LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-10-2005, 10:24 PM   #1
davidtsui
LQ Newbie
 
Registered: Jan 2005
Posts: 2

Rep: Reputation: 0
port 80 attack, help!!!!


Our network includes a RH9 iptables firewall and a RH9 web server.

Several days ago, our webpage was hacked and the default webpage was changed to a blank page containing the following sentence: "SegmentationFault -need a help?segfaultbr@hotmail.com."

After we replaced the original homepage, we found that the firewall server always shows messages that it has lots of connections to the webserver's port 80 from different outside IP addresses. Moreover, our webserver always shows the message: "NET XXX messages suppressed". It makes our server very slow and it can't provide normal service any more.

Has anyone faced a similar situation before? Are there any methods to avoid port 80 attacks through iptables? Can "Snort" help to avoid it again?
Thank you very much!!!
 
Old 01-11-2005, 12:30 AM   #2
sgrayban
Member
 
Registered: Nov 2004
Location: Spokane, WA
Distribution: Debian 6.0
Posts: 369

Rep: Reputation: 30
Try throttling your connections to port 80.

Look at shorewall.com and dos_evade for apache.
 
Old 01-11-2005, 01:26 AM   #3
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 372

Rep: Reputation: 42
Is your box being hacked as in, code replaced, not the same anymore?
Or is there just a lot of traffic to your machine ?

If the first, don't trust your machine anymore, as it could be 'rootkit'ed, you'll have to reinstall.

If the latter, do as sgrayban suggested...

Also, is the port 80 traffic to foreign IPs outgoing, or incoming?
 
Old 01-11-2005, 02:17 AM   #4
davidtsui
LQ Newbie
 
Registered: Jan 2005
Posts: 2

Original Poster
Rep: Reputation: 0
I am still not very clear

Thanks sgrayban and rhoekstra.

After we were hacked, we already installed a new RH9 Linux web server, then copied the web data from the old server to the new web server, then installed Trend Server Protect anti-virus software to ensure there is no virus on the web server.

We installed Trend Server Protect anti-virus software on the Linux firewall too, and did not find any virus.

The question now is that we must let the firewall accept port 80 requests from the internet and then redirect them to the web server's port 80 for browsing the webpage. But a very large quantity of port 80 connection requests appear if we enable port 80 on the firewall. We can't find any method to solve it now.

I looked at shorewall.com and dos_evade for apache as sgrayban said, but I can't find any result. Can you give us some more detailed suggestions?

Thank you very much.
 
Old 01-11-2005, 11:43 AM   #5
sgrayban
Member
 
Registered: Nov 2004
Location: Spokane, WA
Distribution: Debian 6.0
Posts: 369

Rep: Reputation: 30
Shorewall is used as a firewall and is much easier to use. It has the ability to throttle connections to any port.

The dos_evade module for apache is just as its name suggests. It can be set up to add IPs to iptables in case you're getting DDoSed.

If you read the docs you will see this. I really recommend you use shorewall.
 
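An added example of the idea in this answer (not code from any poster, nor the Apache module's own code): count requests per client IP in an Apache access log inside a sliding window and emit iptables DROP rules for the IPs that exceed a threshold, which is what the module's "add IPs to iptables" hook boils down to. The log lines, addresses, thresholds and window length are constructed for the demonstration.

```python
"""Flag client IPs that hammer port 80 and emit iptables DROP rules for them.
Simplified form of what an Apache DoS-evasion module does: count hits per client
IP in a sliding time window and block any IP over a threshold (offline example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; only the client IP and timestamp are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, unix_time) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts

def find_abusers(lines, max_hits=5, window=10):
    """IPs that make more than max_hits requests inside any `window` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip malformed or truncated lines
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_hits:
            flagged.add(ip)
    return sorted(flagged)

def drop_rules(ips, port=80):
    """iptables commands that drop further traffic to `port` from each IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]

# Constructed sample: 203.0.113.7 sends 8 requests in 8 seconds, 198.51.100.2 is a normal visitor.
SAMPLE_LOG = [f'203.0.113.7 - - [11/Jan/2005:12:00:0{i} -0500] "GET / HTTP/1.0" 200 512'
              for i in range(8)] + [
    '198.51.100.2 - - [11/Jan/2005:12:00:03 -0500] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.2 - - [11/Jan/2005:12:01:30 -0500] "GET /about.html HTTP/1.1" 200 1024']

if __name__ == "__main__":
    for rule in drop_rules(find_abusers(SAMPLE_LOG)):
        print(rule)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the printed rules are only a suggestion to review, since a shared proxy or NAT address can trip the threshold with legitimate traffic.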
Old 01-11-2005, 12:38 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Moved: This thread is more suitable in Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 01-11-2005, 12:43 PM   #7
sgrayban
Member
 
Registered: Nov 2004
Location: Spokane, WA
Distribution: Debian 6.0
Posts: 369

Rep: Reputation: 30
Quote:
Originally posted by david_ross
Moved: This thread is more suitable in Security and has been moved accordingly to help your thread/question get the exposure it deserves.
works for me
 
Old 01-12-2005, 12:48 AM   #8
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 372

Rep: Reputation: 42
If not moving to shorewall, why not upgrade to RedHat ES/AS (paid) or Fedora Core (free)? RH9 has passed its end of life.
 
All times are GMT -5. The time now is 10:59 PM.