Apache being Attacked

Discussion in 'EasyApache' started by ccccanada, Sep 2, 2004.

  1. ccccanada

    Hello!

    I have one domain on one of our servers that seems to be going through some type of attack. The problem is it is also taking down Apache, and the whole server keeps going down.

    Under WHM "Apache Status" I see hundreds of the following, always requesting 6.jpg or b.jpg, but each request is coming from a different IP address.


    0-658 11880 1/1/67654 K 0.00 15 0 0.4 0.000 500.64 201.8.62.1 domain.com GET /6.jpg HTTP/1.1
    1-658 11883 1/1/67783 K 0.01 14 0 0.4 0.000 527.16 200.151.80.114 domain.com GET /6.jpg HTTP/1.1
    2-658 11878 1/2/66697 K 0.01 14 2 0.4 0.000 614.09 63.203.101.147 domain.com GET /b.jpg HTTP/1.1

    There were 1.5 million requests within a 10 hour period and Apache keeps going down.

    The only way of stopping this is by deleting the domain that is being attacked, and then everything goes back to normal after a while, but if I create the domain again after a couple of days it's the same thing again immediately.

    There is no increase in bandwidth and the CPU load is fairly low 0.36 (4 cpus)

    Has anyone experienced such an attack and has a way of fighting this??

    Since this could happen to any one of us I think this should be fairly important to everyone.

    Please help with this problem if you have an answer.

    Thank you!
     
  2. ccccanada

    Has nobody else had this type of attack??
     
  3. chirpy

    I would suggest that you check the referrer logs for the domain to see if the requests are coming from another web site. An example where I have seen this is where people store message board avatar images on their website and then reference them from message boards which can really be bandwidth hogs.

    One way to block that kind of activity is to use the "Hotlink Protection" feature in cPanel.
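
Added example, not part of the original thread: one way to run the referrer-log check suggested above over an Apache access log. It assumes the "combined" log format and that requests for nonexistent files are logged as 404; the thresholds, the sample lines and the names `/avatar.gif` and `forum.example` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def summarize(lines, own_host="domain.com"):
    """Per-path hit count, distinct clients, status codes and external referer hosts."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "status": Counter(), "referers": Counter()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["path"]]
        s["hits"] += 1
        s["ips"].add(m["ip"])
        s["status"][m["status"]] += 1
        host = urlparse(m["referer"]).hostname or "-"  # "-" means no referer was sent
        if host != own_host and not host.endswith("." + own_host):
            s["referers"][host] += 1
    return stats

def classify(s, min_hits=4):
    """Rough triage of one path's stats (thresholds are illustrative assumptions)."""
    if s["hits"] < min_hits:
        return "normal"
    top_ref, top_count = s["referers"].most_common(1)[0] if s["referers"] else ("-", 0)
    if top_ref != "-" and top_count / s["hits"] >= 0.8:
        return "hotlink:" + top_ref   # one external site drives the traffic
    if len(s["ips"]) / s["hits"] >= 0.8 and s["status"]["404"] / s["hits"] >= 0.8:
        return "distributed-404"      # many clients, about one hit each, file missing
    return "normal"

def triage(lines):
    return {path: classify(s) for path, s in summarize(lines).items()}

# Constructed sample lines (documentation IP ranges, not taken from the thread's server).
def make_line(ip, path, status, referer):
    return (f'{ip} - - [02/Sep/2004:10:00:00 -0400] "GET {path} HTTP/1.1" '
            f'{status} 300 "{referer}" "Mozilla/4.0"')
SAMPLE = ([make_line(f"192.0.2.{i}", "/6.jpg", 404, "-") for i in range(1, 7)]
          + [make_line(f"198.51.100.{i % 2}", "/avatar.gif", 200, "http://forum.example/t/1") for i in range(5)]
          + [make_line("203.0.113.5", "/index.html", 200, "-")])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `hotlink:` verdict is the case Hotlink Protection addresses; a `distributed-404` verdict has no single referring site to block, so it points toward request-rate controls instead.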
     
  4. ccccanada

    Thanks for the reply!

    That is not the problem. Hotlink Protection is enabled and the requests are coming from millions of different IP addresses.

    The images requested do not exist, nor have they ever existed, in that website.
    The website is a 4-page HTML website with no guestbooks or forums or anything else.

    Also there is no bandwidth to speak of. The only thing is that Apache gets an incredible amount of requests per second and can't handle it.

    This is the strangest thing I have ever seen, and the response from my datacenter is that maybe my server can't handle a site such as this.

    webalizer shows 150,000 hits and sites per hour but no visitors or bandwidth.

    awstats does not show anything.
     
  5. casey

    Is this a VPS? If not, install apf and turn on the anti-dos feature.
     
  6. ccccanada

    Hi Casey!

    That's done already. I had a whole security package installed and nothing helped.

    Thanks for the response though.

    Harold
     
  7. chirpy

    Did that package include mod_dosevasive? It can be a bit hit and miss, but when it works, it does the job.
     
  8. Misiek

    Hmm, and do you have mod security installed also??
     