The Community Forums


Problem with DDoS

Discussion in 'General Discussion' started by Website Rob, Nov 4, 2003.

  1. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Bit of a sticky wicket here as I can't quite determine what command is being used.

    Error logs show: request failed: URI too long -- but I don't see how that will help in any way.

    In WHM > Apache Status it shows as:
    SEARCH /?±±±±±±±±±±±±±±±±±±±±±±±±±±±

    but it will copy & paste as:
    SEARCH /±±±±±±±±±±±±±±±±±±±±±±±±±±±


    Tried doing a Redirect through httpd.conf but no luck

    copy & paste as:
    RedirectMatch Permanent ^/(.*/\.*)$ /404.shtml

    Apache shows as:
    RedirectMatch Permanent ^/(.*/^B^B\.*)$ /404.shtml

    As more IPs are available to them than I want to block, does anyone know of another way of blocking -- the command they use?
     
  2. pagedeveloping

    pagedeveloping Well-Known Member

    Joined:
    Jun 11, 2003
    Messages:
    219
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    This SEARCH /? is it directly from a search engine on your web site?

    Last I encountered a problem like this it had to do with a script error on one of my own sites. If I recall it had something to do with a POST and GET method. It's been so long I don't even remember how I fixed it.

    If it is a search script located on your site I would disable it to see if the errors go away.

    You could throw this at google also: request failed: URI too long

    Regards,

    Pete
     
  3. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Although you bring up a good point, I do not believe it is from inside -- on the Server.

    The cycle is about 2 requests a minute, always 48 byte packets, and requests are coming from outside the Server as the IPs being used repeat. Some of the IPs I've blocked show they have been dropped.

    I've recorded about 50 different IPs so far, although I haven't blocked them all. It seems that as I block some, new ones are used. IPs are all from various subnets and I cannot block a whole class -- have to do them individually. I could continue to do that, but would end up with about 100 in the IP Tables -- never gone that high before.


    Looking for Ideas here and any input is appreciated.
     
  4. pagedeveloping

    pagedeveloping Well-Known Member

    Joined:
    Jun 11, 2003
    Messages:
    219
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    When Apache shows you through WHM the status of SEARCH /?
    is there a search engine on that website?

    Just to be clear that it has nothing to do with the search script on that website, if one exists I would disable it for now to see the results.

    If no search script exists on the site and all requests begin with SEARCH, I would redirect it to an error page.

    Regards,

    Pete
     
  5. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Apache Status shows it is using different accounts for access. Again, blocking outside IPs has some effect so I know the requests are not coming from anything on the Server.

    Trying to do a Redirect through httpd.conf has not worked because I don't know what to redirect -- see first post.

    I've just finished doing a second manual reboot within 24 hrs, because Server load has gone so high nothing was working -- even though the Server still showed as up. After about 10 minutes the DDoS starts again.

    I'm thinking this has something to do with a Spammer I blocked about 2 weeks ago. Logs show the DDoS started Nov. 2.
     
  6. pagedeveloping

    pagedeveloping Well-Known Member

    Joined:
    Jun 11, 2003
    Messages:
    219
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    Have you notified your NOC about this?

    Also, if all attacks start out with the SEARCH it wouldn't hurt to have it redirect to an error page.

    I can't see an attacker being able to attack through over 100 IPs without this attack being an error coming from an outside script that is installed on the server.

    What are you using for a firewall?

    Does your firewall support DDoS?

    Regards,

    Pete
     
  7. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    I would love to be able to redirect it; the question is how? Methods already mentioned have proved ineffective.
     
  8. wsscom

    wsscom Registered

    Joined:
    Apr 28, 2004
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Just curious if you ever figured this out. I am getting attacked on my search script and have no idea how to stop this. It crashes the server and puts me out of business. Any help would be great.

    Joe
     
  9. Izzee

    Izzee Well-Known Member

    Joined:
    Feb 6, 2004
    Messages:
    469
    Likes Received:
    0
    Trophy Points:
    16
    Seems to be an IIS WebDAV exploit.
    Router Worm?

    Do a Google or your fav search engine for SEARCH /\x90\ and see what you come up with.

    I found a couple of links that might help explain things but nothing to kill the logs being filled with this Win rubbish. It does not affect Linux except it makes a mess in the log files.

    http://edgeos.com/threats/details.php?id=11413
    http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf

    Anyone who comes up with a way to stop it before it reaches the logs will get my eternal gratitude. I have tried all the usual blocking techniques but to no avail.

    Edit:
    From a forum:
    Posted: Thu Nov 20, 2003 11:20 am Post subject: Re: Router Worm?
    It's Welchia/Nachi. When it can't connect via 135/tcp, it will attempt an
    exploit against a WebDAV server (see MS03-007).

    So doing a web search for this worm might come up with some answers and clues about how to crunch this worm and its mess.

    Symantec has some details but no help to Linux users.
    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
    Here is some info also:
    http://www.iss.soton.ac.uk/security/nachi.html

    And if you still have a sense of humour left read this blog:
    http://www.alanbarber.org/blog/000056.html
    which seems to point to a re-emergence of this worm, as it was supposed to die on Jan 01 2004.
     
    #9 Izzee, Apr 28, 2004
    Last edited: Apr 28, 2004
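Pulling the probe sources out of the logs, as an added example that is not part of this thread: Apache answers an over-long request line with 414 while it is still reading the request, before RedirectMatch or any Location rule is consulted, which is why the redirect in the first post never matched; what the logs do still give is the client IP behind each SEARCH probe. The script below works over constructed sample lines (the IPs, the hit threshold and the helper names are assumptions) and tallies SEARCH probes from the access log and "URI too long" entries from the error log per IP, the list a firewall rule or a NOC abuse report would be built from.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined/error-log format (not taken from the
# thread); IPs are RFC 5737 documentation addresses. Apache escapes the probe's
# 0x90 NOP byte into the access log as the four characters \x90.
ACCESS_LOG = r"""
192.0.2.10 - - [04/Nov/2003:10:15:02 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 352 "-" "-"
198.51.100.7 - - [04/Nov/2003:10:15:31 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [04/Nov/2003:10:15:33 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 352 "-" "-"
203.0.113.22 - - [04/Nov/2003:10:16:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 352 "-" "-"
""".strip().splitlines()

ERROR_LOG = """
[Tue Nov 04 10:15:02 2003] [error] [client 192.0.2.10] request failed: URI too long
[Tue Nov 04 10:15:33 2003] [error] [client 192.0.2.10] request failed: URI too long
[Tue Nov 04 10:16:04 2003] [error] [client 203.0.113.22] request failed: URI too long
[Tue Nov 04 10:16:40 2003] [error] [client 198.51.100.7] File does not exist: /home/site/favicon.ico
""".strip().splitlines()

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S*) [^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'\[client (?P<ip>[0-9.]+)\] request failed: URI too long')


def is_webdav_probe(method, uri, status):
    """True for the Welchia/Nachi-style request: WebDAV SEARCH whose URI starts
    with the escaped NOP byte, or that was long enough for Apache to answer 414."""
    return method == "SEARCH" and (uri.startswith(r"/\x90") or status == "414")


def probe_stats(access_lines, error_lines):
    """Per client IP: probe hits in the access log and 'URI too long' entries in
    the error log. Lines that match neither pattern are ignored."""
    stats = defaultdict(lambda: {"access": 0, "error": 0})
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and is_webdav_probe(m["method"], m["uri"], m["status"]):
            stats[m["ip"]]["access"] += 1
    for line in error_lines:
        m = ERROR_RE.search(line)
        if m:
            stats[m["ip"]]["error"] += 1
    return dict(stats)


def block_candidates(stats, min_hits=2):
    """IPs seen at least min_hits times in either log, most active first: the
    list a firewall rule or an abuse report to the NOC would be built from."""
    ranked = [(max(v.values()), ip) for ip, v in stats.items() if max(v.values()) >= min_hits]
    return [ip for _, ip in sorted(ranked, reverse=True)]
```

The error log is read as well as the access log because on a real server the 414 entry may be the only trace of a probe that was cut off before it was fully logged.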