LinuxQuestions.org

Linux - Server: CentOS Apache Server - identifying (virtual host) target of spam attack (http://www.linuxquestions.org/questions/linux-server-73/centos-apache-server-identifying-virtual-host-target-of-spam-attack-633396/)

Lord Matt 04-06-2008 05:48 AM

CentOS Apache Server - identifying (virtual host) target of spam attack
 
Hello,

I have a dedicated server that I pay for yearly and up until now a gig of RAM and a single processor seemed to be plenty. Sadly some **** with an overactive botnet and a need to spam the crap out of everything he/she/it sees via http is keeping my server in a state of utter uselessness.

Other specs that might be important CentOS 5, webmin 1.4, Apache2.2, MySQL+PHP5+etc, 1G RAM, 80G HDD (x2 in RAID array) (12G used), 2.66 GHz CeleronD (755)... all-in-all just a basic entry level dedi.

I have a MySQL connection limit of 150 as at 100 the MySQL server was running out of connections. This indicates that there must be over 100 connections in any given few seconds (I'm guessing) which gives a spam rate of at least 25+ hits a second? (I'm utterly guessing) going on for 3 days.

Given that most domains the server hosts contain blogs (and little else) it is likely to be trackback spam or comment spam. It is http I know that much.

When I use netstat or iptstate it of course resolves the target IP as the URL/domain of the server rather than the URL/domain of the attack. It does show me that a lot of proxies are being used to assault my server though.

I tried mod_evasive but even though I am quite sure it is set up correctly I cannot get it to react to anything. I also tried (D)Dos Deflate with fairly aggressive settings and that has done little if anything.

Short of setting a cron to restart apache every fifteen minutes it really does look like I need to identify the target and deactivate it.

I'm not exactly any expert at this but up until now there has not been an issue with a computer that I have ever been beaten by. So this is a bit of a blow to my ego but at this stage (day 3) I figure that I'm just going to have to accept that I have lost a domain for the time being and "pull it" to return some sanity to the system.

Any ideas?
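netstat only shows the server's own IP, but the Apache access log can name the virtual host if the LogFormat starts with %v (mod_log_config's virtual host field). The script below is an added example, not code from the thread: it assumes a LogFormat of the form `LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost`, treats POSTs as the comment/trackback spam traffic, and ranks vhosts and source IPs over constructed sample lines so the busiest blog can be locked down or firewalled first.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the access log begins with the
# vhost name, i.e.  LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost
# With that prefix the request method is whitespace field 7 (with a leading quote).

# Constructed sample log lines (not real traffic); written to a temp file so the
# functions below can be pointed at a real access_log the same way.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
blog-a.example 203.0.113.5 - - [06/Apr/2008:05:48:01 -0500] "POST /action.php HTTP/1.1" 200 512
blog-a.example 198.51.100.7 - - [06/Apr/2008:05:48:01 -0500] "POST /action.php HTTP/1.0" 200 512
blog-b.example 192.0.2.9 - - [06/Apr/2008:05:48:02 -0500] "GET /index.php HTTP/1.1" 200 8123
blog-a.example 203.0.113.5 - - [06/Apr/2008:05:48:02 -0500] "POST /trackback.php HTTP/1.0" 200 200
blog-c.example 192.0.2.10 - - [06/Apr/2008:05:48:03 -0500] "POST /action.php HTTP/1.1" 200 512
blog-a.example 198.51.100.8 - - [06/Apr/2008:05:48:03 -0500] "POST /action.php HTTP/1.0" 200 512
EOF

# Print "count vhost" for POST requests, busiest first: the targeted blog.
posts_per_vhost() {
    awk '$7 == "\"POST" { n[$1]++ } END { for (v in n) print n[v], v }' "$1" | sort -rn
}

# Print "count ip" for POSTs to one vhost, busiest first (candidates for an iptables DROP).
posters_for_vhost() {
    awk -v vh="$2" '$1 == vh && $7 == "\"POST" { n[$2]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Name of the single busiest vhost by POST count.
top_vhost() {
    posts_per_vhost "$1" | head -n 1 | awk '{ print $2 }'
}

posts_per_vhost "$SAMPLE_LOG"
echo "--- POSTers to $(top_vhost "$SAMPLE_LOG")"
posters_for_vhost "$SAMPLE_LOG" "$(top_vhost "$SAMPLE_LOG")"
```

On a live box, run the functions against /var/log/httpd/access_log (or against each vhost's own CustomLog, in which case the file name already tells you the vhost and only the IP ranking is needed).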

trickykid 04-06-2008 09:10 PM

I'd just use iptables and block/drop the source altogether on all ports.

Lord Matt 04-07-2008 03:09 AM

Quote:

Originally Posted by trickykid (Post 3113015)
I'd just use iptables and block/drop the source altogether on all ports.

Thanks for replying (it's nice to know I've been noticed).

They were/are coming in through random proxies.

I was unable to get mod_security set up. The site recommends a yum repository but he works with custom packages and I want vanilla apache/mysql/php4/php5/WebMin so it did not work.

Mod_Evasive had done nothing. It even failed the supplied test.


However I took the following steps.

Opened PuTTY and restarted the session until I was in.

httpd -k restart
service mysqld restart

Opened a browser and went to phpMyAdmin.
For each database (with a blog), examined DatabaseName.Comments to look for bloated numbers.

When/If connection became unsuitable (every few)

httpd -k restart
service mysqld restart

Then continued.

I eventually identified two blogs being smacked about like B*tches by the spammer. One had comments disabled so I assume it had already been beaten up at some past point. 120,000 spam comments.

The second was "live" if under used.

httpd -k restart
service mysqld restart

Navigated to blog. Logged in as the super user (it was my wife's blog so no tricking about with the DB). This blog had captcha enabled and was still suffering spam!!

Comments-by-non-members = No

Then I ...

httpd -k restart
service mysqld restart

I gave it a while and watched the memory usage slip back down under 75% (of a gig!)

This was better but I was still enduring massive http damage.

So now I had to look at other methods to reduce the strain on the server. The blog in question was a NucleusCMS and it has a well maintained plug-in for Bad-Behaviour which with an extra edit to the config.php file kicks in very very early in the process.

Within 60 seconds BB had rejected two connections to the script.

The server is now tolerable.

However there were 20,000 spams in the blog. So back to phpMyAdmin and... (field names not the true names for ease of reading)

DELETE FROM `comment table name` WHERE `comment body` LIKE "%http%" OR `comment link` NOT LIKE "%.%" OR `comment body` LIKE "%casino%";

And I was down to 45 spams which I deleted manually. I should point out that the 'NOT LIKE "%.%"' is very aggressive and demands that all comments have a link (which is optional); a less aggressive version might add 'OR ... = ""' and brackets around the pair.

I did this for both blogs that had been hurt.

It's not perfect but it is coping. I feel that there might be other points being attacked so I could do with being able to trace them.

Lord Matt 04-07-2008 03:17 AM

I should point out that the reason for the repeated restarts is that while trying to "sign in" via ssh the system will abandon you if it is in dire need of the resources, but once you are in as root (su or otherwise) it grants you far more priority and gives you the space to dish a few commands so long as you are not too idle or it does not get fully overwhelmed.

Additionally I tried to follow this thread but my server does not appear to support the same things http://www.linuxquestions.org/questi...output-521012/
