Quote:
Originally Posted by trickykid
I'd just use iptables and block/drop the source altogether on all ports.
Thanks for replying (it's nice to know I've been noticed).
They were/are coming in through random proxies.
I was unable to get mod_security set up. The site recommends a yum repository but he works with custom packages and I want vanilla apache/mysql/php4/php5/WebMin so it did not work.
Mod_Evasive had done nothing. It even failed the supplied test.
However I took the following steps.
Opened PuTTY and restarted the session until I was in.
httpd -k restart
service mysqld restart
Opened browser, went to phpMyAdmin.
For each database (with a blog), examined DatabaseName.Comments to look for bloated numbers.
When/If connection became unsuitable (every few)
httpd -k restart
service mysqld restart
Then continued.
I eventually identified two blogs being smacked about like B*tches by the spammer. One had comments disabled so I assume it had already been beaten up at some past point. 120,000 spam comments.
The second was "live" if underused.
httpd -k restart
service mysqld restart
Navigated to blog. Logged in as the super user (it was my wife's blog so no tricking about with the DB). This blog had captcha enabled and was still suffering spam!!
Comments-by-non-members = No
Then I ...
httpd -k restart
service mysqld restart
I gave it a while and watched the memory usage slip back down under 75% (of a gig!)
This was better but I was still enduring massive http damage.
So now I had to look at other methods to reduce the strain on the server. The blog in question was a NucleusCMS and it has a well maintained plug-in for Bad-Behaviour which, with an extra edit to the config.php file, kicks in very very early in the process.
Within 60 seconds BB had rejected two connections to the script.
The server is now tolerable.
However, there was 20,000 spam in the blog. So back to phpMyAdmin and... (field names are not the true names, for ease of reading)
DELETE FROM `comment table name` WHERE `comment body` like "%http%" OR `comment link` not like "%.%" or `comment body` like "%casino%"
And I was down to 45 spams, which I deleted manually. I should point out that the 'not like "%.%"' is very aggressive and demands all comments have a link (which is optional); a less aggressive version might add 'OR ... = ""' and brackets around the pair.
I did this for both blogs that had been hurt.
It's not perfect but it is coping. I feel that there might be other points being attacked so I could do with being able to trace them.
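
Added example, not part of the original post: the cleanup query above, previewed with a SELECT before anything is deleted, next to one reading of the less aggressive variant, in which a comment with an empty link field is left alone. The table name `comment`, the columns `body` and `link`, the sample rows and the use of an in-memory SQLite database in place of MySQL are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows (body, link); table and column names are
# hypothetical stand-ins, as in the post. SQLite stands in for MySQL.
SAMPLE = [
    ("Great post, thanks!", ""),                   # genuine, no link
    ("Nice write-up", "example.org/me"),           # genuine, with link
    ("cheap pills http://spam.invalid", ""),       # URL in body
    ("Best online CASINO bonus", "spam.invalid"),  # keyword
    ("hello", "asdfgh"),                           # junk link, no dot
]

AGGRESSIVE = ("body LIKE '%http%' OR link NOT LIKE '%.%' "
              "OR body LIKE '%casino%'")
# Brackets keep the pair together: the link counts against a comment
# only when it is present and contains no dot.
RELAXED = ("body LIKE '%http%' OR (link <> '' AND link NOT LIKE '%.%') "
           "OR body LIKE '%casino%'")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comment (id INTEGER PRIMARY KEY, body TEXT, link TEXT)")
    db.executemany("INSERT INTO comment (body, link) VALUES (?, ?)", SAMPLE)
    db.commit()
    return db


def preview(db, where):
    """Bodies that a DELETE with this (trusted, constant) WHERE would remove."""
    rows = db.execute(f"SELECT body FROM comment WHERE {where} ORDER BY id")
    return [r[0] for r in rows]


def purge(db, where, expected):
    """Delete in a transaction; roll back if the row count is a surprise."""
    with db:  # commits on success, rolls back on exception
        cur = db.execute(f"DELETE FROM comment WHERE {where}")
        if cur.rowcount != expected:
            raise RuntimeError(f"matched {cur.rowcount}, expected {expected}")
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("aggressive:", preview(db, AGGRESSIVE))
    print("relaxed:   ", preview(db, RELAXED))
    print("deleted:", purge(db, RELAXED, len(preview(db, RELAXED))))
```

On the sample rows the aggressive predicate also removes the genuine comment that has no link, while the bracketed form keeps it.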