LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 04-06-2008, 04:48 AM   #1
Lord Matt
LQ Newbie
 
Registered: Apr 2008
Posts: 7

Rep: Reputation: 0
CentOS Apache Server - identifying (virtual host) target of spam attack


Hello,

I have a dedicated server that I pay for yearly and up until now a gig of RAM and a single processor seemed to be plenty. Sadly some **** with an overactive botnet and a need to spam the crap out of everything he/she/it sees via http is keeping my server in a state of utter uselessness.

Other specs that might be important: CentOS 5, webmin 1.4, Apache 2.2, MySQL+PHP5+etc, 1G RAM, 80G HDD (x2 in RAID array) (12G used), 2.66 GHz CeleronD (755)... all-in-all just a basic entry level dedi.

I have a MySQL connection limit of 150 as at 100 the MySQL server was running out of connections. This indicates that there must be over 100 connections in any given few seconds (I'm guessing) which gives a spam rate of at least ? 25+ hits a second? (I'm utterly guessing) going on for 3 days.

Given that most domains the server hosts contain blogs (and little else) it is likely to be trackback spam or comment spam. It is http I know that much.

When I use netstat or iptstate it of course resolves the target IP as the URL/domain of the server rather than the URL/domain of the attack. It does show me that a lot of proxies are being used to assault my server though.

I tried mod_evasive but even though I am quite sure it is set up correctly I cannot get it to react to anything. I also tried (D)Dos Deflate with fairly aggressive settings and that has done little if anything.

Short of setting a cron to restart apache every fifteen minutes it really does look like I need to identify the target and deactivate it.

I'm not exactly any expert at this but up until now there has not been an issue with a computer that I have ever been beaten by. So this is a bit of a blow to my ego but at this stage (day 3) I figure that I'm just going to have to accept that I have lost a domain for the time being and "pull it" to return some sanity to the system.

Any ideas?
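The question above (which virtual host the flood is aimed at, when netstat only ever shows the server's own address as the destination) comes down to the Host header, and that lives in Apache's access logs rather than in the socket table. The script below is an added example, not code from the thread or from Apache. It assumes a LogFormat whose first field is %v (the canonical ServerName of the virtual host that served the request) followed by the common log fields, and the hostnames, client addresses and paths in the embedded sample log are constructed.

```python
"""Count write requests per virtual host and per client from an Apache log.

Added example, not from the thread. Assumes a LogFormat such as
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
(the nickname vhost_common is an assumption) so that every line starts
with the virtual host's ServerName. The sample lines below are constructed.
"""
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: three POSTs to a comment script and one trackback on
# blog-a from three different addresses, ordinary reads on the other two hosts,
# and one line that does not parse.
SAMPLE_LOG = """\
blog-a.example 198.51.100.7 - - [06/Apr/2008:04:40:01 -0500] "POST /action.php?action=addcomment HTTP/1.1" 200 512
blog-a.example 203.0.113.9 - - [06/Apr/2008:04:40:01 -0500] "POST /action.php?action=addcomment HTTP/1.1" 200 512
blog-b.example 192.0.2.44 - - [06/Apr/2008:04:40:02 -0500] "GET /index.php HTTP/1.1" 200 8123
blog-a.example 198.51.100.7 - - [06/Apr/2008:04:40:02 -0500] "POST /trackback.php/12 HTTP/1.0" 200 120
blog-c.example 192.0.2.45 - - [06/Apr/2008:04:40:03 -0500] "GET /rss.xml HTTP/1.1" 304 -
blog-a.example 203.0.113.10 - - [06/Apr/2008:04:40:03 -0500] "POST /action.php?action=addcomment HTTP/1.1" 200 512
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, write_only=True):
    """Return (requests per vhost, distinct client IPs per vhost, hits per vhost+path).

    Comment and trackback spam arrives as POSTs, so by default only write
    requests are counted; on a busy site GET traffic from ordinary readers
    would otherwise drown the signal. The distinct-IP count shows how widely
    the traffic is spread across proxies.
    """
    per_vhost = Counter()
    clients = {}
    paths = Counter()
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue
        if write_only and rec["method"] not in ("POST", "PUT"):
            continue
        per_vhost[rec["vhost"]] += 1
        clients.setdefault(rec["vhost"], set()).add(rec["ip"])
        paths[(rec["vhost"], rec["path"].split("?")[0])] += 1
    return per_vhost, clients, paths


def hottest_vhost(lines):
    """The virtual host receiving the most write requests, or None if there are none."""
    per_vhost, _, _ = summarize(lines)
    if not per_vhost:
        return None
    return per_vhost.most_common(1)[0][0]


if __name__ == "__main__":
    # "python3 script.py -" reads a real log from stdin; no argument uses the sample.
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG.splitlines()
    per_vhost, clients, paths = summarize(source)
    for vhost, n in per_vhost.most_common():
        print(f"{vhost}: {n} write requests from {len(clients[vhost])} distinct IPs")
    for (vhost, path), n in paths.most_common(3):
        print(f"  {vhost}{path}: {n}")
```

On the sample data blog-a.example stands out with four POSTs from three addresses, all to the comment and trackback scripts, while the other hosts see only reads; on a real log the same per-host, per-path breakdown points at the blog (and the script within it) that needs comments or trackbacks switched off, and the per-host client set shows whether blocking individual source addresses has any chance of helping.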
 
Old 04-06-2008, 08:10 PM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197Reputation: 197
I'd just use iptables and block/drop the source altogether on all ports.
 
Old 04-07-2008, 02:09 AM   #3
Lord Matt
LQ Newbie
 
Registered: Apr 2008
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by trickykid
I'd just use iptables and block/drop the source altogether on all ports.
Thanks for replying (it's nice to know I've been noticed).

They were/are coming in through random proxies.

I was unable to get mod_security set up. The site recommends a yum repository but he works with custom packages and I want vanilla apache/mysql/php4/php5/WebMin so it did not work.

Mod_Evasive had done nothing. It even failed the supplied test.


However I took the following steps.

Opened PuTTY and restarted the session until I was in.

httpd -k restart
service mysqld restart

Open Browser went to phpMyAdmin.
For each database (with a blog), examined DatabaseName.Comments to look for bloated numbers.

When/If connection became unsuitable (every few)

httpd -k restart
service mysqld restart

Then continued.

I eventually identified two blogs being smacked about like B*tches by the spammer. One had comments disabled so I assume it had already been beaten up at some past point. 120,000 spam comments.

The second was "live" if under used.

httpd -k restart
service mysqld restart

Navigated to blog. Logged in as the super user (it was my wife's blog so no tricking about with the DB). This blog had captcha enabled and was still suffering spam!!

Comments-by-non-members = No

Then I ...

httpd -k restart
service mysqld restart

I gave it a while and watched the memory usage slip back down under 75% (of a gig!)

This was better but I was still enduring massive http damage.

So now I had to look at other methods to reduce the strain on the server. The blog in question was a NucleusCMS and it has a well maintained plug-in for Bad-Behaviour which with an extra edit to the config.php file kicks in very very early in the process.

Within 60 seconds BB had rejected two connections to the script.

The server is now tolerable.

However there were 20,000 spams in the blog. So back to the phpMyAdmin and... (field names not the true names for ease of reading)

DELETE FROM `comment table name` WHERE `comment body` like "%http%" OR `comment link` not like "%.%" or `comment body` like "%casino%"

And I was down to 45 spams which I deleted manually. I should point out that the 'not like "%.%"' is very aggressive and demands all comments have a link (which is optional) a less aggressive version might add 'OR ... = ""' and brackets around the pair.

I did this for both blogs that had been hurt.

It's not perfect but it is coping. I feel that there might be other points being attacked so I could do with being able to trace them.

Last edited by Lord Matt; 04-07-2008 at 02:38 AM. Reason: Minor edit for good form
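The purge query at the end of the post, and the remark that `not like "%.%"` also removes every comment posted without a link, can be dry-run on a throw-away copy of the table before anything is deleted from the live one. The script below is an added example, not from the post or from NucleusCMS: it loads constructed rows into an in-memory SQLite table with generic column names (body, link), previews which rows each predicate would delete, and places the post's predicate beside one narrower form that leaves empty links alone.

```python
"""Dry-run two comment-purge predicates on a throw-away SQLite table.

Added example, not code from the thread or from NucleusCMS. The column
names (body, link) and the rows below are constructed. SQLite's LIKE is
case-insensitive for ASCII letters, as MySQL's default collation is, so
both predicates select the same rows here as they would in MySQL.
"""
import sqlite3

# Constructed sample comments: (id, body, link)
ROWS = [
    (1, "Great post, thanks!", "http://reader.example/blog"),
    (2, "Nice article", ""),                                    # legitimate, no link given
    (3, "cheap pills http://spam.example/buy", "http://spam.example"),
    (4, "best online casino bonus", "http://casino.example"),
    (5, "typo in para 2", "mysite"),                            # link present but malformed
    (6, "I agree", None),                                       # link column is NULL
]

# The thread's predicate: any body mentioning http or casino, or any link
# without a dot. An empty link also has no dot, so comments submitted
# without a link are swept up as well.
AGGRESSIVE_WHERE = (
    "body LIKE '%http%' OR link NOT LIKE '%.%' OR body LIKE '%casino%'"
)

# Narrower variant: a link is only suspicious if one was supplied and it
# still lacks a dot; empty links are left alone.
NARROW_WHERE = (
    "body LIKE '%http%' OR (link <> '' AND link NOT LIKE '%.%') "
    "OR body LIKE '%casino%'"
)
# A NULL link satisfies neither predicate (NULL NOT LIKE ... is NULL, not
# true), so row 6 survives both; rows with NULL links need their own clause
# if they are to be treated like empty ones.


def fresh_db():
    """A new in-memory copy of the comments table loaded with ROWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT, link TEXT)")
    con.executemany("INSERT INTO comments VALUES (?, ?, ?)", ROWS)
    return con


def preview(where):
    """Ids a DELETE with this predicate would remove: SELECT first, DELETE later."""
    con = fresh_db()
    ids = [r[0] for r in con.execute(f"SELECT id FROM comments WHERE {where} ORDER BY id")]
    con.close()
    return ids


def purge(where):
    """Apply the DELETE and return the ids of the comments that survive."""
    con = fresh_db()
    con.execute(f"DELETE FROM comments WHERE {where}")
    ids = [r[0] for r in con.execute("SELECT id FROM comments ORDER BY id")]
    con.close()
    return ids


if __name__ == "__main__":
    for name, where in (("aggressive", AGGRESSIVE_WHERE), ("narrow", NARROW_WHERE)):
        print(f"{name}: would delete {preview(where)}, keeps {purge(where)}")
```

Against the live table the same pattern applies: run the WHERE clause behind a SELECT (and take a mysqldump of the table) before turning it into a DELETE, since a legitimate comment removed by an over-broad predicate has to be restored by hand.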
 
Old 04-07-2008, 02:17 AM   #4
Lord Matt
LQ Newbie
 
Registered: Apr 2008
Posts: 7

Original Poster
Rep: Reputation: 0
I should point out that the reason for keeping on restarting is that while trying to "sign in" via ssh the system will abandon you if it is in dire need of the resources, but once you are in as root (su or otherwise) it grants you far more priority and gives you the space to dish out a few commands so long as you are not too idle or it does not get fully overwhelmed.

Additionally I tried to follow this thread but my server does not appear to support the same things: http://www.linuxquestions.org/questi...output-521012/

Last edited by Lord Matt; 04-07-2008 at 02:28 AM.
 