12-07-2013, 09:12 AM #1 (Newbie)
What's your opinion about this attack?
Hi dear professionals,
I have a problem on my server.
One site on my server was under a DDoS attack, something like a flood. After that I blocked his IPs and kept the server from going down.
But now I think he is attacking MySQL, and I don't know how I can defend against this. I limited MySQL general connections to 100, but I don't know why the MySQL connection count shows such a big amount:
# mysql> show status like '%onn%';
+--------------------------+--------+
| Variable_name | Value |
+--------------------------+--------+
| Aborted_connects | 20 |
| Connections | 327310 |
| Max_used_connections | 43 |
| Ssl_client_connects | 0 |
| Ssl_connect_renegotiates | 0 |
| Ssl_finished_connects | 0 |
| Threads_connected | 11 |
+--------------------------+--------+
And also my top shows:
top - 16:38:41 up 15:27, 1 user, load average: 98.00, 41.62, 29.77
Tasks: 433 total, 143 running, 286 sleeping, 4 stopped, 0 zombie
Cpu(s): 85.5%us, 5.3%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 9.2%si, 0.0%st
Mem: 8013668k total, 7864068k used, 149600k free, 1478264k buffers
Swap: 0k total, 0k used, 0k free, 2931736k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
591948 mysql 20 0 3223m 417m 5640 S 16.9 5.3 7:41.84 mysqld
573716 nobody 20 0 80300 51m 964 S 4.5 0.7 2:47.57 nginx
1827 varnish 20 0 7527m 404m 88m S 3.4 5.2 27:54.11 varnishd
606246 nobody 20 0 99628 15m 2984 R 3.4 0.2 0:03.38 httpd
607638 nobody 20 0 99388 14m 2212 R 3.4 0.2 0:03.71 httpd
607646 nobody 20 0 99388 14m 2212 R 3.4 0.2 0:04.37 httpd
607665 nobody 20 0 99388 14m 2188 R 3.4 0.2 0:03.68 httpd
607666 nobody 20 0 99388 13m 2140 R 3.4 0.2 0:03.64 httpd
607670 nobody 20 0 99388 14m 2196 R 3.4 0.2 0:01.78 httpd
607681 nobody 20 0 99388 13m 2144 R 3.4 0.2 0:03.61 httpd
607682 nobody 20 0 99388 14m 2200 R 3.4 0.2 0:02.09 httpd
607683 nobody 20 0 99388 13m 2140 R 3.4 0.2 0:03.52 httpd
607684 nobody 20 0 99388 14m 2232 R 3.4 0.2 0:03.40 httpd
607685 nobody 20 0 99388 14m 2196 R 3.4 0.2 0:01.59 httpd
607688 nobody 20 0 99388 13m 2140 R 3.4 0.2 0:03.65 httpd
607691 nobody 20 0 99420 14m 2232 R 3.4 0.2 0:01.45 httpd
607693 nobody 20 0 99388 14m 2260 R 3.4 0.2 0:01.33 httpd
/usr/local/apache/bin/httpd -k start -DSSL
These processes increase the load of the server + MySQL.
In your opinion, what is this attack and how can I stop it?
12-07-2013, 09:16 AM #2 (Web Hosting Guru)
The MySQL load is due to the load in httpd; he targeted your HTTP port.
12-07-2013, 09:18 AM #3 (Disabled)
You can block the DoS using HAProxy in front of your web server.
So HAProxy can block all of the bad traffic from hitting HTTP.
12-07-2013, 09:26 AM #4 (Web Hosting Guru)
12-07-2013, 09:26 AM #5 (Newbie)
12-07-2013, 09:27 AM #6 (Web Hosting Guru)
Do you have CSF?
12-07-2013, 09:29 AM #7 (Newbie)
12-07-2013, 09:31 AM #8 (Web Hosting Guru)
Let me know the result of the following commands:
netstat -n -p|grep SYN_REC | wc -l
and
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
12-07-2013, 09:53 AM #9 (Disabled)
12-07-2013, 10:10 AM #10 (Digital Marketing Strategist, Germany)
Please post the last 10-20 lines of your access logs. This looks like an HTTP flood. Most likely you'll be able to block it with fail2ban using a custom regexp which matches the malicious requests that you find in your access logs. It's possible to do the same with LFD, for instance. Depending on the attack type, you might also be able to block it with iptables string matching (howto here). Furthermore you should make sure to use syncookies and short timeouts and ACK retries in your sysctl.conf, such as:
Code:
net.netfilter.nf_conntrack_max = 10000000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_fin_timeout = 5
12-07-2013, 11:22 AM #11 (Newbie)
# netstat -n -p|grep SYN_REC | wc -l
48
and
Could you please help me with how I can install this on my server?
I installed fail2ban. How can I configure it?
And I set syncookies and short timeouts and ACK retries in my sysctl.conf as you said.
My panel is cPanel. Can you say which access file you need?
12-07-2013, 11:30 AM #12 (Digital Marketing Strategist, Germany)
The access logs of the domain which is under attack: http://docs.cpanel.net/twiki/bin/vie.../RawAccessLogs
I need the access logs before I can write a fail2ban regex to match/block the flood.
12-08-2013, 02:10 AM #13 (Newbie)
Because of the size of the access log, I attached it in an email and sent it to you.
Thanks for your cooperation, dear.
12-08-2013, 04:38 AM #14 (Newbie)
I also limited the MySQL connections of this site's database with this method:
mysql> CREATE USER 'francis'@'localhost' IDENTIFIED BY 'frank';
mysql> GRANT ALL ON customer.* TO 'francis'@'localhost'
-> WITH MAX_QUERIES_PER_HOUR 20
-> MAX_UPDATES_PER_HOUR 10
-> MAX_CONNECTIONS_PER_HOUR 5
-> MAX_USER_CONNECTIONS 2;
Now when the attacker attacks this site it shows this message:
SQL/DB Error -- [User 'francis' has exceeded the 'max_questions' resource (current value: 100)]
Now how can I protect MySQL from this attack?
I think he attacks the MySQL database.
For example, how can I limit IP access to the database per second?
12-08-2013, 08:09 AM #15 (Digital Marketing Strategist, Germany)
Your PHP application connects to the MySQL server - not the visitor. Therefore it doesn't make sense to limit MySQL connections in any way. Follow my instructions above and send the last 10-20 lines of your access log files, not the whole one.
12-08-2013, 08:27 AM #16 (Newbie)
190.207.1.38 - - [08/Dec/2013:15:45:26 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.82.248.169 - - [08/Dec/2013:15:45:57 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.85.59 - - [08/Dec/2013:15:46:58 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.74.247.174 - - [08/Dec/2013:15:47:31 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.93.199.131 - - [08/Dec/2013:15:48:18 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
201.211.239.72 - - [08/Dec/2013:15:50:34 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.185.108 - - [08/Dec/2013:15:51:14 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.249.66.5 - - [08/Dec/2013:15:51:46 +0330] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.5 - - [08/Dec/2013:15:51:46 +0330] "GET /cgi-sys/suspendedpage.cgi HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h$
66.249.66.5 - - [08/Dec/2013:15:51:47 +0330] "GET /index.php?mixmach=82 HTTP/1.1" 302 236 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.5 - - [08/Dec/2013:15:51:47 +0330] "GET /cgi-sys/suspendedpage.cgi?mixmach=82 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.googl$
190.198.185.108 - - [08/Dec/2013:15:51:48 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.85.59 - - [08/Dec/2013:15:53:43 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
12-08-2013, 08:32 AM #17 (Digital Marketing Strategist, Germany)
Is the attack still going on at the moment? This doesn't look like an HTTP flood just yet. Of course it's also possible that they target the IP (the access log for that would be /usr/local/apache/logs/access.log, I think, with cPanel machines) instead of the domain. So, is the attack still going on? If yes, run: tcpdump -nnA dst port 80 -c1000
And post the output. If the attack is already over, then we'd need the correct part of your access log to write a regexp for fail2ban or LFD. If you're using NGINX in front of Apache, you can also use it to limit the requests per IP, see http://nginx.org/en/docs/http/ngx_ht...eq_module.html
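As an added example (not code from any poster in this thread), a short Python analyzer for access log lines in the combined format shown above: it profiles the (request, status, user-agent) triples a fail2ban failregex would key on, and applies the per-IP rate rule that an nginx limit_req zone or a fail2ban maxretry/findtime jail enforces. The sample lines are constructed with documentation addresses, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format, the layout of the lines posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def request_profile(lines):
    """Count (request, status, user-agent) triples; a flood shows one dominant
    triple, which is what a fail2ban failregex would match on."""
    recs = (r for r in map(parse_line, lines) if r)
    return Counter((r["req"], r["status"], r["ua"]) for r in recs)

def flag_flooders(lines, max_hits=10, window=60):
    """Return {ip: hits} for IPs exceeding max_hits requests within any
    window-second span (the nginx limit_req / fail2ban maxretry+findtime rule)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > max_hits and rec["ip"] not in flagged:
            flagged[rec["ip"]] = len(q)
    return flagged

# Constructed sample using documentation addresses (not real clients): one
# ordinary visitor, one crawler, and one client making 15 requests in 30 s.
LINE = '%s - - [08/Dec/2013:15:%s +0330] "GET %s HTTP/1.1" %s 229 "-" "%s"'
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE = [
    LINE % ("203.0.113.20", "45:26", "/index.php", 302, MSIE),
    LINE % ("198.51.100.7", "51:46", "/robots.txt", 200, "Mozilla/5.0 (compatible; Googlebot/2.1)"),
] + [LINE % ("203.0.113.5", "52:%02d" % s, "/index.php", 302, MSIE) for s in range(0, 30, 2)]
# flag_flooders(SAMPLE) -> {'203.0.113.5': 11}
```

Run against a real log with `flag_flooders(open(path))`; only an IP that crosses the threshold inside the window is reported, so a crawler with one request per minute stays unflagged.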
12-08-2013, 09:10 AM #18 (Web Hosting Master)
12-08-2013, 10:18 AM #19 (I Like Beer!, NL,IR)
Afshin dear, are you well?
It's so hard to help you; we have to know:
Which CMS have you hosted on this server?
Have you configured the firewall right?
Which web service do you use, Apache or nginx?
Your hardware configuration?
Thanks
12-08-2013, 10:38 AM #20 (Newbie)
12-08-2013, 10:55 AM #21 (Newbie)
Yes my dear, the attack was stopped by the attacker. But I am sure that with fail2ban we can protect against this attack.
When he starts the attack again I will give you the access log from both this domain and all of the Apache access log.
And I am sure these IPs are the attacker's:
Code:
190.207.1.38 - - [08/Dec/2013:15:45:26 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.82.248.169 - - [08/Dec/2013:15:45:57 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.85.59 - - [08/Dec/2013:15:46:58 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.74.247.174 - - [08/Dec/2013:15:47:31 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.93.199.131 - - [08/Dec/2013:15:48:18 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
201.211.239.72 - - [08/Dec/2013:15:50:34 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.185.108 - - [08/Dec/2013:15:51:14 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.185.108 - - [08/Dec/2013:15:51:48 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
190.198.85.59 - - [08/Dec/2013:15:53:43 +0330] "GET /index.php HTTP/1.1" 302 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
In your opinion, why?