Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Attempt of hack

[ninteen83]

Hi all

I'm not able to access my website. I've recieved an email from the webhosting team with the following message

----------------------------

Our server was heavily DoSed through your hosting account. Please see below:

tcp 0 0 66.116.228.238:80 217.197.156.197:29857 SYN_RECV -
tcp 0 0 66.116.228.238:80 201.135.134.33:2517 SYN_RECV -
tcp 0 0 66.116.228.238:80 218.94.61.136:3230 SYN_RECV -
tcp 0 0 66.116.228.238:80 61.220.150.2:2877 SYN_RECV -
tcp 0 0 66.116.228.238:80 203.169.250.29:3108 SYN_RECV -
tcp 0 0 66.116.228.238:80 194.63.225.1:54486 SYN_RECV -
tcp 0 0 66.116.228.238:80 219.93.174.108:39672 SYN_RECV -

and so on...

At the moment your IP address was filtered on the firewall to prevent the server from crashing. Please, check your scripts, applications, anything which might cause this. You need to close all the security holes.
----------------------------

I'm sure this is an attempt of hack.

What should i do now ?? Website is running on a Linux server

any help will be appreciated

Thanks

[eth00]

umm...you are getting DOS'ed which is not hacking. There is nothing you can do about your webpage, it is probably some script kiddie you pissed off. The server admin should be able to do some stuff to help with the DOS but you have to wait it out. Enabling syncookies will help if he has not.

[dkitchen]

Probably nothing wrong with your scripts, someone is just syn flooding the IP you are hosted upon.

Dan

[ninteen83]

thanks eth00 and Dan

this is what I recieved from webhosting team

-----------------
Unfortunately, it was not a security hole. What has happened is your site was a victim of a DOS attack. We had to block access to your site to make sure it did not overload our servers. You will need to find out who would want your site down because they hit your site over and over again from the same location in a very short time.
-----------------

Experts ! what I have to do to get my site back working? Any way to stop these DOS attack OR make my website secure from these attacks ?

I'll be much thankful

[eth00]

Nope there is nothing you can do. Any script kiddie with a botnet can randomly start attacking you. There is some stuff at a server and ISP level that can be done but they usually do little and only mitigate not prevent.

[albatross.smart]

Did you check up the files on your server this includes all the temperoary files that your clients uploaded. Check if there is any hidden trigger for the bots.

You can watch the logs to identify and target any particular client.

So be assured.

[ninteen83]

Quote:

Originally posted by eth00
Nope there is nothing you can do. Any script kiddie with a botnet can randomly start attacking you. There is some stuff at a server and ISP level that can be done but they usually do little and only mitigate not prevent.

They said that they will remove filter once dos wave will go down

thanks eth00

[ninteen83]

Quote:

Originally posted by albatross.smart
Did you check up the files on your server this includes all the temperoary files that your clients uploaded. Check if there is any hidden trigger for the bots.

You can watch the logs to identify and target any particular client.

So be assured.

hi albatross .. thanks for the reply

I'm running a phpBB2 based forum on the site. let me see if there is any such kind of files

[debrown3rd]

Quote:

Originally posted by ninteen83
thanks eth00 and Dan

this is what I recieved from webhosting team

-----------------
Unfortunately, it was not a security hole. What has happened is your site was a victim of a DOS attack. We had to block access to your site to make sure it did not overload our servers. You will need to find out who would want your site down because they hit your site over and over again from the same location in a very short time.
-----------------

Experts ! what I have to do to get my site back working? Any way to stop these DOS attack OR make my website secure from these attacks ?

I'll be much thankful

If it is truly coming from the same location then they should be able to drop just that IP at the router and not effect your machine otherwise. Equally, I would be asking them to respond to the DOS attack since it is their network. Whoever you are hosted through isn't stepping up to the plate.