  1. #1

    What's your opinion about this attack?

    Hi dear professionals,
    I have a problem on my server.
    One site on my server was under a DDoS attack, something like a flood, and after that I blocked his IPs and kept the server from going down.
    But now I think he is attacking MySQL, but I can't figure out how to defend against this. I limited MySQL's general connection limit to 100, but I don't know why MySQL's connections show such a big amount:
    # mysql> show status like '%onn%';
    +--------------------------+--------+
    | Variable_name | Value |
    +--------------------------+--------+
    | Aborted_connects | 20 |
    | Connections | 327310 |
    | Max_used_connections | 43 |
    | Ssl_client_connects | 0 |
    | Ssl_connect_renegotiates | 0 |
    | Ssl_finished_connects | 0 |
    | Threads_connected | 11 |
    +--------------------------+--------+

    And also my top shows:

    top - 16:38:41 up 15:27, 1 user, load average: 98.00, 41.62, 29.77
    Tasks: 433 total, 143 running, 286 sleeping, 4 stopped, 0 zombie
    Cpu(s): 85.5%us, 5.3%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 9.2%si, 0.0%st
    Mem: 8013668k total, 7864068k used, 149600k free, 1478264k buffers
    Swap: 0k total, 0k used, 0k free, 2931736k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    591948 mysql 20 0 3223m 417m 5640 S 16.9 5.3 7:41.84 mysqld
    573716 nobody 20 0 80300 51m 964 S 4.5 0.7 2:47.57 nginx
    1827 varnish 20 0 7527m 404m 88m S 3.4 5.2 27:54.11 varnishd
    606246 nobody 20 0 99628 15m 2984 R 3.4 0.2 0:03.38 httpd
    607638 nobody 20 0 99388 14m 2212 R 3.4 0.2 0:03.71 httpd
    607646 nobody 20 0 99388 14m 2212 R 3.4 0.2 0:04.37 httpd
    607665 nobody 20 0 99388 14m 2188 R 3.4 0.2 0:03.68 httpd
    607666 nobody 20 0 99388 13m 2140 R 3.4 0.2 0:03.64 httpd
    607670 nobody 20 0 99388 14m 2196 R 3.4 0.2 0:01.78 httpd
    607681 nobody 20 0 99388 13m 2144 R 3.4 0.2 0:03.61 httpd
    607682 nobody 20 0 99388 14m 2200 R 3.4 0.2 0:02.09 httpd
    607683 nobody 20 0 99388 13m 2140 R 3.4 0.2 0:03.52 httpd
    607684 nobody 20 0 99388 14m 2232 R 3.4 0.2 0:03.40 httpd
    607685 nobody 20 0 99388 14m 2196 R 3.4 0.2 0:01.59 httpd
    607688 nobody 20 0 99388 13m 2140 R 3.4 0.2 0:03.65 httpd
    607691 nobody 20 0 99420 14m 2232 R 3.4 0.2 0:01.45 httpd
    607693 nobody 20 0 99388 14m 2260 R 3.4 0.2 0:01.33 httpd




    /usr/local/apache/bin/httpd -k start -DSSL
    This process increases the load of the server + MySQL.

    In your opinion, what is this attack and how can I stop it?

  2. #2
    MySQL load is due to load in httpd; he targeted your HTTP port.

  3. #3
    You can block the DoS using HAProxy in front of your webserver.

    So HAProxy can block all of the bad traffic from hitting HTTP.
    Last edited by davywavy; 12-07-2013 at 09:26 AM.

  4. #4
    Quote Originally Posted by davywavy View Post
    Email me dj4172464@gmail.com

    I have a solution for you that will stop the Attacks. I cannot PM you not sure why.
    If you have any solution, it is better to put it here. What solution do you have with 4 posts?

  5. #5
    Quote Originally Posted by Genius Guard View Post
    mysql load is due to load in httpd, he targeted your http port.
    What's your solution, dear?

  6. #6
    Do you have CSF?

  7. #7
    Quote Originally Posted by Genius Guard View Post
    do you have CSF ?
    Yes, my dear.

  8. #8
    Let me know the result of the following commands:
    netstat -n -p|grep SYN_REC | wc -l
    and
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

  9. #9
    Quote Originally Posted by Genius Guard View Post
    if you have any solution, it is better to put here. what solution do you have with 4 posts ?
    I posted my solution to his issue above. Edited the post.

    Just cannot post the configurations required, as I need to dig them out from my HDD.

  10. #10
    Please post the last 10-20 lines of your access logs. This looks like an HTTP flood. Most likely you'll be able to block it with fail2ban using a custom regexp which matches the malicious requests that you find in your access logs. It's possible to do the same with LFD, for instance. Depending on the attack type, you might also be able to block it with iptables string matching (howto here). Furthermore, you should make sure to use syncookies and short timeouts and ACK retries in your sysctl.conf, such as:

    Code:
    net.netfilter.nf_conntrack_max = 10000000
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_synack_retries = 1
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_max_syn_backlog = 262144
    net.ipv4.tcp_fin_timeout = 5
    Furthermore you can try SYN Deflate and BARF.
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de

  11. #11
    Quote Originally Posted by Genius Guard View Post
    netstat -n -p|grep SYN_REC | wc -l
    ]# netstat -n -p|grep SYN_REC | wc -l
    48

    and

    Quote Originally Posted by Genius Guard View Post
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
    7 173.245.62.212
    7 173.245.62.66
    7 176.12.64.224
    7 2.176.203.11
    8 108.162.208.18
    8 108.162.208.42
    8 108.162.212.150
    8 108.162.212.156
    8 108.162.212.166
    8 108.162.212.177
    8 108.162.215.242
    8 108.162.221.212
    8 108.162.222.214
    8 108.162.222.58
    8 108.162.231.218
    8 108.162.231.226
    8 108.162.231.47
    8 108.162.231.59
    8 108.162.254.12
    8 173.245.48.104
    8 173.245.48.93
    8 173.245.49.215
    8 173.245.51.214
    8 173.245.53.105
    8 173.245.53.128
    8 173.245.56.153
    8 2.145.171.138
    8 5.152.205.58
    9 108.162.208.38
    9 108.162.210.210
    9 108.162.210.233
    9 108.162.212.167
    9 108.162.212.182
    9 108.162.215.231
    9 108.162.222.35
    9 108.162.222.46
    9 108.162.222.59
    9 108.162.226.16
    9 141.101.98.130
    9 141.101.98.164
    9 141.101.99.161
    9 173.245.48.128
    9 173.245.51.231
    9 173.245.51.60
    9 173.245.51.67
    9 173.245.53.129
    9 173.245.54.164
    9 173.245.54.179
    9 173.245.56.154
    9 173.245.56.196
    9 173.245.56.199
    9 199.27.128.130
    9 78.39.25.153
    10 108.162.208.26
    10 108.162.208.37
    10 108.162.210.199
    10 108.162.210.236
    10 108.162.210.240
    10 108.162.212.148
    10 108.162.212.163
    10 108.162.212.26
    10 108.162.212.74
    10 108.162.215.193
    10 108.162.215.246
    10 108.162.226.220
    10 141.101.99.138
    10 173.245.48.120
    10 173.245.48.72
    10 173.245.51.218
    10 173.245.56.170
    10 95.81.81.114
    11 108.162.208.16
    11 108.162.210.226
    11 108.162.212.170
    11 108.162.215.241
    11 108.162.231.213
    11 141.101.98.157
    11 173.245.48.110
    11 173.245.48.126
    11 173.245.48.87
    11 173.245.52.125
    11 173.245.52.155
    11 173.245.53.102
    11 199.27.128.88
    11 79.127.117.77
    12 108.162.208.24
    12 108.162.212.98
    12 108.162.219.174
    12 108.162.222.38
    12 141.101.99.111
    12 141.101.99.135
    12 141.101.99.165
    12 173.245.48.122
    12 173.245.48.99
    12 173.245.53.68
    12 173.245.53.84
    13 108.162.210.203
    13 108.162.212.155
    13 108.162.215.249
    13 108.162.231.58
    13 173.245.48.134
    13 173.245.49.238
    13 173.245.51.220
    13 173.245.53.89
    13 173.245.54.155
    13 173.245.54.188
    13 188.34.187.111
    13 2.191.2.225
    14 108.162.208.17
    14 108.162.208.40
    14 108.162.212.154
    14 108.162.212.168
    14 108.162.212.243
    14 108.162.216.35
    14 108.162.221.230
    14 108.162.222.47
    14 108.162.254.37
    14 141.101.98.138
    14 173.245.48.124
    14 173.245.48.133
    14 173.245.53.124
    15 108.162.208.31
    15 108.162.210.205
    15 108.162.210.223
    15 108.162.212.175
    15 108.162.212.187
    15 108.162.215.228
    15 108.162.215.244
    15 108.162.215.247
    15 108.162.222.65
    15 141.101.99.125
    15 173.245.48.79
    15 173.245.48.84
    15 173.245.62.226
    16 108.162.208.6
    16 108.162.210.208
    16 108.162.222.34
    16 108.162.231.46
    16 173.245.48.65
    16 173.245.48.75
    16 173.245.53.99
    16 173.245.62.218
    17 108.162.208.22
    17 108.162.212.151
    17 108.162.231.35
    17 141.101.99.136
    18 108.162.208.20
    18 108.162.210.200
    18 108.162.212.231
    18 108.162.215.250
    18 108.162.231.225
    18 141.101.98.152
    19 108.162.208.14
    19 108.162.208.21
    19 108.162.208.5
    19 108.162.210.232
    19 108.162.210.234
    19 108.162.212.149
    19 108.162.212.152
    19 108.162.212.194
    19 141.101.98.166
    19 173.245.48.114
    19 173.245.48.130
    19 173.245.48.70
    19 173.245.48.82
    19 173.245.54.208
    20 108.162.212.174
    20 108.162.212.193
    20 108.162.231.220
    20 141.101.99.152
    21 108.162.208.13
    21 108.162.208.23
    21 108.162.208.9
    21 108.162.212.186
    21 108.162.212.207
    21 108.162.221.46
    21 141.101.99.168
    21 173.245.48.103
    21 173.245.48.88
    22 108.162.208.36
    22 108.162.222.48
    22 141.101.99.150
    22 173.245.48.80
    23 108.162.210.227
    23 108.162.222.36
    23 108.162.222.61
    23 173.245.48.125
    24 108.162.210.197
    24 108.162.210.224
    24 173.245.48.101
    25 108.162.212.181
    25 108.162.215.230
    25 108.162.215.232
    25 173.245.48.100
    26 108.162.208.4
    26 108.162.208.7
    27 141.101.99.169
    27 173.245.48.92
    27 173.245.62.61
    28 108.162.208.35
    28 108.162.210.212
    28 108.162.212.178
    29 108.162.210.242
    29 108.162.222.213
    29 173.245.48.106
    29 173.245.48.73
    30 108.162.222.51
    30 108.162.231.65
    30 141.101.98.129
    30 173.245.48.102
    30 173.245.48.113
    30 173.245.48.83
    30 173.245.62.219
    30 199.27.130.216
    31 108.162.208.11
    31 108.162.210.230
    31 108.162.215.229
    31 173.245.48.74
    31 173.245.51.66
    32 108.162.212.185
    32 173.245.48.107
    32 173.245.48.121
    32 173.245.48.71
    34 173.245.48.129
    35 108.162.212.162
    35 173.245.48.81
    36 108.162.208.15
    36 151.233.222.8
    38 108.162.208.32
    38 108.162.215.248
    38 141.101.98.170
    39 108.162.212.189
    39 173.245.48.119
    41 108.162.208.12
    42 108.162.212.153
    47 108.162.208.25
    48 173.245.48.96
    52 108.162.208.43
    56 108.162.210.221
    64 108.162.208.41
    67 173.245.48.61
    80 108.162.222.67

    Quote Originally Posted by davywavy View Post
    I posted my solution to his issue above. Edited the post.

    Just cannot post the configurations required. As I need to dig them out from my HDD.
    Could you please help me with how I can install this on my server?


    Quote Originally Posted by infinitnet View Post
    Please post the last 10-20 lines of your access logs. This looks like an HTTP flood. Most likely you'll be able to block it with fail2ban using a custom regexp which matches the malicious requests that you find in your access logs. It's possible to do the same with LFD, for instance. Depending on the attack type, you might also be able to block it with iptables string matching (howto here). Furthermore, you should make sure to use syncookies and short timeouts and ACK retries in your sysctl.conf, such as:

    net.netfilter.nf_conntrack_max = 10000000
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_synack_retries = 1
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_max_syn_backlog = 262144
    net.ipv4.tcp_fin_timeout = 5
    Furthermore you can try SYN Deflate and BARF
    I installed fail2ban. How can I configure it?
    And I set syncookies and short timeouts and ACK retries in my sysctl.conf as you said.

    My panel is cPanel. Can you say which access file you need?
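The two commands in post #8 count half-open connections and rank remote addresses by connection count; the output above is dominated by 108.162.x.x, 173.245.48.x, 141.101.9x.x and 199.27.128.x peers, which sit inside prefixes Cloudflare published for its reverse proxies. When a site is fronted by such a proxy, the TCP peers the kernel sees are the proxy's addresses, while the web access log (with the visitor's IP restored from a proxy header) shows the real client; iptables or CSF rules written against the logged client addresses then cannot match the packets that actually arrive, which would also explain the observation later in this thread (post #21) that denied addresses keep showing up in the access log. The script below is an added example, not code from the thread: it parses `netstat -ntu` style output (a constructed sample is embedded), reproduces the two one-liners, and separates proxy-originated peers from direct ones. The prefix list is an assumption taken from Cloudflare's list as published around the time of the thread and should be checked against the provider's current list before use.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ntu` output, in the shape the thread's
# one-liner (awk '{print $5}' | cut -d: -f1 | sort | uniq -c) consumes.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             108.162.222.67:51234    ESTABLISHED
tcp        0      0 10.0.0.5:80             108.162.222.67:51240    TIME_WAIT
tcp        0      0 10.0.0.5:80             173.245.48.61:44112     ESTABLISHED
tcp        0      0 10.0.0.5:80             173.245.48.61:44120     SYN_RECV
tcp        0      0 10.0.0.5:80             173.245.48.61:44121     SYN_RECV
tcp        0      0 10.0.0.5:80             151.233.222.8:60001     ESTABLISHED
tcp        0      0 10.0.0.5:443            141.101.98.170:33000    ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:5555        ESTABLISHED
"""

# ASSUMPTION: the prefixes Cloudflare published for its proxies around 2013.
# Verify against the provider's current published list before relying on it.
PROXY_PREFIXES = [ipaddress.ip_network(p) for p in (
    "108.162.192.0/18", "173.245.48.0/20", "141.101.64.0/18", "199.27.128.0/21")]


def parse_netstat(text):
    """Yield (foreign_ip, state) for every tcp/udp row; header rows are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        # rsplit on the last colon strips the port and keeps IPv6 peers intact
        ip = fields[4].rsplit(":", 1)[0]
        state = fields[5] if len(fields) > 5 else "-"
        yield ip, state


def count_peers(text):
    """Equivalent of the thread's sort | uniq -c pipeline: connections per remote IP."""
    return Counter(ip for ip, _ in parse_netstat(text))


def count_syn_recv(text):
    """Equivalent of `netstat -n -p | grep SYN_REC | wc -l`: half-open connections."""
    return sum(1 for _, state in parse_netstat(text) if state.startswith("SYN_REC"))


def is_proxy_peer(ip):
    """True when the peer address lies inside one of the proxy prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_PREFIXES)


def classify_peers(text):
    """Split per-IP connection counts into proxy-originated and direct peers."""
    via_proxy, direct = {}, {}
    for ip, n in count_peers(text).items():
        (via_proxy if is_proxy_peer(ip) else direct)[ip] = n
    return via_proxy, direct


if __name__ == "__main__":
    via_proxy, direct = classify_peers(SAMPLE_NETSTAT)
    print("half-open (SYN_RECV):", count_syn_recv(SAMPLE_NETSTAT))
    for label, table in (("via proxy", via_proxy), ("direct", direct)):
        for ip, n in sorted(table.items(), key=lambda kv: kv[1]):
            print(f"{n:4d} {ip:16s} {label}")
```

Feed it real output with `classify_peers(subprocess.check_output(["netstat", "-ntu"], text=True))`. If most peers land in the "via proxy" bucket, per-IP blocking has to happen at the proxy (or on the restored client address at the web-server layer, which is where fail2ban or LFD reading the access log act), not on the kernel-level peer address.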

  12. #12
    The access logs of the domain which is under attack: http://docs.cpanel.net/twiki/bin/vie.../RawAccessLogs

    I need the access logs before I can write a fail2ban regex to match/block the flood.

  13. #13
    Because of the size of the access log, I attached it to an email and sent it to you.
    Thanks for your cooperation, dear.

  14. #14
    I also limited the MySQL connections of this site's database with this method:
    mysql> CREATE USER 'francis'@'localhost' IDENTIFIED BY 'frank';
    mysql> GRANT ALL ON customer.* TO 'francis'@'localhost'
    -> WITH MAX_QUERIES_PER_HOUR 20
    -> MAX_UPDATES_PER_HOUR 10
    -> MAX_CONNECTIONS_PER_HOUR 5
    -> MAX_USER_CONNECTIONS 2;
    Now when the attacker attacks this site, it shows this message:
    SQL/DB Error -- [User 'francis' has exceeded the 'max_questions' resource (current value: 100)]

    Now how can I protect MySQL from this attack?
    I think he attacks the MySQL database.
    For example, how can I limit IP access to the database per second?

  15. #15
    Your PHP application connects to the MySQL server, not the visitor. Therefore it doesn't make sense to limit MySQL connections in any way. Follow my instructions above and send the last 10-20 lines of your access log files, not the whole one.

  16. #16
    190.207.1.38 - - [08/Dec/2013:15:45:26 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.82.248.169 - - [08/Dec/2013:15:45:57 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.198.85.59 - - [08/Dec/2013:15:46:58 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.74.247.174 - - [08/Dec/2013:15:47:31 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.93.199.131 - - [08/Dec/2013:15:48:18 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    201.211.239.72 - - [08/Dec/2013:15:50:34 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.198.185.108 - - [08/Dec/2013:15:51:14 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    66.249.66.5 - - [08/Dec/2013:15:51:46 +0330] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.66.5 - - [08/Dec/2013:15:51:46 +0330] "GET /cgi-sys/suspendedpage.cgi HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h$
    66.249.66.5 - - [08/Dec/2013:15:51:47 +0330] "GET /index.php?mixmach=82 HTTP/1.1" 302 236 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.66.5 - - [08/Dec/2013:15:51:47 +0330] "GET /cgi-sys/suspendedpage.cgi?mixmach=82 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.googl$
    190.198.185.108 - - [08/Dec/2013:15:51:48 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.198.85.59 - - [08/Dec/2013:15:53:43 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
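Post #10 proposes two complementary checks on exactly this kind of excerpt: a fail2ban regexp that matches the request shape, and a rate view of how often each address hits the server. The script below is an added example (not code from the thread or from the fail2ban project) that runs both over the lines in this post: `flood_sources` counts requests per IP inside a sliding window, and `signature_hits` applies a fail2ban-style failregex, with fail2ban's `<HOST>` placeholder substituted by hand with a plain IPv4 group so it can run offline. On these lines each address sends roughly one request every 30 to 60 seconds, so a rate threshold flags nothing, while the signature matches every `GET /index.php` line with the MSIE 6.0 user agent and none of the Googlebot lines. The truncated line from the post is kept to show that a malformed entry is skipped rather than crashing the parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Lines taken from the access-log excerpt in post #16 (Apache combined format).
# The sixth line is the truncated one from the post, kept as a malformed case.
SAMPLE_LOG = r'''
190.207.1.38 - - [08/Dec/2013:15:45:26 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.82.248.169 - - [08/Dec/2013:15:45:57 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.85.59 - - [08/Dec/2013:15:46:58 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.185.108 - - [08/Dec/2013:15:51:14 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.249.66.5 - - [08/Dec/2013:15:51:46 +0330] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.5 - - [08/Dec/2013:15:51:46 +0330] "GET /cgi-sys/suspendedpage.cgi HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h$
190.198.185.108 - - [08/Dec/2013:15:51:48 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.85.59 - - [08/Dec/2013:15:53:43 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
'''.strip().splitlines()

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# A failregex in the style post #10 suggests, built from the repeated request
# shape in the excerpt. fail2ban substitutes <HOST> itself; here a plain IPv4
# group stands in for it so the expression can be exercised offline.
FAILREGEX = (r'^<HOST> .* "GET /index\.php HTTP/1\.[01]" 302 .* '
             r'"Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)"$')
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def parse_line(line):
    """Return the fields of one combined-format line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flood_sources(lines, window_s=60, threshold=20):
    """Map IP -> peak requests seen inside any window_s window, for IPs whose
    peak exceeds threshold. Lines are expected in log (chronological) order."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # truncated or foreign line: skip it
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def compile_failregex(failregex):
    """Expand the <HOST> placeholder the way a fail2ban filter would."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def signature_hits(lines, failregex=FAILREGEX):
    """Map IP -> number of lines matching the failregex (what fail2ban would count)."""
    rx = compile_failregex(failregex)
    hits = defaultdict(int)
    for line in lines:
        m = rx.match(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


if __name__ == "__main__":
    print("rate-based (>20 req / 60 s):", flood_sources(SAMPLE_LOG))
    print("signature-based:", signature_hits(SAMPLE_LOG))
```

A signature keyed on a generic user-agent string will also match legitimate old browsers, so in a real jail it belongs together with a count requirement (fail2ban's `maxretry` and `findtime` play the role of `threshold` and `window_s` here); the rate view alone, run over a longer excerpt from the time of the attack, is what tells whether post #17's "not a flood just yet" still holds.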

  17. #17
    Is the attack still going on at the moment? This doesn't look like an HTTP flood just yet. Of course it's also possible that they target the IP (access log for that would be /usr/local/apache/logs/access.log, I think, with cPanel machines) instead of the domain. So, is the attack still going on? If yes, run: tcpdump -nnA dst port 80 -c1000
    And post the output. If the attack is already over, then we'd need the correct part of your access log to write a regexp for fail2ban or LFD. If you're using NGINX in front of Apache, you can also use it to limit the requests per IP, see http://nginx.org/en/docs/http/ngx_ht...eq_module.html

  18. #18
    Quote Originally Posted by Genius Guard View Post
    If you have any solution, it is better to put it here. What solution do you have with 4 posts?
    Do you really think knowledge is based upon post count? :what:

  19. #19
    Afshin dear, are you well?
    It's so hard to help you; we have to know:
    which CMS have you hosted on this server?
    have you configured the firewall right?
    which web service do you use, Apache or nginx?
    your hardware configuration?

    TQ

  20. #20
    Quote Originally Posted by mixmox View Post
    Afshin dear, are you well?
    It's so hard to help you; we have to know:
    which CMS have you hosted on this server?
    have you configured the firewall right?
    which web service do you use, Apache or nginx?
    your hardware configuration?

    TQ
    Thank you, are you well? Do we know each other?

    Thanks for your help.
    My hardware is 1 CPU Xeon 1220v2 and 8 GB RAM, sad hard drive, and I use nginx + Varnish + Apache
    cPanel
    It's an unusual script.

  21. #21
    Quote Originally Posted by infinitnet View Post
    Is the attack still going on at the moment? This doesn't look like an HTTP flood just yet. Of course it's also possible that they target the IP (access log for that would be /usr/local/apache/logs/access.log, I think, with cPanel machines) instead of the domain. So, is the attack still going on? If yes, run: tcpdump -nnA dst port 80 -c1000
    And post the output. If the attack is already over, then we'd need the correct part of your access log to write a regexp for fail2ban or LFD. If you're using NGINX in front of Apache, you can also use it to limit the requests per IP, see http://nginx.org/en/docs/http/ngx_ht...eq_module.html

    Yes, my dear, the attack was stopped by the attacker. But I am sure with fail2ban we can protect against this attack.
    When he starts attacking again I will give you the access log from both this domain and all of the Apache access logs.

    And I am sure these IPs are the attacker's:

    Code:
    190.207.1.38 - - [08/Dec/2013:15:45:26 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.82.248.169 - - [08/Dec/2013:15:45:57 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.198.85.59 - - [08/Dec/2013:15:46:58 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.74.247.174 - - [08/Dec/2013:15:47:31 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.93.199.131 - - [08/Dec/2013:15:48:18 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    201.211.239.72 - - [08/Dec/2013:15:50:34 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.198.185.108 - - [08/Dec/2013:15:51:14 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.198.185.108 - - [08/Dec/2013:15:51:48 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    190.198.85.59 - - [08/Dec/2013:15:53:43 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    Also, another thing: I prepared a list that contains most of the DDoSer IPs. I tried to drop these IPs with iptables and CSF, but after denying these IPs I see them in the access log again.
    In your opinion, why?
