
Logs show incoming attack? What is it?

Discussion in 'General Discussion' started by bmcpanel, Oct 24, 2002.

  1. bmcpanel

    One of my servers receives a barrage of attacks from a single IP about once per day. (See excerpt from logs below). It seems that they are using http to hit the server and the server sends a "408" error code.


    vi /usr/local/apache/logs/access_log
    -----------------
    61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:29 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:30 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:31 -0400] "-" 408 -
    61.129.81.37 - - [24/Oct/2002:16:58:32 -0400] "-" 408 -
    -----------------

    This causes hundreds of HTTP processes to be spawned and the server bogs down and the load average goes up.

    I know how to block this once I find it by doing a "null route". However, I don't even know what the hell this is? How is this asshole causing a "408" error? What is a 408 error?

    If anyone has any info, please let me know. If I have more info, maybe I can defeat this loser.
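
An added example, not part of the thread or any poster's code: a Python sketch that counts the pattern in the log excerpt above, empty-request (`"-"`) entries with status 408 (Request Timeout, which Apache logs when a connection is opened but no request arrives before the timeout), per client IP per time window. The sample lines, documentation-range IPs, threshold and window size are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common log format. A connection that timed out before sending a
# request line is logged with "-" as the request and status 408.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return (ip, timestamp, request, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"], int(m["status"])

def idle_timeout_bursts(lines, threshold=10, window_seconds=60):
    """Map each IP to its peak count of empty-request 408s in one fixed
    window, keeping only IPs whose peak reaches `threshold` (assumed values)."""
    buckets = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, req, status = rec
        if status == 408 and req == "-":
            buckets[(ip, int(ts.timestamp()) // window_seconds)] += 1
    peaks = {}
    for (ip, _), count in buckets.items():
        if count >= threshold:
            peaks[ip] = max(count, peaks.get(ip, 0))
    return peaks

# Constructed sample: 12 timed-out connections from one client in 3 seconds,
# plus a normal request and a single stray 408 from another client.
SAMPLE = [
    f'198.51.100.7 - - [24/Oct/2002:16:58:{29 + i // 4:02d} -0400] "-" 408 -'
    for i in range(12)
] + [
    '192.0.2.10 - - [24/Oct/2002:16:58:30 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [24/Oct/2002:16:59:02 -0400] "-" 408 -',
]

if __name__ == "__main__":
    for ip, peak in idle_timeout_bursts(SAMPLE).items():
        print(f"{ip}: {peak} empty-request 408s in one window")
```

A single stray 408 is normal (a client that connected and went away), so the threshold is what separates that from a burst like the one in the excerpt.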
     
  2. bmcpanel

    I'll bump this up because this is vital and will be useful to all. This seems to be a NEW type of DOS attack that causes the MaxClients error which causes cPanel to generate an email to warn. It will cause legitimate http (web page) requests to fail and your customers will be pissed.

    Don't ignore this. This type of attack is commonly generated from China and seems to be either a DOS or an attempt to flood some buffer to get root access. I am not sure. If there is anyone with more info about this type of attack, please share with us.
     
  3. Tom Pyles

    Did you see this thread yet?
    http://216.118.116.105/read.php?TID=5350

    Other users are seeing it too... I've been seeing it on our servers also. I've noticed in ours the attacks don't last long...
     