  1. #1

    [Dedicated Server] Bogus Overload

    This is the first time I am posting here. I have a dedicated server and it gets really overloaded, but I see no traffic in Google Analytics.

    The server's configuration is:
    Intel Core i5 750 (2.66GHZ 8MB - Dual Channel)
    4 GB DDR3
    500GB 7.2k RPM SATAII 16MB Cache

    I have a few websites on it pulling about 150k uniques / month. On normal usage CPU usage is at about 15%, server load 0.5 / 4 and Disk I/O is at 5%, but from time to time (once every 1-2 weeks) it crashes due to overload, but not done by actual traffic. I guess the server is being attacked permanently until it crashes. When I look at the Apache loads I see that the server gets a lot of requests, and I mean a lot (approx 20 requests / second when it crashes, besides the normal requests), requests for some image files that do not exist. The requests are like this "GET /blog/images/share/stumble.png?v23=39&tq=gJ4WK%2FSUh7TFkUR8".

    What I have done is that I denied all access to that folder via a .htaccess file, and now the requests seem to have moved to other PHP files.

    I am writing here because I have run out of ideas and I don't know what more I can do. My web host (WiredTree) says that there's nothing they can do. This is unbelievable to me. I mean ... what can I do? Please advise.

  2. #2
    Join Date
    Mar 2003
    Moved > Hosting Security and Technology.

  3. #3
    Join Date
    Feb 2004

    The attack could be something else, like an SSH or FTP attack, which will consume resources.

    If you can, then move SSH to a non-standard port, i.e. not port 22, then make sure you look at the processes on the server.

    Best bet is to get the server looked at by some server hardening people (make sure you check them out before handing your root logins out though).

    Good luck


  4. #4
    My web hosting support says that this looks like DDoS attacks. What can I do in this case?

  5. #5
    Join Date
    Feb 2004

    If you don't know how to resolve it you'll need to hire a company to resolve this for you. Normally your host would help you.

    Alternatively, Google is your friend if your host won't help and you don't want to hire someone.


  6. #6
    Join Date
    Jan 2005
    Toronto, Canada
    You should run an audit check - I assume that you know Linux and cPanel a bit, but if you were to hire a company they would do an audit test first.
    Start by running chkrootkit - then make sure you change SSH ports, update the kernel with the latest security patches, and follow through all the steps for server hardening.

    Now also, these customers make sure they do not have any coding issues - i.e. an open loop in a MySQL database that every now and then eats up all the resources and brings the server to a halt, then gives up and the server comes back. We have seen this many times, and the end result is a programmer fixes the bug in the app - so there are lots of things to check to determine if it really is a DDoS attack, or something else.

  7. #7
    Well, I am getting a huge amount of requests in Apache like this "GET /blog/images/share/stumble.png?v23=39&tq=gJ4WK%2FSUh7TFkUR8", all from different IPs, so I would doubt it's a MySQL or a programming error. I don't have a great knowledge of Linux or Apache ... I don't have any IT training ... I am a doctor, so that's why I addressed you guys, because I am really out of my league here.

  8. #8
    Does your site name end with design? If so, there is a virus about your site.

    The name of the virus is TR/Dldr.Nirava.psd

    It's not DDoS. The virus penetrates into people's computers, then it calls some URLs including your site, so as long as this trojan spreads into many computers your site gets many requests that can look similar to a DoS attack.

    Download your blog files to your PC. Be careful while you do this: have your antivirus active and make sure your antivirus knows how to deal with TR/Dldr.Nirava.psd. Avira knows in this case.

    Also, it accesses URLs like blog/images/share/facebook.png? on your site, not only stumble.
    Last edited by st1905; 04-10-2011 at 02:26 PM.
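
Added example (not part of the thread and not any poster's code): a Python sketch that groups Apache access-log lines by path to tell the pattern described above, many different IPs each requesting the same missing or denied file a few times, apart from ordinary traffic. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation-range IPs), modelled on the request quoted in the thread.
SAMPLE = [
    f'203.0.113.{i} - - [10/Apr/2011:14:02:0{i % 2} +0000] "GET /blog/images/share/stumble.png?v23={i}&tq=x{i} HTTP/1.1" 403 210 "-" "-"'
    for i in range(1, 9)
] + [
    f'198.51.100.7 - - [10/Apr/2011:14:02:0{i} +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for i in range(3)
]

def summarize(lines):
    """Group requests by path (query string dropped) and collect per-path counters."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "status": Counter(), "per_sec": Counter()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target, status = m.groups()
        s = stats[urlsplit(target).path]
        s["hits"] += 1
        s["ips"].add(ip)
        s["status"][status] += 1
        s["per_sec"][ts] += 1  # timestamps have one-second resolution
    return stats

def distributed_paths(stats, min_ips=5, max_hits_per_ip=2.0, min_error_share=0.9):
    """Paths hit by many clients, few requests each, almost all answered with 4xx."""
    out = []
    for path, s in stats.items():
        errors = sum(n for code, n in s["status"].items() if code.startswith("4"))
        if (len(s["ips"]) >= min_ips and s["hits"] / len(s["ips"]) <= max_hits_per_ip
                and errors / s["hits"] >= min_error_share):
            out.append((path, s["hits"], len(s["ips"]), max(s["per_sec"].values())))
    return sorted(out, key=lambda r: -r[1])  # (path, hits, distinct IPs, peak requests/second)

if __name__ == "__main__":
    for path, hits, ips, peak in distributed_paths(summarize(SAMPLE)):
        print(f"{path}: {hits} hits from {ips} IPs, peak {peak}/s")
```

A path that shows up here with a high distinct-IP count and a low per-IP request count will not be stopped by blocking individual addresses, which is why the replies that follow focus on making each such request cheap to answer.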

  9. #9
    Sh** ... so basically every infected computer requests some files from my website. I suppose I can't do anything about it, right?

  10. #10
    Correct. Atm you can try running a virus scan on your site files, but if your site is not infected then a solution would be removing the plugin that places the image files like and facebook.png.

    Try running a virus scan first and then remove these files/disable the plugin that has these files. Instead of deleting the files, place text files named facebook.png and stumble.png, because if the requests continue after you remove the files, many 404 requests at once will create server load too.

    This is a newly made trojan, discovered on the 1st of March 2011.
    Last edited by st1905; 04-10-2011 at 02:50 PM.

  11. #11
    First of all thank you very much for your assistance. Oddly enough I feel relieved. At least now I know what's going on.

    The thing is that the files don't actually exist any more. I deleted them about a month ago. I have placed in that directory a .htaccess file with deny from all. Isn't that better than creating these text files?

  12. #12
    You are welcome. That is fine, but if you receive many denied (403) requests at once that may create server load too, but text files probably won't create any load at all, so I'd try that at least for a week and see if it makes any difference. In the worst case scenario you can install nginx in front of Apache, and that will make the load much lower when the requests come to your server, but first try the first one. Also, if you don't have a firewall on your server, install one and set DoS/flood protection on.

    You can use csf for this,

    If the current requests are on your PHP files then bypass my text file suggestion and go with the firewall DoS/flood protection.
    Last edited by st1905; 04-10-2011 at 03:03 PM.

  13. #13
    Join Date
    Sep 2010
    I would also suggest installing ClamAV and Maldet on your server. This will help prevent getting files like this on your server in the future, in addition to making sure that you have proper file/directory permissions.
