The Community Forums

Interact with an entire community of cPanel & WHM users!

Apache Got Attacked

Discussion in 'EasyApache' started by Christleo, Jul 12, 2003.

  1. Christleo

    Christleo Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    Process List:

    nobody 26228 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26229 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26230 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26231 0.0 0.7 12100 7692 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26232 0.0 0.7 12084 7664 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26233 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26234 0.0 0.7 13268 7652 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26235 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26237 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26238 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26239 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26240 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26241 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26242 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26243 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26244 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26245 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26246 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26247 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26248 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26249 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26250 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26251 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26252 6.0 0.9 13360 9412 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26255 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26256 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26257 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26258 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26259 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26260 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26261 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26262 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26263 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26264 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26265 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26266 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26267 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26268 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26269 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26270 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26271 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26272 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26273 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26274 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26275 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26276 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26277 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26278 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26279 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26280 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26281 0.0 0.7 12080 7584 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26282 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26283 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26284 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26285 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL
    nobody 26286 0.0 0.7 12080 7608 ? S 01:59 0:00 /usr/local/apache/bin/httpd -DSSL

    And many more!

    /usr/local/apache/logs/error_log


    [Sat Jul 12 22:17:00 2003] [error] [client 203.125.61.150] request failed: erroneous characters after protocol string: USER Vortex 203.125.61.150 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 220.255.54.155] request failed: erroneous characters after protocol string: USER Vortex 220.255.54.155 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 203.125.6.128] request failed: erroneous characters after protocol string: USER Vortex 169.254.254.118 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 210.24.224.123] request failed: erroneous characters after protocol string: USER Vortex 210.24.224.123 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 210.24.224.123] request failed: erroneous characters after protocol string: USER Vortex 210.24.224.123 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 210.24.225.18] request failed: erroneous characters after protocol string: USER Vortex 210.24.225.18 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 210.24.224.123] request failed: erroneous characters after protocol string: USER Vortex 210.24.224.123 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 220.255.54.155] request failed: erroneous characters after protocol string: USER Vortex 220.255.54.155 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 202.156.67.84] request failed: erroneous characters after protocol string: USER Vortex 202.156.67.84 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 202.156.67.84] request failed: erroneous characters after protocol string: USER Vortex 202.156.67.84 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 210.24.224.123] request failed: erroneous characters after protocol string: USER Vortex 210.24.224.123 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 203.125.6.128] request failed: erroneous characters after protocol string: USER Vortex 169.254.254.118 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 203.125.6.128] request failed: erroneous characters after protocol string: USER Vortex 169.254.254.118 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 210.24.224.123] request failed: erroneous characters after protocol string: USER Vortex 210.24.224.123 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 220.255.54.155] request failed: erroneous characters after protocol string: USER Vortex 220.255.54.155 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 203.125.114.72] request failed: erroneous characters after protocol string: USER Vortex 10.10.10.7 123.123.123.123 :IRC Component
    [Sat Jul 12 22:17:00 2003] [error] [client 203.125.61.150] request failed: erroneous characters after protocol string: USER Vortex 203.125.61.150 123.123.123.123 :IRC Component
    Many many more.....

    Whereby 123.123.123.123 is the server IP.
    There is no such user as Vortex....
    No shell access for any user...

    This causes httpd to overload, and pages cannot be found on the site..

    All IPs attacking are from SINGAPORE...
    Visited their ISPs' websites; all are from different ISPs with broadband access.... also with different IPs and ISPs.

    This attack has lasted 6 hrs and is still continuing.

    The error_log is growing by about 100 MB per hour.


    Any Idea on How to fix this?
     
    #1 Christleo, Jul 12, 2003
    Last edited: Jul 12, 2003
  2. dthigpen

    dthigpen Active Member

    Joined:
    May 29, 2003
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Apex, NC
    Add....

    Add an iptables chain to drop requests from all those IP blocks in Singapore.

  3. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
    You need to block the IPs with your firewall, or with straight iptables commands if you don't have a firewall. It's the only thing that will stop it.

  4. Christleo

    Christleo Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    Erm... I can't block all Singapore IPs, as I have some Singapore clients, so is there no other alternative??

  5. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
    Well, you can try blocking the selected IPs. But you may have to take out more. You can also run a whois on each and contact their ISPs' abuse departments. In the long run, you may have to make a choice. How many clients would you lose taking out IP blocks in Singapore versus all the rest of the clients on the server?
     
  6. Christleo

    Christleo Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    Is there any way to block just the

    request failed: erroneous characters after protocol string: IRC Component

  7. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
    They are DoS'ing your server with bots. The only way to stop them is to take the IPs out with iptables, either via a firewall or by direct command. You cannot let them get into your server. And who knows what they are really trying to do. They may be trying to break something down so they can get root. You need to stop them immediately or you could be in even more trouble.
     
  8. Christleo

    Christleo Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    DDoS can get root? Is it that serious? Because to my knowledge a DDoS is just an attack...

    There are lots of IP addresses attacking it; I don't think they know they are attacking it, but a hacker is just using their IPs to mask the attack..

    I can't manage to block all the IPs above; the log is about 100 MB since yesterday.

    Please advise..

  9. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
    Well, I've told you what I would do. I don't really know what else to say. Good luck with them.
     
  10. NiteStalker22

    NiteStalker22 Active Member

    Joined:
    May 13, 2002
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Ditto on the ipchains/iptables thing.. that's about the only way... at least to slow them down for now. You can always add individual IPs to the 'ACCEPT' list after dropping the entire block.


    Use..

    ipchains -L input

    OR

    iptables -L INPUT

    ..and see if anything (or much of anything) shows up. If there are only a few lines you don't really need, then run these. . .


    If you have IPChains..

    ipchains -F
    ipchains -A input -s 123.123.123.0/24 -j DENY


    If you have IPTables..

    iptables -F
    iptables -A INPUT -s 123.123.123.0/24 -j DROP


    If you need to allow someone after the fact..

    ipchains -I input 1 -s 123.123.123.123 -j ACCEPT

    OR

    iptables -I INPUT 1 -s 123.123.123.123 -j ACCEPT


    That's it. I'd check `cd && perl ../scripts/userps` as well. . .

    Maybe also dump the contents of the /usr/local/apache/domlogs directory or cp -a it to somewhere temporary..

    cd && cd ../usr/local/apache && cp -a ./domlogs ./tmp-domlogs && rm -f ./domlogs/* && cd ./domlogs && ls -lh ./

    See what shows up first and fills the fastest. Then suspend the user and edit the owner of /var/cpanel/users/username to 'OWNER=root' (So the reseller can't unsuspend.) ...

    I know this because sometimes a single domain can be pulling a lot of traffic and it makes things out to be a ddos.. when it's really not.

    G'luck.

  11. Curt

    Curt Well-Known Member

    Joined:
    Oct 16, 2001
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Christleo,
    How did you end up handling this? I have seen this same attack and I have been manually blocking the IP in my APF firewall.

    I am now looking to get a script created that would tail my error_log and look for IRC, then grab the source IP, see if it is in the firewall flat file, if not add it and restart the firewall. Now I just have to find someone to write the script :)

  12. Christleo

    Christleo Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    Christ Leo can't advise here..

    What I did was remove the IP from the server; it worked! After a while those attacks stopped, and I just added it back.

  13. Curt

    Curt Well-Known Member

    Joined:
    Oct 16, 2001
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for the reply. I was getting way too many random IP addresses to fight it manually, so I ended up paying to have a script written that works with the APF firewall and does the following:

    - Tails the /usr/local/apache/logs/error_log and grep for the following "IRC Component" (THIS WOULD NEED TO TAIL LIKE 50 or 100 LINES, LOOK AND GRAB MULTIPLE IP's IF MORE THAN ONE ATTACK)
    ============================
    [Sun Aug 17 13:19:25 2003] [error] [client 217.209.97.58] request failed: erroneous characters after protocol string: USER Vortex 192.168.2.100 109.50.253.23 :IRC Component
    ============================
    - Then it would copy the source IP or IP's from the "[client 217.209.97.58]" portion of the string
    - Then it would search for the IP in the /etc/apf/deny_hosts.rules file and if the IP exists in the file the script would just quit.
    - If the IP does not exist in the /etc/apf/deny_hosts.rules file, then append it to the end of the file and save it.
    - If it has appended an IP to the /etc/apf/deny_hosts.rules file then restart the firewall by issuing this command /usr/local/sbin/apf -restart
    - It may also have to restart apache
    - email me a message with the IP that was added.

    It is installed and seems to be working though it is still being tweaked a bit but I think this will lick the problem :)

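Editor's added example (not code from any poster in this thread, and not Curt's commissioned script): a Python version of the procedure Curt lays out in #13, which is also the automated form of the iptables/APF advice in #3, #7 and #10. It scans error_log lines for the "IRC Component" signature, counts hits per client, skips anything in a whitelist (Christleo's concern in #4 about legitimate Singapore clients), appends the rest to an APF deny_hosts.rules-style file without duplicating entries, and reports what it added so the caller knows whether a firewall restart is needed. Two points the thread's log makes worth building in: the address to block is the one in Apache's `[client ...]` field, which is the real TCP peer; the two addresses after `USER Vortex` are supplied by the bot itself (the thread shows 169.254.254.118 and 10.10.10.7 there) and must not be trusted. The `USER <user> <host> <server> :<realname>` shape is the IRC USER registration command, which is why Apache rejects it as "erroneous characters after protocol string". The sample log lines, the `min_hits` threshold and the whitelist are constructed for this example and are assumptions, not data from the page.

```python
import os
import re
import tempfile
from collections import Counter
import ipaddress

# Constructed sample in the shape shown in this thread (documentation-range
# addresses, not lines from a real server).  Only "[client ...]" is the real
# peer; the two addresses after "USER Vortex" are chosen by the bot.
SAMPLE_ERROR_LOG = """\
[Sat Jul 12 22:17:00 2003] [error] [client 203.0.113.10] request failed: erroneous characters after protocol string: USER Vortex 203.0.113.10 198.51.100.7 :IRC Component
[Sat Jul 12 22:17:00 2003] [error] [client 203.0.113.10] request failed: erroneous characters after protocol string: USER Vortex 203.0.113.10 198.51.100.7 :IRC Component
[Sat Jul 12 22:17:01 2003] [error] [client 203.0.113.44] request failed: erroneous characters after protocol string: USER Vortex 169.254.254.118 198.51.100.7 :IRC Component
[Sat Jul 12 22:17:01 2003] [error] [client 203.0.113.99] request failed: erroneous characters after protocol string: USER Vortex 10.10.10.7 198.51.100.7 :IRC Component
[Sat Jul 12 22:17:02 2003] [error] [client 203.0.113.200] File does not exist: /usr/local/apache/htdocs/favicon.ico
"""

# Match only the IRC-bot signature; capture the client field, never the payload.
IRC_LINE = re.compile(
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] request failed: "
    r"erroneous characters after protocol string: USER \S+ \S+ \S+ :IRC Component"
)


def irc_bot_hits(lines):
    """Count IRC-bot hits per real client IP, ignoring unrelated error lines."""
    hits = Counter()
    for line in lines:
        m = IRC_LINE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def candidates(hits, whitelist=(), min_hits=1):
    """IPs to block: at least min_hits and not inside any whitelisted network."""
    allowed = [ipaddress.ip_network(w) for w in whitelist]
    out = []
    for ip, n in sorted(hits.items()):
        addr = ipaddress.ip_address(ip)
        if n < min_hits or any(addr in net for net in allowed):
            continue
        out.append(ip)
    return out


def load_deny(path):
    """Entries already in a deny_hosts.rules-style file (one host per line, # comments)."""
    if not os.path.exists(path):
        return set()
    with open(path) as f:
        entries = (l.split("#", 1)[0].strip() for l in f)
        return {e for e in entries if e}


def update_deny(path, ips):
    """Append IPs not already listed; return those actually added (restart APF only if non-empty)."""
    present = load_deny(path)
    new = [ip for ip in ips if ip not in present]
    if new:
        with open(path, "a") as f:
            f.writelines(f"{ip}\n" for ip in new)
    return new


def run(log_text, deny_path, whitelist=(), min_hits=1):
    """One pass over a chunk of error_log (e.g. the last 100 lines); returns newly blocked IPs."""
    hits = irc_bot_hits(log_text.splitlines())
    return update_deny(deny_path, candidates(hits, whitelist, min_hits))


def tmp_deny_path():
    """Fresh scratch path standing in for /etc/apf/deny_hosts.rules."""
    return os.path.join(tempfile.mkdtemp(), "deny_hosts.rules")


if __name__ == "__main__":
    deny = tmp_deny_path()
    print("added:", run(SAMPLE_ERROR_LOG, deny, whitelist=["203.0.113.99/32"]))
    print("second pass, nothing new:", run(SAMPLE_ERROR_LOG, deny))
```

In production you would feed `run()` the tail of `/usr/local/apache/logs/error_log` from cron or a `tail -f` loop, point it at the real `/etc/apf/deny_hosts.rules`, and call `/usr/local/sbin/apf -restart` (and the e-mail step from Curt's list) only when the returned list is non-empty; restarting on every pass is what turns a log flood into a firewall flood. Raising `min_hits` above 1 trades a few seconds of extra noise for protection against blocking a legitimate client on one malformed request.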