  1. #1

    Caught a customer with a DOS Script

    I don't have any questions in this post, just wanted to rant a little about a customer I caught on one of my servers attempting a DOS attack on another website. I can't really say it was a real DOS attack, but maybe a way for this guy to try to slow this other guy's site down and run his bandwidth up.

    So here it goes. I notice the load of one of my servers starts going really high for a while. So I log in to the server and see a ton of httpd processes running. A lot more than normal. So I trace one of the services and I see that it is coming from a script running on one of my resellers' accounts. This person had just bought one of my larger reseller packages and had been hosting with me for less than a month.

    So I track down the script and it is just a simple php script with one loop in it. It basically looped 1000 times with the command to get a picture that was on this other guy's site. And I had literally hundreds and hundreds of httpd processes running this script over and over.

    So I log into the one control panel for the first domain I found doing this. I look at his cron jobs, and he has about 50 cron jobs, each to run every minute...running that script. So I kill all of his cron jobs, but still see a lot of processes running. I track them down to 7 domains, each calling this same script.

    So I kill all the domains, and the server load is good again. However, I am still seeing a lot of processes coming from outside my server.

    They were coming from two of the IP addresses back to another web hosting company. I am pretty sure this person had cron jobs over on this guy's hosting company as well. I blocked his IP addresses and everything appeared to stop.

    Since I traced the IP addresses to this other hosting company, I did a whois on them and e-mailed both their abuse and admin contacts. The hosting company was called anyone ever heard of them? Well I never even received a response. What a joke. If someone was reported to me doing that on my server, I would at least look into it and give them a response.

    At any rate, I was able to catch this guy doing this within about 15 minutes of it starting, so I am pretty happy about that.

    I should have caught this order as a fraudulent order, but we have been a little backed up with site designs and such lately that I haven't had the resources to scrutinize all of our incoming orders.

    This one was really obvious though. First they bought our largest reseller package and paid a year up front. No questions asked. That usually doesn't happen. Then the billing was from a lady in Miami. The domain name was registered through "Euro-dns" and the contact e-mail was "[email protected]". Pretty fishy and should have been caught right away.

    Anyways, I thought it was a sneaky thing to do, and I wanted to post it here just in case anyone comes across the same thing.
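
As an added example (not part of the original post): a small Python check for the pattern described above, where one account holds dozens of cron entries that all run every minute. The crontab contents, account names, paths and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: account name -> crontab text, as `crontab -l -u USER` prints it.
SAMPLE_CRONTABS = {
    "reseller1": "MAILTO=\"\"\n" + "* * * * * php /home/reseller1/public_html/loop.php\n" * 50,
    "shop": "# nightly backup\n0 3 * * * /home/shop/bin/backup.sh\n"
            "*/5 * * * * php /home/shop/cron.php\n@reboot /home/shop/bin/start.sh\n",
}

ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def per_minute_jobs(crontab_text):
    """Return the commands of all entries scheduled to run every minute."""
    commands = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, @reboot/@daily shortcuts and VAR=value lines.
        if not line or line[0] in "#@" or ENV_ASSIGNMENT.match(line):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6 and all(f in ("*", "*/1") for f in fields[:5]):
            commands.append(fields[5])
    return commands

def audit(crontabs, threshold=10):
    """Map each account at or above the (assumed) threshold to
    (total per-minute jobs, most repeated command, its repeat count)."""
    findings = {}
    for user, text in crontabs.items():
        counts = Counter(per_minute_jobs(text))
        total = sum(counts.values())
        if total >= threshold:
            command, repeats = counts.most_common(1)[0]
            findings[user] = (total, command, repeats)
    return findings

if __name__ == "__main__":
    for user, (total, command, repeats) in audit(SAMPLE_CRONTABS).items():
        print(f"{user}: {total} every-minute jobs, {repeats}x {command!r}")
```
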



  2. #2
    I got dibs on his feet!

  3. #3
    I think snort can automatically do the job for you.

  4. #4
    ThePlanet/Servermatrix are usually pretty fast at pulling offending boxes (some say a little too fast). Guess they missed this one.

  5. #5

  6. #6
    Originally posted by nowisph
    I think snort can automatically do the job for you.

    So do you use snort? I am wondering exactly what it does. Does it just monitor the traffic and notify you of suspicious activities, or does it just block that traffic right away?

    Does it use a lot of resources to run?


  7. #7
    Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
    Visit to download.

    It shouldn't be a resource hog at all
