hosted by liquidweb


Go Back   Web Hosting Talk : Web Hosting Main Forums : VPS Hosting : Server being hit by a botnet.
Reply

Forum Jump

Server being hit by a botnet.

Reply Post New Thread In VPS Hosting Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old 09-02-2013, 08:18 AM
ChrisZA ChrisZA is offline
Newbie
 
Join Date: Jan 2010
Posts: 9

Server being hit by a botnet.


My server is being hit by a botnet and it has been going for a few hours now. I have stopped the attack by activating cloudflares "im under attack" mode for now.

The attack started yesterday and stopped late last night but then started up again today.

I am afraid using the site in the under attack mode will also be blocking google bots from my site, so I would like to turn that off sometime.

Anyone got any solutions for me?

Forgot to mention they are hitting my /wp-login.php file.

Thanks


Last edited by ChrisZA; 09-02-2013 at 08:22 AM.


Sponsored Links
  #2  
Old 09-02-2013, 08:31 AM
ES - George ES - George is offline
Corporate Member
 
Join Date: Jun 2011
Posts: 1,213
The wp-login.php attack is very pesky. There's guidance here on mitigating/blocking it:

http://codex.wordpress.org/Brute_Force_Attacks

__________________
Regards,
George.

  #3  
Old 09-02-2013, 08:45 AM
ChrisZA ChrisZA is offline
Newbie
 
Join Date: Jan 2010
Posts: 9
Thanks I will have a look and see if it helps.

Sponsored Links
  #4  
Old 09-02-2013, 08:47 AM
ES - George ES - George is offline
Corporate Member
 
Join Date: Jun 2011
Posts: 1,213

__________________
Regards,
George.

  #5  
Old 09-02-2013, 09:15 AM
ChrisZA ChrisZA is offline
Newbie
 
Join Date: Jan 2010
Posts: 9
Correct me if I am wrong, do I post the script from that page in my .htaccess file?

When I add it to my .htaccess file my site returns a 500 error.

Sorry if im being stupid, I am pretty tired.

  #6  
Old 09-02-2013, 02:14 PM
Slim Shaddy Slim Shaddy is offline
WHT Addict
 
Join Date: Jan 2013
Posts: 141
Re: Server being hit by a botnet.

I have the same issue. You can use wordfense plugin to protect your blog against brutal attract. I do the same. Also you can block those IP using vps firewall. Now there's no issue.

  #7  
Old 09-02-2013, 11:12 PM
vanHelsing vanHelsing is offline
Junior Guru
 
Join Date: Apr 2004
Posts: 199
Re: Server being hit by a botnet.

Do you have firewall like csf? That might do some good with those many login attemps.

__________________
Code goes in and code comes out..

  #8  
Old 09-03-2013, 02:39 AM
Time4VPS Time4VPS is offline
Web Hosting Master
 
Join Date: Dec 2012
Location: Lithuania
Posts: 690
1. Go with Cloudflare (even FREE plan can help)
2. Install CSF firewall software
3. Install fail2ban (optional, may have some issues with CSF)
4. Install mod_security to avoid most XSS attacks

__________________
Build a custom VPS in Europe | VPS Resellers welcome
Enterprise-level quality at an affordable price.
Time4VPS: Flexible, worry-free VPS hosting.

  #9  
Old 09-03-2013, 02:45 AM
ChrisZA ChrisZA is offline
Newbie
 
Join Date: Jan 2010
Posts: 9
Quote:
Originally Posted by vanHelsing View Post
Do you have firewall like csf? That might do some good with those many login attemps.
I do use csf and it seems to be doing nothing, guess it just thinks its regular traffic.

The attack seems to have died down for now.

Cloudflare has been my best defense this far, I would recommend using them for times like these.

Thanks to everyone here for the helpful info.

  #10  
Old 09-03-2013, 02:53 AM
ChrisZA ChrisZA is offline
Newbie
 
Join Date: Jan 2010
Posts: 9
Quote:
Originally Posted by Time4VPS View Post
1. Go with Cloudflare (even FREE plan can help)
2. Install CSF firewall software
3. Install fail2ban (optional, may have some issues with CSF)
4. Install mod_security to avoid most XSS attacks
Cloudflare was a life saver, I use the free version and activated "I am under attack mode" once that was active it stopped everything. If anyone does do this, you may need to restart your httpd service after activating attack mode.

I have CSF but that did nothing with this attack.
I'll have a look at fail2ban and definitely install mod_sec.

Thanks for the tips.

  #11  
Old 09-03-2013, 02:55 AM
Time4VPS Time4VPS is offline
Web Hosting Master
 
Join Date: Dec 2012
Location: Lithuania
Posts: 690
Quote:
Originally Posted by VexBlade View Post
<...>

I have CSF but that did nothing with this attack.
Each attack is unique. You need to tune-up CSF to handle requests properly. Default configuration of CSF not always can help.

I'am glad that you solved your issue. Let WHT know if you have any more problems

__________________
Build a custom VPS in Europe | VPS Resellers welcome
Enterprise-level quality at an affordable price.
Time4VPS: Flexible, worry-free VPS hosting.

  #12  
Old 09-03-2013, 07:32 AM
ChronicMusic ChronicMusic is offline
Junior Guru Wannabe
 
Join Date: Aug 2013
Location: London
Posts: 45
Why do hackers have to ruin everything.

Sorry to sound stupid but what is Cloudflare, how does it work?

  #13  
Old 09-03-2013, 09:24 AM
incloudibly incloudibly is offline
Premium Member
 
Join Date: Sep 2012
Location: Switzerland
Posts: 141
Quote:
Originally Posted by ChronicMusic View Post
Why do hackers have to ruin everything.

Sorry to sound stupid but what is Cloudflare, how does it work?
In a nutshell Cloudflare is a CDN company that also focuses on protection from online threats. You'll find more information on their website.

__________________
INCLOUDIBLY.NET :: DDoS Protected Hosting

  #14  
Old 09-03-2013, 10:37 AM
infinitnet infinitnet is offline
Web Hosting Master
 
Join Date: Dec 2011
Location: Germany
Posts: 910
Quote:
Originally Posted by VexBlade View Post
I do use csf and it seems to be doing nothing, guess it just thinks its regular traffic.

The attack seems to have died down for now.

Cloudflare has been my best defense this far, I would recommend using them for times like these.

Thanks to everyone here for the helpful info.
You can use fail2ban with a custom regex to ban IPs which hit wp-login.php for more than 5 times a minute for instance. Let me know if you want to go with that, as I could quickly write you a fitting regex if you could post your access log entries and the log path.

__________________
r00t-Services.net | Anti DDoS, WAF, Security, Optimization, Troubleshooting.
In business since 2011 | Contact us: support[at]r00t-services.net
Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  #15  
Old 09-04-2013, 04:16 AM
BrianHarrison BrianHarrison is offline
Web Hosting Master
 
Join Date: May 2013
Location: USA
Posts: 748
Quote:
Originally Posted by HVH - George View Post
This mod_rewrite patch has worked well for our customers who have become targeted by this attack.

__________________
▄▀▄ Brian Harrison, Lead Programmer - Reprise Hosting (AS62838)
▄▀▄ Deals on private VPN service plans. OpenVPN and PPTP! Unmetered bandwidth.
▄▀▄ Website migration, 24/7/365 support, basic server setup, 15 day money back.
▄▀▄ Looking for DEALS on self-managed cheap VPS hosting? Visit VPSHostingDEAL.com

Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
My server is under SYN and/or botnet, how can I prevent this attack? SiSHCO Hosting Security and Technology 14 03-16-2010 02:57 AM
Botnet attack my server HomerJSimpson Hosting Security and Technology 4 11-03-2009 03:19 PM
Attack from a Botnet on my Root Server, with the same Referer. Internoc24 Hosting Security and Technology 6 09-23-2007 04:36 AM
Can you hit my server? Jhorra Other Reviews 6 03-12-2007 03:37 PM

Related posts from TheWhir.com
Title Type Date Posted
Canadian Web Hosting Joins OpenStack Foundation, Preps Public Cloud Launch Web Hosting News 2013-05-15 15:36:46
Polish Domain Registry NASK Seizes Domains Used in Pervasive Virut Botnet Web Hosting News 2013-01-21 16:56:31
Canadian Web Hosting Offers New Botnet and Malware Prevention Service Web Hosting News 2012-11-02 15:12:55
Email Security Firm eleven Finds Drive-By Malware on the Rise Web Hosting News 2012-10-18 13:21:25
Microsoft Reaches Settlement with Nitol Botnet Host 3322.org Web Hosting News 2012-10-05 13:13:16


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
Advertisement:
Web Hosting News:



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?