
Thread: httpd attack

  1. #1

    httpd attack

    [code]
    [[email protected] ~]# /usr/sbin/lsof -p 3512
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    httpd 3512 apache cwd DIR 0,95 1024 29212687 /
    httpd 3512 apache rtd DIR 0,95 1024 29212687 /
    httpd 3512 apache txt REG 0,95 259456 32612407 /usr/sbin/httpd
    httpd 3512 apache mem REG 0,95 105213 32613187 /lib/ld-2.3.4.so
    httpd 3512 apache mem REG 0,95 21303 32614540 /lib/libsafe.so.2.0.16
    httpd 3512 apache mem REG 0,95 6460 39788632 /usr/lib/httpd/modules/mod_access.so
    httpd 3512 apache mem REG 0,95 7708 39788636 /usr/lib/httpd/modules/mod_auth.so
    httpd 3512 apache mem REG 0,95 5248 39788637 /usr/lib/httpd/modules/mod_auth_anon.so
    httpd 3512 apache mem REG 0,95 62264 32613262 /lib/libpcre.so.0.0.1
    httpd 3512 apache mem REG 0,95 7212 32729256 /usr/lib/libpcreposix.so.0.0.0
    httpd 3512 apache mem REG 0,95 81236 32728643 /usr/lib/libaprutil-0.so.0.9.4
    httpd 3512 apache mem REG 0,95 201188 32729480 /usr/lib/libldap-2.2.so.7.0.6
    httpd 3512 apache mem REG 0,95 47212 32729478 /usr/lib/liblber-2.2.so.7.0.6
    httpd 3512 apache mem REG 0,95 844068 32613171 /lib/tls/i686/libdb-4.2.so
    httpd 3512 apache mem REG 0,95 122048 32729201 /usr/lib/libexpat.so.0.5.0
    httpd 3512 apache mem REG 0,95 138260 32728641 /usr/lib/libapr-0.so.0.9.4
    httpd 3512 apache mem REG 0,95 45739 32613168 /lib/tls/librt-2.3.4.so
    httpd 3512 apache mem REG 0,95 176195 32613164 /lib/tls/libm-2.3.4.so
    httpd 3512 apache mem REG 0,95 25487 32613202 /lib/libcrypt-2.3.4.so
    httpd 3512 apache mem REG 0,95 91889 32613161 /lib/tls/libpthread-2.3.4.so
    httpd 3512 apache mem REG 0,95 13620 32613204 /lib/libdl-2.3.4.so
    httpd 3512 apache mem REG 0,95 1451366 32613162 /lib/tls/libc-2.3.4.so
    httpd 3512 apache mem REG 0,95 77740 32613236 /lib/libresolv-2.3.4.so
    httpd 3512 apache mem REG 0,95 80844 32729476 /usr/lib/libsasl2.so.2.0.19
    httpd 3512 apache mem REG 0,95 211948 32613371 /lib/libssl.so.0.9.7a
    httpd 3512 apache mem REG 0,95 956392 32613370 /lib/libcrypto.so.0.9.7a
    httpd 3512 apache mem REG 0,95 80948 32729408 /usr/lib/libgssapi_krb5.so.2.2
    httpd 3512 apache mem REG 0,95 413704 32729422 /usr/lib/libkrb5.so.3.2
    httpd 3512 apache mem REG 0,95 5668 32613190 /lib/libcom_err.so.2.1
    httpd 3512 apache mem REG 0,95 134640 32729412 /usr/lib/libk5crypto.so.3.0
    httpd 3512 apache mem REG 0,95 62248 32729184 /usr/lib/libz.so.1.2.1.2
    httpd 3512 apache mem REG 0,95 6976 39788638 /usr/lib/httpd/modules/mod_auth_dbm.so
    httpd 3512 apache mem REG 0,95 26748 39788639 /usr/lib/httpd/modules/mod_auth_digest.so
    httpd 3512 apache mem REG 0,95 35432 39788658 /usr/lib/httpd/modules/mod_ldap.so
    httpd 3512 apache mem REG 0,95 20844 39788640 /usr/lib/httpd/modules/mod_auth_ldap.so
    httpd 3512 apache mem REG 0,95 35936 39788656 /usr/lib/httpd/modules/mod_include.so
    httpd 3512 apache mem REG 0,95 18432 39788659 /usr/lib/httpd/modules/mod_log_config.so
    httpd 3512 apache mem REG 0,95 5084 39788650 /usr/lib/httpd/modules/mod_env.so
    httpd 3512 apache mem REG 0,95 19632 39788664 /usr/lib/httpd/modules/mod_mime_magic.so
    httpd 3512 apache mem REG 0,95 6528 39788643 /usr/lib/httpd/modules/mod_cern_meta.so
    httpd 3512 apache mem REG 0,95 8568 39788651 /usr/lib/httpd/modules/mod_expires.so
    httpd 3512 apache mem REG 0,95 12704 39788647 /usr/lib/httpd/modules/mod_deflate.so
    httpd 3512 apache mem REG 0,95 10656 39788654 /usr/lib/httpd/modules/mod_headers.so
    httpd 3512 apache mem REG 0,95 8576 39788677 /usr/lib/httpd/modules/mod_usertrack.so
    httpd 3512 apache mem REG 0,95 8608 39788671 /usr/lib/httpd/modules/mod_setenvif.so
    httpd 3512 apache mem REG 0,95 13308 39788663 /usr/lib/httpd/modules/mod_mime.so
    httpd 3512 apache mem REG 0,95 80316 39788645 /usr/lib/httpd/modules/mod_dav.so
    httpd 3512 apache mem REG 0,95 17172 39788673 /usr/lib/httpd/modules/mod_status.so
    httpd 3512 apache mem REG 0,95 28640 39788641 /usr/lib/httpd/modules/mod_autoindex.so
    httpd 3512 apache mem REG 0,95 5032 39788635 /usr/lib/httpd/modules/mod_asis.so
    httpd 3512 apache mem REG 0,95 12172 39788657 /usr/lib/httpd/modules/mod_info.so
    httpd 3512 apache mem REG 0,95 39324 39788646 /usr/lib/httpd/modules/mod_dav_fs.so
    httpd 3512 apache mem REG 0,95 7556 39788678 /usr/lib/httpd/modules/mod_vserver_alias.so
    httpd 3512 apache mem REG 0,95 26532 39788665 /usr/lib/httpd/modules/mod_negotiation.so
    httpd 3512 apache mem REG 0,95 5820 39788648 /usr/lib/httpd/modules/mod_dir.so
    httpd 3512 apache mem REG 0,95 11612 39788655 /usr/lib/httpd/modules/mod_imap.so
    httpd 3512 apache mem REG 0,95 5824 39788633 /usr/lib/httpd/modules/mod_actions.so
    httpd 3512 apache mem REG 0,95 9180 39788672 /usr/lib/httpd/modules/mod_speling.so
    httpd 3512 apache mem REG 0,95 6496 39788676 /usr/lib/httpd/modules/mod_userdir.so
    httpd 3512 apache mem REG 0,95 9308 39788634 /usr/lib/httpd/modules/mod_alias.so
    httpd 3512 apache mem REG 0,95 53920 39788670 /usr/lib/httpd/modules/mod_rewrite.so
    httpd 3512 apache mem REG 0,95 32540 39788666 /usr/lib/httpd/modules/mod_proxy.so
    httpd 3512 apache mem REG 0,95 30540 39788668 /usr/lib/httpd/modules/mod_proxy_ftp.so
    httpd 3512 apache mem REG 0,95 19468 39788669 /usr/lib/httpd/modules/mod_proxy_http.so
    httpd 3512 apache mem REG 0,95 7664 39788667 /usr/lib/httpd/modules/mod_proxy_connect.so
    httpd 3512 apache mem REG 0,95 22580 39788642 /usr/lib/httpd/modules/mod_cache.so
    httpd 3512 apache mem REG 0,95 4764 39788674 /usr/lib/httpd/modules/mod_suexec.so
    httpd 3512 apache mem REG 0,95 13120 39788649 /usr/lib/httpd/modules/mod_disk_cache.so
    httpd 3512 apache mem REG 0,95 8092 39788653 /usr/lib/httpd/modules/mod_file_cache.so
    httpd 3512 apache mem REG 0,95 19008 39788662 /usr/lib/httpd/modules/mod_mem_cache.so
    httpd 3512 apache mem REG 0,95 20188 39788644 /usr/lib/httpd/modules/mod_cgi.so
    httpd 3512 apache mem REG 0,95 1544468 39788977 /usr/lib/httpd/modules/libphp4.so
    httpd 3512 apache mem REG 0,95 93444 32613208 /lib/libnsl-2.3.4.so
    httpd 3512 apache mem REG 0,95 2784 32729460 /usr/lib/libpspell.so.15.0.3
    httpd 3512 apache mem REG 0,95 657289 32810612 /usr/lib/sse2/libgmp.so.3.3.3
    httpd 3512 apache mem REG 0,95 190980 32729464 /usr/lib/libcurl.so.3.0.0
    httpd 3512 apache mem REG 0,95 70388 32729193 /usr/lib/libbz2.so.1.0.2
    httpd 3512 apache mem REG 0,95 192324 32729322 /usr/lib/libidn.so.11.4.6
    httpd 3512 apache mem REG 0,95 618900 32729458 /usr/lib/libaspell.so.15.0.3
    httpd 3512 apache mem REG 0,95 793000 32729211 /usr/lib/libstdc++.so.6.0.3
    httpd 3512 apache mem REG 0,95 29308 32613184 /lib/libgcc_s-3.4.4-20050721.so.1
    httpd 3512 apache mem REG 0,95 45800 32613224 /lib/libnss_files-2.3.4.so
    httpd 3512 apache mem REG 0,95 10132 47464511 /usr/local/Zend/lib/ZendExtensionManager.so
    httpd 3512 apache mem REG 0,95 41076 39780456 /usr/lib/php4/mysql.so
    httpd 3512 apache mem REG 0,95 1255368 34267142 /usr/lib/mysql/libmysqlclient.so.14.0.0
    httpd 3512 apache mem REG 0,95 980772 47464520 /usr/local/Zend/lib/Optimizer-3.0.1/php-4.3.x/ZendOptimizer.so
    httpd 3512 apache 0r CHR 1,3 32612988 /dev/null
    httpd 3512 apache 1w CHR 1,3 32612988 /dev/null
    httpd 3512 apache 2w REG 0,95 3958834 29827146 /var/log/httpd/error_log
    httpd 3512 apache 3u IPv4 1343951534 TCP domainhost.us:http (LISTEN)
    httpd 3512 apache 4r FIFO 0,7 1343951591 pipe
    httpd 3512 apache 5w FIFO 0,7 1343951591 pipe
    httpd 3512 apache 6w REG 0,95 3958834 29827146 /var/log/httpd/error_log
    httpd 3512 apache 7w REG 0,95 1134764862 29827145 /var/log/httpd/access_log
    httpd 3512 apache 8u REG 0,95 0 50249732 (deleted) /tmp/ZCUD2oYCM9
    [/code]


    netstat shows no connections... (sample)

    [code]
    [[email protected] ~]# netstat -n
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxx.xxx.70.102:22 24.87.27.189:61965 ESTABLISHED
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4821 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4820 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4819 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4818 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4817 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4816 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4807 ESTABLISHED
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4806 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4805 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4804 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4803 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4802 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4801 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4800 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4815 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4814 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4813 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4812 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4811 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4810 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4809 TIME_WAIT
    tcp 0 3226 xxx.xxx.70.102:80 222.212.224.171:3744 FIN_WAIT1
    tcp 0 0 xxx.xxx.70.102:80 203.175.141.42:4808 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 221.232.56.11:1132 TIME_WAIT
    tcp 0 369 xxx.xxx.70.102:80 221.232.56.11:1130 FIN_WAIT1
    tcp 0 0 xxx.xxx.70.102:80 221.232.56.11:1131 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 221.232.56.11:1149 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 221.232.56.11:1150 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 61.153.44.87:15483 TIME_WAIT
    tcp 0 959 xxx.xxx.70.102:80 221.232.56.11:1167 FIN_WAIT1
    tcp 0 5691 xxx.xxx.70.102:80 61.153.44.87:15838 FIN_WAIT1
    tcp 0 0 xxx.xxx.70.102:80 61.153.44.87:15868 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4156 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4159 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4153 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4152 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4155 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4154 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4149 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4151 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4150 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4147 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4146 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4143 TIME_WAIT
    tcp 0 288 xxx.xxx.70.102:22 69.117.99.139:33066 ESTABLISHED
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4172 TIME_WAIT
    tcp 0 10602 xxx.xxx.70.102:80 60.216.193.189:50001 FIN_WAIT1
    tcp 0 0 xxx.xxx.70.102:80 218.94.6.26:4170 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 219.139.252.153:44267 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 219.139.252.153:44259 TIME_WAIT
    tcp 0 0 xxx.xxx.70.102:80 219.139.252.153:44286 TIME_WAIT
    tcp 0 1 xxx.xxx.70.102:80 219.139.252.153:44284 CLOSING
    tcp 0 1 xxx.xxx.70.102:80 219.139.252.153:44285 LAST_ACK
    [/code]


    I've installed prm, apf, bfd, dosdeflate, spri, lsm, and a few others.


    It appears the attack is on port 80 but I cannot trace it.
    Attached Thumbnails: top.gif
    Last edited by r00t pAsSw0rd; 09-17-2006 at 01:22 AM.

  2. #2
    Join Date
    Apr 2004
    Location
    San Jose
    Posts
    902
    Can you tell us why you think your system is under attack?

    Is it possible you've turned off KeepAlive? That would explain all the TIME_WAITs for closed connections from the same IPs.
    Specializing in MySQL and website tuning for high traffic sites. cmwsci.com/

  3. #3
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Server load seems alright. Is this a Plesk or DirectAdmin box?
    Upload Guardian 2 - Malicious Upload Scanner - Windows and Linux!
    Instantly scan uploaded files
    Get notified when released

  4. #4
    Hi,

    Your server seems to be working fine...

    The /usr/sbin/lsof -p 3512 result is showing you the libraries and files that are used by the process in execution. When you use netstat... there will always be some sort of listing related to TIME_WAIT, and this might be because of many reasons. With these details it doesn't seem, or we cannot confirm, that your server is under attack. Also, without knowing the actual server usage and other things... we cannot recommend any settings modification in Apache.
    liwiplus Team,
    http://www.liwiplus.com
    The Support Sages

  5. #5
    netstat -ntu | grep ":80" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


    Run it about 5 times in 2 minutes.
    If you find an IP or some IPs going up with many connections fast, unlike any other IP, then it's an Apache flood.
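As an added example (not code from any poster in this thread), here is the counting one-liner from post #5 wrapped as shell functions that also restrict the count to chosen connection states, so the TIME_WAIT pile-up that post #2 attributes to KeepAlive being off is not mistaken for live connections. The netstat sample, its IPs and the threshold of 3 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not from the thread's server).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:4821        TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.7:4822        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:4823        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:4824        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:1130       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:1131       TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.44:33066        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:50001        FIN_WAIT1'

# Count connections to local port 80 per foreign IP, as the thread's one-liner
# does, but only for the states given as an ERE alternation (e.g. "ESTABLISHED|SYN_RECV").
# Counting only live states keeps TIME_WAIT entries (closed connections whose
# sockets just have not been reaped yet) from inflating a client's count.
# Usage: netstat -ntu | count_port80 "STATE1|STATE2"
count_port80() {
    awk -v states="$1" '
        $1 == "tcp" && $4 ~ /:80$/ && $6 ~ ("^(" states ")$") {
            split($5, a, ":"); n[a[1]]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -n
}

# Print the foreign IPs whose count in the given states reaches the threshold.
# Usage: netstat -ntu | flag_flooders THRESHOLD "STATE1|STATE2"
flag_flooders() {
    count_port80 "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample: per-IP live counts, then flags.
printf '%s\n' "$SAMPLE" | count_port80 "ESTABLISHED|SYN_RECV"
printf '%s\n' "$SAMPLE" | flag_flooders 3 "ESTABLISHED|SYN_RECV"
```

Run it against live output several times a minute, as post #5 suggests, and compare the per-IP counts between runs rather than trusting a single snapshot.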
