Can I block a specific incoming http request

Discussion in 'General Discussion' started by noimad1, May 6, 2005.

  1. noimad1

    noimad1 Well-Known Member

    We are receiving a ddos attack for one of our domains on a specific file. If I do an apache status I see these requests:

    0.0 0.00 0.03 209.105.192.159 www.dxfonline.com GET /webadm/web.php HTTP/1.1
    110-0 - 0/0/38 . 0.00 198 0 0.0 0.00 0.01 217.195.69.154 www.dxfonline.com GET /webadm/web.php HTTP/1.0
    111-0 - 0/0/34 . 0.01 249 0 0.0 0.00 0.01 64.163.127.59 www.dxfonline.com GET /webadm/web.php HTTP/1.1
    112-0 - 0/0/37 . 0.00 234 0 0.0 0.00 0.02 80.178.6.147 www.dxfonline.com GET /webadm/web.php HTTP/1.1
    113-0 - 0/0/31 . 0.00 246 1 0.0 0.00 0.01 68.209.4.185 www.dxfonline.com GET /webadm/web.php HTTP/1.1
    114-0 - 0/0/35 . 0.01 167 0 0.0 0.00 0.01 65.80.232.141 www.dxfonline.com GET /webadm/web.php HTTP/1.1
    115-0 - 0/0/34 . 0.02 165 0 0.0 0.00 0.02 68.154.12.34 www.dxfonline.com GET /webadm/web.php HTTP/1.1
    116-0 - 0/0/32 . 0.00 166 0 0.0 0.00 0.01 216.177.12.148 www.dxfonline.com GET /webadm/web.php HTTP/1.1
    117-0 - 0/0/30 . 0.01 164 0 0.0 0.00 0.01 24.22.84.80 www.dxfonline.com GET /webadm/web.php HTTP/1.1

    I believe they are spoofing the IP addresses because they are all different (thousands of them).


    But since they are all trying to "GET" the same file, is there anywhere that I could define and block that one incoming "GET" request?

    I've already chmod 000 and chattr +i the file, so they can't actually get to the file, but we still see all of these incoming requests tying up apache.
     
    #1 noimad1, May 6, 2005
    Last edited: May 6, 2005
  2. dgbaker

    dgbaker Well-Known Member
    You can implement mod_dosevasive to help control this.
     
  3. noimad1

    noimad1 Well-Known Member


    I'm not sure if that would help here as every request comes from a different IP address. Per the mod_dosevasive description:

    Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

    * Requesting the same page more than a few times per second
    * Making more than 50 concurrent requests on the same child per second
    * Making any requests while temporarily blacklisted (on a blocking list)



    I think that would only help if they were using one IP or just a small list of IPs.

    What I am wondering is if there is a way in apf or iptables, or something similar, where I can block an incoming request via a specific string such as "/webadm/web.php"?
     
  4. noimad1

    noimad1 Well-Known Member

    As I suspected, I installed the mod_dosevasive and it has no effect on this kind of attack.

    Does anyone else have any ideas?
     
  5. chirpy

    chirpy Well-Known Member

  6. noimad1

    noimad1 Well-Known Member

    Thanks for the info. I read through that whole page and couldn't really figure out if any of them could help me out in this case. I don't want anyone to have to spend too much time on this, but if you have experience with mod_rewrite, can you give me an example of how I can block anyone from viewing a specific page?

    What I am really trying to do is block the entire http request so it doesn't fill apache up with a ton of requests like it is doing now...

    I chmod'd the files to 000 so if you try to access them it gives you a forbidden page. This keeps my serverload fairly low, but still causes apache to fill up with http requests.
     
  7. elenlace

    elenlace Well-Known Member

    It's not a DDOS attack, it's a virus

    Hi,

    This is not a DDOS attack, it's a virus trying to download a file from your server.

    We had the same problem last week, no way you can really stop this, the only "solution" is to take the offended domain out of your DNS.

    The domain in question is compromised as the virus writers uploaded a /webadm/web.php file, look for it, it should be there. We had to take the domain out of the DNS and give the customer a new domain as the requests didn't stop and will not stop until the virus is contained. Apparently, it is a new version of the BAGLE virus.

    Hope this helps.
     
  8. pshepperd

    pshepperd Well-Known Member

    Could also set up your firewall with a string module for iptables, to find and remove that specific string. But if it's a local virus, this just keeps the rest of the world safe :)
     
  9. rgripoll

    rgripoll Active Member

    I'm having the same problem, how can I do that?

    I use apf
     
  10. rgripoll

    rgripoll Active Member

    OK, I've fixed it with mod_security, with these rules:

    SecFilterSelective THE_REQUEST "/z.php" "deny"
    SecFilterSelective THE_REQUEST "/w.php" "deny"
     
    #10 rgripoll, Dec 14, 2005
    Last edited: Dec 14, 2005
  11. faqall

    faqall Active Member

    Using mod security and adding it to your filter in the httpd.conf WILL stop this attack. I did it when the phpbb worm broke loose.

    Here is a very helpful link:

    http://www.eth0.us/mod_security
     
  12. ramprage

    ramprage Well-Known Member

    If they're all requesting the same thing...

    SecFilter "webadm/web.php"
    Then you can write a custom script to block the IP at the firewall in real time to prevent any additional traffic from the offender.
     
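As an added example (not code from the thread or from any poster), a small POSIX shell script that runs the detection over constructed access-log lines and answers the question raised in posts #3 and #12: is it a few busy IPs (per-IP limiting or a firewall rule helps) or thousands of one-off clients (the request itself has to be denied, e.g. by the mod_security rule above)? The sample log lines and the function names are assumptions; the path /webadm/web.php comes from post #1.

```shell
#!/bin/sh
# Added example, not code from the thread: scan Apache combined-format access
# log lines for requests to the worm's URI and summarise who is sending them.
# If thousands of IPs each make one or two requests, per-IP rate limiting such
# as mod_dosevasive cannot help and the request itself must be denied
# (e.g. a mod_security rule on THE_REQUEST); a handful of busy IPs can be
# firewalled. A completed HTTP request rides on a finished TCP handshake, so
# the source addresses are real hosts, not spoofed.

# Constructed sample log lines (combined format); not real traffic.
SAMPLE_LOG='209.105.192.159 - - [06/May/2005:10:01:02 -0400] "GET /webadm/web.php HTTP/1.1" 403 210 "-" "-"
217.195.69.154 - - [06/May/2005:10:01:03 -0400] "GET /webadm/web.php HTTP/1.0" 403 210 "-" "-"
64.163.127.59 - - [06/May/2005:10:01:03 -0400] "GET /index.html HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
209.105.192.159 - - [06/May/2005:10:01:04 -0400] "GET /webadm/web.php?x=1 HTTP/1.1" 403 210 "-" "-"
80.178.6.147 - - [06/May/2005:10:01:05 -0400] "POST /webadm/web.php HTTP/1.1" 403 210 "-" "-"'

# Print "hits ip" for every client that requested PATH (query strings
# included), busiest first.  Usage: offenders_for_path PATH < access_log
offenders_for_path() {
    awk -v p="$1" '
        # $7 is the request target; match the path with or without a query string
        index($7, p) == 1 && (length($7) == length(p) || substr($7, length(p) + 1, 1) == "?") { hits[$1]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Number of distinct clients hitting PATH.  Usage: distinct_offenders PATH < access_log
distinct_offenders() {
    offenders_for_path "$1" | wc -l | tr -d ' '
}

# Total requests for PATH, i.e. the load a deny rule in httpd.conf will absorb.
total_hits() {
    offenders_for_path "$1" | awk '{ n += $1 } END { print n + 0 }'
}

# Emit (do not run) one firewall rule per offending IP for an operator to review;
# this is the "custom script" idea from post #12, left as printed commands.
suggest_blocks() {
    offenders_for_path "$1" | awk '{ printf "iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n", $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | offenders_for_path /webadm/web.php
```

Run it against the real file with `offenders_for_path /webadm/web.php < /usr/local/apache/logs/access_log` (path assumed); a long list of single-hit IPs confirms that a request-level rule, not IP blocking, is the fix.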