I have a few websites on it pulling about 150k uniques/month. On normal usage CPU usage is at about 15%, server load 0.5/4 and disk I/O is at 5%, but from time to time (once every 1-2 weeks) it crashes due to overload, but not caused by actual traffic. I guess the server is being attacked permanently until it crashes. When I look at the Apache logs I see that the server gets a lot of requests, and I mean a lot (approx. 20 requests/second when it crashes, besides the normal requests), requests for some image files that do not exist. The requests look like this: "GET /blog/images/share/stumble.png?v23=39&tq=gJ4WK%2FSUh7TFkUR8".
What I have done is deny all access to that folder via a .htaccess file, and now the requests seem to have moved to other PHP files.
I am writing here because I have run out of ideas and I don't know what more I can do. My web host (WiredTree) says that there's nothing they can do. This is unbelievable to me. I mean ... what can I do? Please advise.
You should run an audit check - I assume that you know Linux and cPanel a bit, but if you were to hire a company they would do an audit test first.
Start by running chkrootkit, then make sure you change SSH ports, update the kernel with the latest security patches, and follow through all the steps for server hardening.
Now also, these customers make sure they do not have any coding issues - i.e. an open loop in a MySQL database that every now and then eats up all the resources and brings the server to a halt, then gives up and the server comes back. We have seen this many times, and the end result is a programmer fixes the bug in the app - so there are lots of things to check to determine if it really is a DDoS attack, or something else.
Geek Powered Hosting - The Cloud Made Simple
SuperHero 24 |7 | 365 Support
Please Visit us @ www.rebelnetworks.com
Well, I am getting a huge amount of requests in Apache like this "GET /blog/images/share/stumble.png?v23=39&tq=gJ4WK%2FSUh7TFkUR8" all from different IPs, so I would doubt it's a MySQL or a programming error. I don't have a great knowledge of Linux or Apache ... I don't have any IT training ... I am a doctor, so that's why I addressed you guys, because I am really out of my league here.
It's not DDoS. The virus penetrates into people's computers and then calls some URLs including your site, so as long as this trojan spreads to many computers your site gets many requests that can look similar to a DoS attack.
Download your blog files to your PC. Be careful while you do this: have your antivirus active and make sure your antivirus knows how to deal with TR/Dldr.Nirava.psd (Avira knows it, in this case).
Also, it accesses URLs like blog/images/share/facebook.png? on your site, not only stumble.
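As an added example (not code from the thread), here is a small Python script that pulls the beacon requests out of Apache combined-format log lines and reports how many distinct client IPs are behind them, the peak per-second rate, and which status codes they drew. The distinct-IP count is what separates a distributed beacon from infected clients (as described above) from a single abusive source, and the status breakdown shows how many 403/404 responses the server is spending on files that no longer exist. The log lines, IP addresses and query strings are constructed sample data; only the two paths come from the thread.

```python
"""Added example: summarise bot "beacon" requests found in an Apache access log."""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format (the default on most cPanel hosts).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the thread identifies as the trojan's beacon targets.
BEACON_PATHS = {
    "/blog/images/share/stumble.png",
    "/blog/images/share/facebook.png",
}

# Constructed sample log (not real traffic); 7 beacon hits from 6 IPs plus 2 normal hits.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2011:10:00:01 +0000] "GET /blog/images/share/stumble.png?v23=39&tq=gJ4WK%2FSUh7TFkUR8 HTTP/1.1" 404 221 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Mar/2011:10:00:01 +0000] "GET /blog/images/share/facebook.png?v23=39&tq=abc HTTP/1.1" 404 221 "-" "Mozilla/4.0"
203.0.113.77 - - [14/Mar/2011:10:00:01 +0000] "GET /blog/images/share/stumble.png?v23=39&tq=xyz HTTP/1.1" 404 221 "-" "Mozilla/4.0"
192.0.2.44 - - [14/Mar/2011:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.55 - - [14/Mar/2011:10:00:02 +0000] "GET /blog/images/share/stumble.png?v23=40&tq=zzz HTTP/1.1" 404 221 "-" "Mozilla/4.0"
203.0.113.10 - - [14/Mar/2011:10:00:02 +0000] "GET /blog/images/share/stumble.png?v23=39&tq=gJ4WK%2FSUh7TFkUR8 HTTP/1.1" 404 221 "-" "Mozilla/4.0"
198.51.100.200 - - [14/Mar/2011:10:00:03 +0000] "GET /blog/images/share/facebook.png?v23=39 HTTP/1.1" 403 199 "-" "Mozilla/4.0"
198.51.100.9 - - [14/Mar/2011:10:00:03 +0000] "GET /blog/images/share/stumble.png?v23=41 HTTP/1.1" 403 199 "-" "Mozilla/4.0"
192.0.2.44 - - [14/Mar/2011:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Split "/path?query" so the path can be matched without the random query string.
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_beacon(rec):
    """True when the request targets one of the known beacon paths."""
    return rec["path"] in BEACON_PATHS


def analyse(lines):
    """Summarise beacon traffic: volume, distinct clients, peak rate, status mix."""
    per_second = Counter()
    statuses = Counter()
    ips = set()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_beacon(rec):
            continue
        total += 1
        per_second[rec["ts"]] += 1      # bucket by whole second
        statuses[rec["status"]] += 1
        ips.add(rec["ip"])
    return {
        "beacon_requests": total,
        "distinct_ips": len(ips),
        "peak_per_second": max(per_second.values(), default=0),
        "statuses": dict(statuses),
        # Many IPs per request is the signature of infected clients rather than one attacker.
        "distributed": total > 0 and len(ips) / total > 0.5,
    }


def analyse_sample():
    """Run the summary over the constructed sample log."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(analyse_sample())
```

To use it on a real host, feed `analyse()` the lines of the domain's access log (on cPanel typically under the user's `access-logs` directory) instead of `SAMPLE_LOG`; comparing `peak_per_second` against the crash times in the server load graphs confirms whether these requests are the load source the thread suspects.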
Correct, Atm. You can try running a virus scan on your site files, but if your site is not infected then a solution would be removing the plugin that places the image files like stumble.png and facebook.png.
Try running a virus scan first and then remove these files/disable the plugin that has these files. Instead of deleting the files, place text files named facebook.png and stumble.png, because if the requests continue after you remove the files, many 404 requests at once will create server load too.
This is a newly made trojan, discovered on the 1st of March 2011.
First of all, thank you very much for your assistance. Oddly enough I feel relieved. At least now I know what's going on.
The thing is that the files don't actually exist any more. I deleted them about a month ago. I have placed in that directory a .htaccess file with "deny from all". Isn't that better than creating these text files?
You are welcome. That is fine, but if you receive many denied (403) requests at once that may create server load too, whereas text files probably won't create any load at all, so I'd try that at least for a week and see if it makes any difference. In the worst-case scenario you can install nginx in front of Apache, and that will make the load much lower when the requests come to your server, but try the first one first. Also, if you don't have a firewall on your server, install one and turn DoS/flood protection on.
I would also suggest installing ClamAV and Maldet on your server. This will help keep files like this off your server in the future, in addition to making sure that you have proper file/directory permissions.