Web Hosting Talk

Help! My server is being attacked!


arrty
08-04-2001, 02:34 AM
Hi guys,
I would really appreciate it if someone helps me solve a mystery. I have a Cobalt Raq3 and have noticed that in the past one hour I have received 10 hits per second from this IP address 24.4.254.195. I don't know what this person is trying to do but he is visiting the same webpage (on my server) a thousand times and counting. Could you please tell me what to do about it and if it is a big danger.

Thanks in advance.

----------
added:
----------
This guy has been loading a webpage from my server for more than an hour now. Please help me block and secure my server from such attacks. I still have no clue as to why he is doing this and what he intends to do.

webbcite
08-04-2001, 02:45 AM
Open a telnet session and do the following:

1. /sbin/route add -host 24.4.254.195 reject

This will block the ip from your route table.

2. add the following line to your /etc/hosts.deny file:

ALL: 24.4.254.195

Using these two commands will block the IP from services...unfortunately I don't believe it will block port 80 webserver.

Maybe someone else might have some ideas?

arrty
08-04-2001, 02:51 AM
I'll try that.


thanks

arrty
08-04-2001, 02:59 AM
webbcite,
I followed your instructions but the http requests are still coming in.

Thanks

Please, does anyone else have a solution to this? And is it serious?

Steve33
08-04-2001, 04:19 AM
That IP resolves to proxy2-external.alntn1.tx.home.com
I would say it is a definite attack.

For now until you get better advice I would simply deny them by adding the following line to the htaccess file in the directory of the page they are requesting:
Deny from 24.4.254.195
It won't stop requests being made to the server but at least it won't hog the bandwidth because they will get a permission denied error instead of the page.

Then I would take a sample of the requests from the log file and send them to your hosting company and abuse@home.com

Palm
08-04-2001, 04:29 AM
Check this out and also check the abuse e-mail:

http://www1.dshield.org/ipinfo.php?ip=24.4.254.195&Submit=Submit

arrty
08-04-2001, 04:29 AM
I added this line to .htacces but it doesn't block it
Deny from 24.4.254.195

is it supposed to be exactly like this?

Steve33
08-04-2001, 05:02 AM
Originally posted by arrty
I added this line to .htacces but it doesn't block it
Deny from 24.4.254.195

is it supposed to be exactly like this?



How do you know it's not getting blocked? If it's working you should get something like "client denied by server configuration" in your logs.

If it's not working, did you just create the .htaccess file or was one already there? If you just created it, make sure it's named .htaccess not htaccess

You should have something like this:

<Limit GET POST>
order allow,deny
deny from 24.4.254.195
allow from all
</Limit>

arrty
08-04-2001, 05:10 AM
<Limit GET POST>
order allow,deny
deny from 24.4.254.195
allow from all
</Limit>

This doesn't work either

I have HumanClick monitor installed on each page so I can see in realtime who is at my website and which page.

davidb
08-04-2001, 05:26 AM
check pm,

arrty
08-04-2001, 05:30 AM
This guy is getting on my nerves now. He is going to use up all my bandwidth. I need to block him asap.

please can someone tell me how to block the IP
24.4.254.195
Host: proxy2-external.alntn1.tx.home.com

RackMy.com
08-04-2001, 09:29 AM
You should use ipfwadm. I am not sure the exact command, but that should do it for you and allow you to block that IP.

Hope that helps!

bert
08-04-2001, 12:03 PM
arrty,

If you have not yet been able to block it, create your htaccess file like this:

# Access file
order allow,deny
Deny from XX.XX.XX.XX <<<<<<<<<<<<<<<< HIS IP HERE
allow from all

Make sure you save it as ".htaccess"

Also, if you entered the ip in the /etc/hosts.deny file, I think you will have to reboot the server for the changes to take effect. I am not sure though, but it might be worth rebooting.

Good luck :)

NyteOwl
08-04-2001, 12:53 PM
A call to HOME.COM's support/service/abuse number would be a good idea too. They get hurt by people like this too and if s/he is doing it to you chances are they're doing it to others. HOME.COM can likely check their logs and close the user account.

arrty
08-04-2001, 02:15 PM
Thanks All,
You guys have been of great help. The problem is solved now and the requests stopped coming from this IP by itself. But the knowledge I have gained here will definitely help me the next time such a problem occurs.

neon202
08-04-2001, 03:03 PM
I think you are being DOSed by somebody. Maybe that CODE RED worm attacking your system. Let us all know if you get this attack again. :angry:

noti
08-04-2001, 03:28 PM
arrty, good to learn that you have solved your problem :)

as I am new with my raq3 server, may I know how you know/track that your server received those hits from the ip?

thanks a lot in advance for your reply :D

node9
08-04-2001, 08:05 PM
try

as root type

ipchains -A input -s 24.4.254.195 -d 0/0 1:65333 -p tcp -j REJECT

if it says command not found try

/sbin/ipchains -A input -s 24.4.254.195 -d 0/0 1:65333 -p tcp -j REJECT

Cyberpunk
08-04-2001, 08:25 PM
Originally posted by neon202
Maybe that CODE RED worm attacking your system.

Damn code red has been trying my site for 4 days now :angry:

About 10 - 20 times a day avg.

Such a pity I'm hosted on linux

arrty
08-05-2001, 08:29 AM
as I am new with my raq3 server, may I know how you know/track that your server received those hits from the ip?

noti,
I am a newbie myself and do not know exactly how to track if my server is being attacked. More than 60% of the sites on my server are my own and I have inserted the HumanClick Monitor on each page. This is how I found out about this. One of the webpages was constantly being loaded by the same IP so I got suspicious and posted here.
davidb taught me some tricks that you might want to research. He told me a command 'tail'. You can tail the log file for the server to see the latest accesses to your server with their IP address. The problem is I could not find the log for the whole server but the logs for each site are located in /home/sites/siteXX/logs/ and the command will be:
tail /home/sites/siteXX/logs/web.log
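
The log check described in this thread, as an added example that is not part of any poster's reply: it answers both "how do I see which IP is hitting me" and "how do I know the Deny rule is working" by counting, per client, total requests, the busiest single second, and how many requests were served (2xx) versus refused (403). It assumes web.log is in Apache common/combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes Apache common/combined log format:
#   IP - - [04/Aug/2001:02:30:01 -0400] "GET /page HTTP/1.0" STATUS BYTES

# Write a small constructed sample log to $1 so the script runs offline.
make_sample_log() {
    {
        i=0
        while [ "$i" -lt 10 ]; do   # ten hits inside one second, all served
            echo '24.4.254.195 - - [04/Aug/2001:02:30:01 -0400] "GET /page.html HTTP/1.0" 200 5120'
            i=$((i + 1))
        done
        # once a Deny rule is in effect the same client is answered with 403
        echo '24.4.254.195 - - [04/Aug/2001:05:05:00 -0400] "GET /page.html HTTP/1.0" 403 210'
        echo '24.4.254.195 - - [04/Aug/2001:05:05:00 -0400] "GET /page.html HTTP/1.0" 403 210'
        # an ordinary visitor (documentation address)
        echo '192.0.2.10 - - [04/Aug/2001:02:30:01 -0400] "GET /index.html HTTP/1.0" 200 2048'
        echo '192.0.2.10 - - [04/Aug/2001:02:31:40 -0400] "GET /about.html HTTP/1.0" 200 1024'
    } > "$1"
}

# summarize_clients LOGFILE MIN_PEAK
# Prints "ip total peak_per_second served denied" for every client whose
# busiest second reached MIN_PEAK requests, busiest client first.
summarize_clients() {
    awk -v min="$2" '
    {
        ip = $1
        sec = $4                      # timestamp has one-second resolution
        status = ""
        # the status code is the 3-digit field right after the quoted request
        if (match($0, /" [0-9][0-9][0-9] /)) status = substr($0, RSTART + 2, 3)
        total[ip]++
        n = ++persec[ip SUBSEP sec]
        if (n > peak[ip] + 0) peak[ip] = n
        if (status == "403") denied[ip]++
        else if (status ~ /^2/) served[ip]++
    }
    END {
        for (ip in total)
            if (peak[ip] >= min)
                printf "%s %d %d %d %d\n", ip, total[ip], peak[ip], served[ip], denied[ip]
    }' "$1" | sort -k2,2nr
}

# Stand-alone use: pass a log file and threshold, or run on the sample.
log=${1:-}
if [ -z "$log" ]; then log=$(mktemp); make_sample_log "$log"; fi
summarize_clients "$log" "${2:-5}"
```

If the denied column stays at 0 while served keeps growing for the blocked address, the .htaccess rule is not being applied (wrong file name, wrong directory, or overrides disabled).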

noti
08-05-2001, 12:23 PM
thanks a lot arrty for your reply. i will definitely try out the tail command :)

arrty
08-05-2001, 03:40 PM
noti,
check http://www.webhostingtalk.com/showthread.php?s=&threadid=8539&highlight=RBL

it's very informative

ckizer
08-05-2001, 03:49 PM
for some reason humanclick and livehelper will still show the connections even if you ban the person, it's just weird like that.