
Under attack!?!?

Discussion in 'General Discussion' started by SHSaeed, Nov 2, 2002.

  1. SHSaeed

    Hi, Apache keeps failing and trying to increase the maxclients and I checked the access logs and here's what I found (tons of it!!!!)...

    [quote]
    209.115.165.187 - - [02/Nov/2002:12:10:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.115.165.187 - - [02/Nov/2002:12:10:20 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.115.165.187 - - [02/Nov/2002:12:10:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.115.165.187 - - [02/Nov/2002:12:10:21 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.115.165.187 - - [02/Nov/2002:12:10:24 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
    209.115.165.187 - - [02/Nov/2002:12:10:28 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
    209.115.165.187 - - [02/Nov/2002:12:10:28 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.115.165.187 - - [02/Nov/2002:12:10:29 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -

    66.137.243.249 - - [02/Nov/2002:12:37:52 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:53 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:53 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:53 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:54 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:54 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:55 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:56 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:37:58 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:38:00 -0500] "-" 408 -
    66.137.243.249 - - [02/Nov/2002:12:38:01 -0500] "-" 408 -

    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -

    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    [/quote]

    And so on..... From about 5-6 different IP addresses.

    Would [b]/sbin/route add -host xxx.xxx.xxx.xxx reject[/b] help in this situation?
     
  2. andyf

    Looks like all IIS vulns - you won't be affected running Apache.

    Of course, if it's killing Apache or something
    iptables -I INPUT 1 -s xxx.xxx.xxx.xxx -j DROP

    or the command of your choice ;)

    Andy.
     
  3. SHSaeed

    Thanks, it seems to have stopped for now but I notice this every now and then (usually a lot shorter though). How can this be stopped permanently? I've checked the logs and it seems they change IPs all the time!

    Here are some IPs that attacked this time...

    208.40.29.165

    209.11.163.69
    209.115.165.187
    209.170.112.107

    66.32.155.169
    66.137.243.249
    66.200.182.180
     
  4. SHSaeed

    Hmm, Apache still doesn't seem to work. When I do a restart it shows way too many pids...

    [quote]
    14715 14714 14713 14711 14710 14709 14708 14705 14704 14703 14702 14701 14700 14699 14698 14697 14696 14695 14694 14693 14692 14691 14690 14689 14688 14687 14686 14685 14684 14683 14682 14681 14680 14679 14678 14677 14676 14675 14674 14672 14671 14670 14669 14668 14667 14666 14665 14664 14663 14662 14661 14660 14659 14658 14657 14656 14655 14654 14652 14651 14650 14649 14648 14647 14646 14645 14644 14643 14642 14641 14640 14632 14631 14630 14629 14628 14627 14626 14625 14624 14623 14622 14621 14620 14619 14618 14617 14616 14615 14614 14613 14612 14611 14610 14609 14608 14607 14606 14605 14604 14603 14602 14601 14600 14599 14598 14597 14596 14595 14594 14593 14592 14591 14589 14588 14587 14586 14585 14584 14583 14582 14581 14580 14579 14578 14577 14576 14573 14572 14571 14570 14569 14568 14567 14566 14565 14564 14563 14562 14555

    httpd started ok
    [/quote]

    Anything I can do about this? I've tried restarting it and I also checked the access logs and the attacks seem to have stopped!
     
  5. SHSaeed

    Found a way to block the attackers...

    [b]ipchains -A input -s <IP>/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j DENY[/b]

    By replacing <IP> with the attacking IP you will block them on all ports.
     
  6. itf

    (SH) Saeed,
    Most of the attacks that you have listed in your post are not harmful to Linux and Apache (they are Windows attacks); those users simply receive a 404 Not Found error. FYI, we have thousands of such attacks on all of our servers without any problem.

    For blocking access to your box you can use either iptables or ipchains if your kernel has been compiled with iptables/ipchains support (in your case it seems you have ipchains).

    However you can restrict access to your box by adding this line to:
    /etc/hosts.deny

    ALL : ip-address
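
The distinction drawn above, between IIS probes that only earn an error from Apache and connections that actually tie up a server slot, can be read out of the access log itself. The following Python is an added example, not code from any poster in this thread; the sample lines are constructed in the format quoted in the first post (192.0.2.10 is a made-up ordinary client), and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in the common log format quoted in the first post.
SAMPLE_LOG = """\
209.115.165.187 - - [02/Nov/2002:12:10:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
209.115.165.187 - - [02/Nov/2002:12:10:24 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
209.170.112.107 - - [02/Nov/2002:16:49:34 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
66.137.243.249 - - [02/Nov/2002:12:37:52 -0500] "-" 408 -
66.137.243.249 - - [02/Nov/2002:12:37:53 -0500] "-" 408 -
66.137.243.249 - - [02/Nov/2002:12:37:53 -0500] "-" 408 -
192.0.2.10 - - [02/Nov/2002:12:40:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')
# File names requested by the probes; default.ida comes from the RedirectMatch
# rules posted later in the thread.
IIS_TARGETS = (b"cmd.exe", b"root.exe", b"default.ida")


def decode_layers(path, max_rounds=4):
    """Percent-decode repeatedly until stable; return (bytes, rounds that changed it)."""
    data, rounds = path.encode("utf-8"), 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds


def classify(line):
    """Return (ip, category, detail) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, request, status = m.group(1), m.group(2), int(m.group(3))
    if request == "-" and status == 408:
        # Client connected but sent no request before the timeout: the
        # connection occupied an Apache child for the whole wait.
        return ip, "idle_timeout", ""
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    decoded, rounds = decode_layers(path)
    if any(target in decoded.lower() for target in IIS_TARGETS):
        tricks = []
        if rounds > 1:
            tricks.append("multi-layer percent-encoding")
        if b"\xc0" in decoded or b"\xc1" in decoded:
            # 0xC0 and 0xC1 never occur in valid UTF-8.
            tricks.append("invalid UTF-8 lead byte")
        return ip, "iis_probe", ", ".join(tricks)
    return ip, "other", ""


def summarize(log_text):
    """Count categories per client IP."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify(line.strip())
        if result:
            per_ip[result[0]][result[1]] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

On a server that is hitting MaxClients, the addresses worth attention are the ones piling up `idle_timeout` entries, not the ones collecting 404s for `cmd.exe`.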
     
  7. SHSaeed

    At first I thought it was the Windows attacks, but looking more into it I noticed Apache is being attacked. Whoever's attacking is sending hundreds of requests per second from different computers/IPs and causing Apache to reach its maxclients limit and stop serving websites. What we did is we wrote a script that checks the active connections every minute and if there are more than X active connections from one IP they will be added to ipchains and then it will restart Apache and email us the IPs.

    We had to do this since so far they've attacked from almost 100 different IPs and they're still at it.
     
  8. itf

    [quote][i]Originally posted by (SH)Saeed[/i]

    At first I thought it was the Windows attacks, but looking more into it I noticed Apache is being attacked. Whoever's attacking is sending hundreds of requests per second from different computers/IPs and causing Apache to reach its maxclients limit and stop serving websites. What we did is we wrote a script that checks the active connections every minute and if there are more than X active connections from one IP they will be added to ipchains and then it will restart Apache and email us the IPs.

    We had to do this since so far they've attacked from almost 100 different IPs and they're still at it.[/quote]

    These are called "Kiddie" attacks. If they become as a DoS attack, you can protect yourself with the string matching feature (patch) of iptables.
    If the HTTP string matches that chain, that connection will be dropped automatically; however, it can be configured for global string matching too. String matching is a bit expensive, as the kernel must inspect all incoming packets (in this case HTTP packets).
     
  9. Website Rob

    This is what I use for repelling Virus attacks, which are usually for MS Servers anyway, but were cluttering up some of my log files -- and I just wanted to be done with them.

    RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://127.0.0.1/$1
    RedirectMatch Permanent ^/(.*root\.exe.*)$ http://127.0.0.1/$1
    RedirectMatch Permanent ^/(.*default\.ida.*)$ http://127.0.0.1/$1

    I use it in an .htaccess file and don't see why it cannot be adapted and used in this situation.

    I did not come up with it, someone passed it on to me, and I was told it basically sends the request(s) back to where they came from. I presume it works fine as Error logs are much smaller since they stopped showing up. Any pros / cons to this method are more than welcome.
     
  10. itf

    [quote][i]Originally posted by Website Rob[/i]

    This is what I use for repelling Virus attacks, which are usually for MS Servers anyway, but were cluttering up some of my log files -- and I just wanted to be done with them.

    RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://127.0.0.1/$1
    RedirectMatch Permanent ^/(.*root\.exe.*)$ http://127.0.0.1/$1
    RedirectMatch Permanent ^/(.*default\.ida.*)$ http://127.0.0.1/$1

    I use it in an .htaccess file and don't see why it cannot be adapted and used in this situation.

    I did not come up with it, someone passed it on to me, and I was told it basically sends the request(s) back to where they came from. I presume it works fine as Error logs are much smaller since they stopped showing up. Any pros / cons to this method are more than welcome.

    [/quote]
    Solving these attacks this way (as you wrote) is [b]illegal[/b]. Also not useful if they become as a DoS attack.

    It is recommended to use what I wrote in my previous post in this thread:


    [quote][i]Originally Posted by ITF[/i]
    These are called "Kiddie" attacks. If they become as a DoS attack, you can protect yourself with the string matching feature (patch) of iptables.
    If the HTTP string matches that chain, that connection will be dropped automatically; however, it can be configured for global string matching too. String matching is a bit expensive, as the kernel must inspect all incoming packets (in this case HTTP packets).
    [/quote]
     
  11. Website Rob

    Not sure why you would say Illegal and by whose definition?

    Anyone has the right to block anyone they want (for no reason or explanation) from accessing their Server or any part thereof.
     
  12. newera

    So what's the solution????

    What can those of us that are either new to this, or don't completely understand
    the scripting or tweaking of the server, do to prevent or curb these attacks, or whatever you call them?

    I get the same thing here every couple of days, but not on all domains.
    Email is shown below:

    IMPORTANT: Do not ignore this email.
    Apache has reached the MaxClients
    limit. cPanel has increased the MaxClients limit to 170 (10 higher).

    You may wish to suspend the user with the largest access log as they
    are generally the person using up all of the avalible connections. However, your should
    have your system admin verify this first.

    Top 3 Largest access logs
    ====================================
    284 /usr/local/apache/domlogs/newerahost.com
    220 /usr/local/apache/domlogs/globalmlm.com
    132 /usr/local/apache/domlogs/ren-consultants.net

    If someone could explain what to do, and how to do it,
    in plain English, it would help more of us.
    Thanks.
     
  13. itf

    [quote][i]Originally posted by itf[/i]

    [quote][i]Originally posted by Website Rob[/i]

    This is what I use for repelling Virus attacks, which are usually for MS Servers anyway, but were cluttering up some of my log files -- and I just wanted to be done with them.

    RedirectMatch Permanent ^/(.*cmd\.exe.*)$ http://127.0.0.1/$1
    RedirectMatch Permanent ^/(.*root\.exe.*)$ http://127.0.0.1/$1
    RedirectMatch Permanent ^/(.*default\.ida.*)$ http://127.0.0.1/$1

    I use it in an .htaccess file and don't see why it cannot be adapted and used in this situation.

    I did not come up with it, someone passed it on to me, and I was told it basically sends the request(s) back to where they came from. I presume it works fine as Error logs are much smaller since they stopped showing up. Any pros / cons to this method are more than welcome.

    [/quote]
    Solving these attacks this way (as you wrote) is [b]illegal[/b]. Also not useful if they become as a DoS attack.

    It is recommended to use what I wrote in my previous post in this thread:

    [/quote]

    [quote][i]Originally posted by Website Rob[/i]

    Not sure why you would say Illegal and by whose definition?

    Anyone has the right to block anyone they want (for no reason or explanation) from accessing their Server or any part thereof.[/quote]
    [quote][i]Originally posted by thaphantom[/i]

    I believe the problem lies in where you are redirecting them to. Usually these computers that are used for attacks are not their own, and by redirecting them to localhost, it actually makes it look like you are running the vulnerability on them.[/quote]

    [b]Website Rob[/b]: Anyone has the right to block anyone they want (for no reason or explanation) from accessing their Server or any part thereof

    [b]ITF[/b]: Anyone has the right to block another, but what you have recommended is not blocking, it is redirecting.

    “Kiddie” attacks are not harmful to Linux and Apache until becoming a DDoS attack; they usually haven’t all features of a Distributed Denial of Service attack (this is why it is better to say becoming as a DDoS).

    By redirecting a DDoS to another third party, you will become a master of another attack. DoS attackers (intruders) usually have to put Trojan horses in third parties’ systems and launch their distributed attack at a single target, and by redirecting those attacks to where they are coming from you are now a master of a DoS attack, which is illegal. (This is why you should not use what you recommended.)

    [b]But what should you do against these Kiddie attacks:[/b]
    There are two ways for protection; you can use either one or both together.

    [b]1. Using String Matching feature of iptables (patch):[/b] by creating a chain rule for incoming packets, if they have the string which you defined, the connection will be dropped. However, the kernel should inspect all incoming packets, which causes high load on the system (CPU usage). The best practice for this feature is a [b]Fronted Firewall[/b]: it means putting a firewall box in front of your current box/network, dedicated to firewall protection.

    [b]2. Using Redirect Feature of Apache:[/b] but not redirecting to where they are coming from. It is recommended to redirect them to a local script which grabs the IP address of the attacker, and another script which processes the results and blocks the sender by putting IPs in /etc/hosts.deny or setting up an ipchains/iptables deny rule.
    However, it is recommended to unblock those IPs after a couple of days; I'm sure you need visitors.

    [b]Attention:[/b] Never forget to exempt your server IPs and your local IPs (used for remote access) from the above rules, otherwise a hacker can block your access to your server (by using the above rules).

    Note: writing all of the nooks and crannies of this issue is beyond the size and time of a post, I'll publish a how-to.
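
One way to combine the per-IP connection check SHSaeed describes earlier in the thread with the temporary, exemption-aware blocking recommended in the post above. This Python is an added example, not the script either poster used; the `netstat -tn` sample, the addresses (all documentation ranges), the threshold, the two-day lifetime and every name in it are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed `netstat -tn` sample; every address is from a documentation range.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp   0      0      198.51.100.5:80    203.0.113.7:40112   ESTABLISHED
tcp   0      0      198.51.100.5:80    203.0.113.7:40113   ESTABLISHED
tcp   0      0      198.51.100.5:80    203.0.113.7:40114   SYN_RECV
tcp   0      0      198.51.100.5:80    203.0.113.99:51000  ESTABLISHED
tcp   0      0      198.51.100.5:80    192.0.2.20:52000    ESTABLISHED
tcp   0      0      198.51.100.5:80    192.0.2.20:52001    ESTABLISHED
tcp   0      0      198.51.100.5:80    192.0.2.20:52002    ESTABLISHED
tcp   0      0      198.51.100.5:22    192.0.2.20:52003    ESTABLISHED
"""

DAY = 86400


def count_connections(netstat_text, port=80):
    """Count TCP connections per remote address to the given local port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, remote = fields[3], fields[4]
        if local.rsplit(":", 1)[-1] == str(port):
            counts[remote.rsplit(":", 1)[0]] += 1
    return counts


class TemporaryBlocklist:
    """Blocks over-threshold IPs for a limited time, never touching exempt networks."""

    def __init__(self, threshold, ttl_seconds, exempt):
        self.threshold = threshold
        self.ttl = ttl_seconds
        self.exempt = [ipaddress.ip_network(net) for net in exempt]
        self.blocked = {}  # ip -> time the block was added

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def update(self, counts, now):
        """Apply one polling round; return (ips_to_block, ips_to_unblock).

        Expired entries are released first, so an address that is still over
        the threshold appears in both lists and has its block renewed.
        """
        expired = sorted(ip for ip, since in self.blocked.items()
                         if now - since >= self.ttl)
        for ip in expired:
            del self.blocked[ip]
        added = []
        for ip, n in sorted(counts.items()):
            if n > self.threshold and ip not in self.blocked and not self.is_exempt(ip):
                self.blocked[ip] = now
                added.append(ip)
        return added, expired


def demo():
    """Two polling rounds over the sample: a burst, then quiet two days later."""
    bl = TemporaryBlocklist(threshold=2, ttl_seconds=2 * DAY,
                            exempt=["127.0.0.0/8", "192.0.2.0/24"])
    first = bl.update(count_connections(SAMPLE_NETSTAT), now=0)
    second = bl.update(Counter(), now=2 * DAY)
    return first, second


if __name__ == "__main__":
    print(demo())
```

Enforcement is left to the caller, for instance the ipchains or iptables rules posted earlier in the thread; `/etc/hosts.deny` is only consulted by services built with TCP wrappers.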
     
  14. Website Rob

    OK, good info, itf, and some valid points. However, I would like to remind that I stated I use the method I showed is what I use for sending Virus attacks back where they came from. It was only a suggestion of mine to adapt it for DDoS attacks, which I see now, may not be such a good idea.

    As for sending Virus attacks / attempts back to where they came from, I personally, do not have a problem with that. Odds are, the attack is using an open Port or Relay that a Server Admin may not know about. In that situation I would be:

    A) minimizing "my" time & effort against Virus attempts
    B) saying "no thanks" to the attack, thank you very much
    C) letting the Server Admin know they have some security holes within their system, that can be used for "who knows" what
    D) giving incentive to a Server Admin to close the security hole and/or install any required patches

    It may not be what everyone agrees with, but this I do know, the majority of Virus / Worms infecting Servers are spread from other Servers that have a security breach -- and is it not important, that a Server Admin be aware of "any" security breaches on their Server(s)?

    By redirecting a Virus attack back to where it came, I do not see as being illegal. There may not yet be a precedent, but I can see where future litigation will involve people who had their Server infected from another Server.

    After all, a Virus / Worm / Trojan can be easily proven as a "hack" (whether successful or not) into a Server and we all know, "hacking" a Server without permission is against the law in most Countries; Canada and USA that I know of for sure.
     
  15. itf

    [quote][i]Originally posted by Website Rob[/i]

    OK, good info, itf, and some valid points. However, I would like to remind that I stated I use the method I showed is what I use for sending Virus attacks back where they came from. It was only a suggestion of mine to adapt it for DDoS attacks, which I see now, may not be such a good idea.
    [/quote]

    [b]ITF[/b]: F.Y.I. What I wrote in that post ( http://forums.cpanel.net/read.php?TID=5583&page=2#24310 ) is 100% valid, because they are all based on scientific and technological issues, not just an idea, they are real solutions for real problems.

    [quote][i]Originally posted by Website Rob[/i]
    As for sending Virus attacks / attempts back to where they came from, I personally, do not have a problem with that. Odds are, the attack is using an open Port or Relay that a Server Admin may not know about. In that situation I would be:

    A) minimizing "my" time & effort against Virus attempts
    B) saying "no thanks" to the attack, thank you very much
    C) letting the Server Admin know they have some security holes within their system, that can be used for "who knows" what
    D) giving incentive to a Server Admin to close the security hole and/or install any required patches
    [/quote]

    [b]ITF[/b]: The short way is not the best way. I think I wrote how to protect against such an attack (Kiddies Attack) in my last post ( http://forums.cpanel.net/read.php?TID=5583&page=2#24310 )
    However, I can't see any relation between these A, B, C & D items and Kiddies Attacks.

    [quote][i]Originally posted by Website Rob[/i]
    It may not be what everyone agrees with, but this I do know, the majority of Virus / Worms infecting Servers are spread from other Servers that have a security breach -- and is it not important, that a Server Admin be aware of "any" security breaches on their Server(s)?
    [/quote]
    [b]ITF[/b]: About 90% of computer users in the world are using insecure Operating Systems or using Operating Systems that have security weaknesses, but this does not grant any right to any third party to attack them (legally)

    [quote][i]Originally posted by Website Rob[/i]
    By redirecting a Virus attack back to where it came, I do not see as being illegal. There may not yet be a precedent, but I can see where future litigation will involve people who had their Server infected from another Server.
    [/quote]
    [b]ITF[/b]: Distribution of malicious code, or becoming an intermediary for this distribution, also intruding on a third party for denial of service, are all illegal (refer to your attorney)

    Law Enforcement Contacts for DDoS attacks:

    NIPC (National Infrastructure Protection Center)
    http://www.nipc.gov/

    You can find out how to report, if you are a victim at:
    http://www.cybercrime.gov/reporting.htm

    U.S. Department of Justice, Computer Crime and Intellectual Property Section (CCIPS)
    http://www.cybercrime.gov/

    [quote][i]Originally posted by Website Rob[/i]
    After all, a Virus / Worm / Trojan can be easily proven as a "hack" (whether successful or not) into a Server and we all know, "hacking" a Server without permission is against the law in most Countries; Canada and USA that I know of for sure.
    [/quote]

    [b]ITF[/b]: Unfortunately you are using security terms incorrectly, i.e. what this thread started on (what you can see in the first post of this thread) is called a "Script Kiddies Attack"; these are not Virus attacks and haven't any feature of viruses.
    There are differences between Viruses, Worms, Trojan Horses, DoS and DDoS attacks, hackers and crackers...

    to find solutions against Kiddies attacks refer to this post (I wrote there) -click on the link-: http://forums.cpanel.net/read.php?TID=5583&page=2#24310

    To become more familiar with these terms there are so many commercial and non-commercial books and web sites.
    E.g. for DDoS attacks a good academic resource is University of Washington:
    http://staff.washington.edu/dittrich/misc/ddos/

    There are so many resources about definition of the terms that I cannot list them here due to the size of a post.

    P.S. I don't want to harm anyone, sorry for any inconvenience but distribution of incorrect information on a public forum could cause putting someone in trouble, this is why I answered this post.
     
  16. Website Rob

    [quote]However, I would like to remind that I stated I use the method I showed is what I use for sending Virus attacks back where they came from. It was only a suggestion of mine to adapt it for DDoS attacks, which I see now, may not be such a good idea.[/quote]
    There was no mis-interpretation of terms on my part and I wanted to re-iterate that my suggestion was used for a different situation. Although I "thought" it might apply to this situation, it does not appear so.

    Further discussion of the method I use/suggested should be carried on in another thread, to prevent anymore confusion. :)
     
  17. itf

    [quote][i]Originally posted by Website Rob[/i]

    [quote]However, I would like to remind that I stated I use the method I showed is what I use for sending Virus attacks back where they came from. It was only a suggestion of mine to adapt it for DDoS attacks, which I see now, may not be such a good idea.[/quote]
    There was no mis-interpretation of terms on my part and I wanted to re-iterate that my suggestion was used for a different situation. Although I "thought" it might apply to this situation, it does not appear so.

    Further discussion of the method I use/suggested should be carried on in another thread, to prevent anymore confusion. :) [/quote]
    You believe that redirecting viruses back to where they came from with the Apache redirect feature is useful for some kinds of virus attacks, but it is wrong.
    Let me show you why:

    [b]Viruses[/b] are a type of malware (malicious software) with the unique ability to replicate by attaching themselves to files, and [b]are spread as files[/b].
    Thus the redirect feature of Apache, which is applied to HTTP requests, cannot prevent viruses.

    However, some viruses launch other types of attacks, but those attacks/intrusions are not called virus attacks.

    - also please consider that not all malicious programs or codes are viruses -
     
  18. itf

    I wrote additional instructions in another thread please refer to it too:

    click on the link,
    http://forums.cpanel.net/read.php?TID=5806&page=1#24963
     
  19. dariofg2

    ITF, do you have that script still? I'm getting a lot of "MaxClients reached" warnings, despite the fact that it's already at 255. I'm suspecting it's a DoS attack. The links you have posted to your HOW-TO don't work any more.

    TIA
    -Dario
