule>
The server is a dedicated VPS, and the owner has two sites on which both are forums.
What can i do to protect the sites? What can i do to prevent them? What can i do to stop them.
Port Scan Attacked On Users
Apr 14, 2007[url]
[url]
One of my users posted this in the forum saying my server is scanning his computer. His this serious? Do I have virus? Should i be worried? Well i am kinda worried. I tried googling it, but i can't seem to figure the right keywords for a good result.
Being Ddos'd By A U.K Ddos Protection Company - Dragonara.net
Nov 7, 2008it's come under my attention that dragonara.net has been ddosing me today since morning from the ip:
194.8.75.229
What's so ironic about it is that the ip is from a UK DDOS protection site so i'm expecting some email with their services in the next hour or so. Stay clear of them they are fakes and e-terrorists.
Server Getting Ddos
Jul 29, 2006My server is getting ddossed everyday, all are at the same time -> 4 am since tuesday.
Cacti is showing 60~70mbit on that time.
Server 'crashed' on thursday (nearly 70mbit), it got back up but the ips (4 out of 5) were not working. Couldnt ping it. So I gave it a reboot and it worked again.
I used to get alot of Brute Force attacks, after I changed port and not allow root login etc etc on Monday, I dont get any attacks anymore ...
Is My Server Under Ddos
May 9, 2009yesterday untill now my vps is down many times. and i need restart it by hypervm to up it.
today i finde that my bw dicrease 100gb.
i don know whats problem going on.
i thibk that my server is under ddos, but csf.mode securety and apache status. they dont shoe me that i am under ddos
Server Under DDOS
Oct 23, 2008I have a box on LeaseWeb and it now under heavyfire dDos.
It is getting 100Mbps of incoming traffic. It still responsive under ssl and nginx still response.
My server is CentOS 5.
What the steps i should do? Contact my hosting? Installing a firewall?
DDOS :: Someone Is Trying To Attack Our Server
Jul 4, 2006Someone is trying to attack our server (I think so). When running apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n does show any of these IP's. So script blocking ddos attacks wont work. Anyone know what can I do about this?
View 14 Replies View RelatedNeed A DDOS Protected Server
Oct 28, 2009Hello, I want to buy a dedicate server which support DDOS,ACK,SYN .....
I can provide 500usd most
My friend introduce dragonara.net for me, but they don't support world of warcraft website.
Can you introduce one similar with dragonara ?
You can see details of dragonara provide
dragonara.net/ddos-protection.html
protect from all types of DDoS, which can be
TCP SYN Flood
Tribe Flood Network and Tribe Flood Network 2000
TCP SYN-ACK Reflection Flood (DRDoS)
HTTP Flood Attack
ICMP Echo Request Flood
TCP ACK Flood
UDP Flood Attack
UDP Flood Attack (Trinoo)
Features of Dragonara DDoS Mitigation service* Up to 14 Gbit/s or 10,000,000 PPS ddos attack mitigation* Automatic attacks detection* Full transparency, no <click here to continue> links* Multi-Gigabit protection* SEO friendly* ALL TCP BASED PROTOCOLS SUPPORTED (HTTP, SSL, DNS, UDP protocol support)* Load Balancing to the Customer's Server Farm* Advertise your network block /prefix using BGP
Individual 10gb+ DDoS Protection Suite.Full Managed DDoS Protection with 100% uptime guarantee for Corporate clients.We use 95% burstable billing scheme.SLA agreement;1000 mbit/s included (can be upgraded);Web Caching Service (optional);10+ Gig Protection Available;Money Back Guarantee.
Available for Customers - using Dragonara Colocation services- with own remote DC infrastructure. Clean traffic sent using GRE / OpenVPN / IPSec tunnels.We use 95% burstable billing scheme.SLA agreement; 10+ Gig Protection Available;Money Back Guarantee.ASK / 24 hours setup
Server Was Hacked . DDOS
Jun 23, 2007My hosting provider will shut down my server because it was used by a hacker for DoS attacks.
((outging 2090kbits/sec, incoming 29kbits/sec )
Server got Freebsd 6.2 , apache 2.2, php4.4.7 ,ipfw installed
To be more specific, somehow the hacker can upload a script "udp.pl" into the /tmp directory and then execute it through "perl udp.pl".
The script "udp.pl" does mass flooding on the IP they specify.
The header of udp.pl code is attached at the bottom.
After I deleted "udp.pl"
secured /tmp (noexec,nosuid,rw)
chkrootkit/ rootkit hunter, Checked /etc/passwd for new users and users with UIDs of 0 other than root. Checked for the presence of SUID/SGID root files. nothing found.
installed mod_security2
installed Suhosin
Currently Still have lots of outgoing traffic via port 80 (outging 390kbits/sec, incoming 19kbits/sec )
find nothing suspicius process by using "lsof, top" .....
IRC Ddos Protected Server - US
Mar 20, 2008Budget: $120-175. Decent amount of IPs (32+ preferable)
Need it relatively soon.
GodsHost/Awknet is out of stock completely.
Staminus is out of stock except for $700 servers.
Gigeservers has a $150 setup fee that I don't really like, but if desperate, maybe.
Sharktech is **** and there is no way I will even consider them.
DDoS protected meaning nothing too large scale - I just need basic protection against 12 year olds that have pbots.
Any other ideas?
Server DDoS'ed, But How To Know Which Website?
Apr 14, 2009If my server is suffering an attack, how can i filter out and know which website exactly to isolate?
View 10 Replies View RelatedServer Getting Ddos Many Times
Oct 26, 2009i have windows 03 server getting ddosed many times. attack was upto 2gbit so any way to stop it?
Would a higher connection speed/bandwidth limit help? And about load balancing, would more servers help prevent the DDoS?
Is My Server Under DDOs Attack
Feb 2, 2008is this DDOs attack : .....
View 5 Replies View RelatedSoftlayer, My Server Is Under Ddos Attack
Jun 18, 2008my server is being ddosed and the network utilisation is at 40% of 1gpbs
i asked to softlayer to check and they said my programs/services is taking that much bandwidth
any1 can help me?
if my server is under dos attack wat can i do?
because the bandwidth used is about 50gb/hr
DDOS Deflate Block Server IP
Aug 4, 2009i have problem when using ddos deflate for ddos protection in my server,
i get this message,
Quote:
Banned the following ip addresses on Tue Aug 4 13:12:37 WIT 2009
67.21.44.60 with 4011 connections
ddos deflate is blocking my server ip, what's wrong?
: 67.21.44.60 not real my server ip just for sample
