ddos attack?

Discussion in 'General Discussion' started by Zion Ahead, Oct 2, 2007.

  1. Zion Ahead

    Zion Ahead Well-Known Member

    I have an issue here. httpd is slagging big time and my max clients is 300.

    I see this when running netstat


    Code:
    root@server5 [~]# netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State      
    tcp        0      0 websitesforafrica.com:http  190.42.243.192:1916         SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  200.121.167.193:11641       SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  client-201.230.113.17:14327 SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  190.42.84.253:3244          SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  201.230.98.64:15059         SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  166.114.122.41:62881        SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  190.42.151.252:17097        SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  190.41.24.108:3421          SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  190.43.1.42:1392            SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  201.230.79.5:60836          SYN_RECV    
    tcp        0      0 websitesforafrica.com:http  client-200.121.153.56:27208 SYN_RECV    

    Code:
    root@server5 [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
         48 190.42.66.138
         39 190.154.6.203
         28 190.40.51.130
         23 200.121.81.76
         14 207.67.35.142
         13 201.230.224.200
         13 
         11 201.240.178.114
         11 190.77.9.81
         10 201.230.113.175
         10 200.58.160.148
         10 190.41.5.161
          9 201.230.254.69
          9 201.230.135.146
          9 190.43.187.139
          8 200.60.248.119
          7 72.14.195.205
          7 190.42.48.224
          6 200.121.7.31
          6 200.121.223.55
          6 200.121.141.48
          6 200.121.141.186
          6 200.106.37.206
          6 190.42.51.165
          6 190.41.64.13
          5 201.250.55.166
          5 201.240.42.233
          5 201.240.3.61
          5 201.240.113.73
          5 201.240.0.94
          5 201.208.123.190
          5 200.87.203.94
          5 200.121.171.61
          5 200.121.136.238
          5 200.106.47.236
          5 190.42.71.207
          5 190.42.221.73
          5 190.42.194.20
          5 190.42.152.250
          5 190.41.32.40
          4 201.240.48.131
          4 201.240.205.141
          4 201.240.196.217
          4 201.240.124.201
          4 201.240.124.131
          4 201.230.233.68
          4 201.230.195.165
          4 201.230.129.58
          4 201.222.87.163

    How do I find out the cause of this? I have no idea who websitesforafrica.com is anyway.
     
  2. Zion Ahead

    Zion Ahead Well-Known Member

    Code:
    root@server5 [~]# ps aux | grep -c httpd
    502

    I've done killall -9 httpd numerous times as well; it skyrockets again with loads of httpd processes afterwards.

    Code:
    root@server5 [~]# netstat -ntp | grep :80 -c
    1110
     
    #2 Zion Ahead, Oct 2, 2007
    Last edited: Oct 2, 2007
  3. mctDarren

    mctDarren Well-Known Member

    Sure looks like it could be a DDoS. What are they hitting on that site? A single page? Have mod_evasive installed?
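
Added example, not part of any post in this thread: a shell triage of `netstat -nt` output that splits the sockets on one local port by TCP state and by remote IP, so a backlog of half-open `SYN_RECV` sockets can be told apart from load made of established connections. The sample input uses constructed documentation addresses, and the function names (`state_counts`, `top_sources`, `syn_recv_share`) are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: triage `netstat -nt` output for one local TCP port.
# The sample is constructed (documentation address ranges), not from the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:1916       SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:1917       SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:1918       SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.23:3244      SYN_RECV
tcp        0      0 ::ffff:203.0.113.10:80  ::ffff:192.0.2.55:4021  SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.55:4022         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.90:5000         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.90:5001         TIME_WAIT
tcp        0      0 203.0.113.10:8080       198.51.100.7:2000       SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.200:50000       ESTABLISHED
EOF
}

# state_counts PORT: print "<state> <count>" for sockets on local PORT.
# Matching on ^tcp skips the two header lines; ":PORT$" excludes e.g. 8080.
state_counts() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") { n[$6]++ }
    END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# top_sources PORT STATE MIN: print "<count> <ip>" for remote IPs holding at
# least MIN sockets in STATE. Only the trailing :port is stripped, so an
# IPv4-mapped address is folded into its IPv4 form instead of becoming empty.
top_sources() {
  awk -v port="$1" -v state="$2" -v min="$3" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == state {
      ip = $5; sub(/:[0-9]+$/, "", ip); sub(/^::ffff:/, "", ip); n[ip]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# syn_recv_share PORT: integer percentage of PORT sockets that are half-open.
syn_recv_share() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") { total++; if ($6 == "SYN_RECV") syn++ }
    END { if (total) printf "%d\n", syn * 100 / total; else print 0 }'
}

sample_netstat | state_counts 80
sample_netstat | top_sources 80 SYN_RECV 2
echo "SYN_RECV share: $(sample_netstat | syn_recv_share 80)%"
```

On a live host, pipe `netstat -nt` into the same functions in place of `sample_netstat`.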
     