Server's getting attacked, httpd doesn't stop! (restarts itself after a few seconds)

Seregwethrin · 05-23-2009, 09:43 PM

Hello;

Something is attacking my server from httpd, 80 port. CPU was not overloaded while attacked, but always 500kbyte - 1mbyte per second data sent from server for hours.

When I entered "service httpd stop" console says stopped but after 20-30 seconds it starts again.

I'm using Centos 5, I also removed it from "setup - services" console menu.

But started again. I rebooted server, started again...

I don't know what's happening. I've renamed /usr/sbin/httpd to httpd2 and now it is not starting, finally.

But how can it be possible?

And I want to restart server but what should I do before restarting to prevent attack?

x_terminat_or_3 · 05-23-2009, 11:37 PM

Hi

If you have Cpanel installed on your server, it will restart httpd whenever it crashes.

I suspect other control panels will do too.

As for the attack, you can ask the host of your server to protect you against DDOS attacks, or you could do it yourself if you know how to configure iptables.

Best regards

Seregwethrin · 05-24-2009, 12:52 AM

I'm using directadmin maybe it can do it recursively.

I'll find logs search for ip addresses and block them but isn't there an easy way?

x_terminat_or_3 · 05-24-2009, 12:57 AM

Yeah, the easy way is asking your ISP to protect you against DDOS attacks.

The hard way is writing firewall rules that only allows a certain amount of packets per minute from the same IP address.

Seregwethrin · 05-24-2009, 07:20 AM

Can anyone tell me what's going on ?

I've found a stealth.tgz file which is owned by apache:apache at /tmp/, (yes dir name is ,)

Which has those files

Code:

.,/
.,/go
.,/genuser
.,/contrib/
.,/contrib/config/
.,/contrib/config/servers/
.,/contrib/config/servers/UNDERNET
.,/contrib/config/servers/DALNET
.,/contrib/config/servers/EFNET
.,/contrib/config/config
.,/contrib/config/Input.pl
.,/contrib/patches/
.,/contrib/patches/emech-2.8.2-sha.diff
.,/contrib/cvsupdate
.,/configure
.,/sshd
.,/stealth
.,/cyc.help
.,/pico.tgz
.,/.cyc.set.swp
.,/.acc
.,/pico
.,/Makefile
.,/cyc.set
.,/src/
.,/src/debug.o
.,/src/combot.c
.,/src/xmech.c
.,/src/h.h
.,/src/usage.h
.,/src/mcmd.h
.,/src/commands.c
.,/src/combot.o
.,/src/channel.c
.,/src/Makefile.in
.,/src/cfgfile.c
.,/src/cfgfile.o
.,/src/socket.c
.,/src/debug.c
.,/src/dcc.o
.,/src/dcc.c
.,/src/structs.h
.,/src/xmech.o
.,/src/defines.h
.,/src/config.h
.,/src/gencmd.c
.,/src/function.c
.,/src/userlist.o
.,/src/parse.o
.,/src/com-ons.o
.,/src/main.c
.,/src/main.o
.,/src/commands.o
.,/src/socket.o
.,/src/link.o
.,/src/global.h
.,/src/config.h.in
.,/src/Makefile
.,/src/vars.o
.,/src/com-ons.c
.,/src/link.c
.,/src/vars.c
.,/src/mcmd.th
.,/src/channel.o
.,/src/userlist.c
.,/src/parse.c
.,/src/gencmd
.,/src/function.o
.,/randfiles/
.,/randfiles/randsignoff.e
.,/randfiles/randnicks.e
.,/randfiles/randversions.e
.,/randfiles/randsay.e
.,/randfiles/randaway.e
.,/randfiles/randinsult.e
.,/randfiles/randpickup.e
.,/randfiles/randkicks.e
.,/cyc.levels
.,/cyc.pid

and also those files at /tmp/... (dir name is ...)

Code:

<MYSERVER'S_IP2>.user   <MYSERVER'S_IP2>.user   LinkEvents  berliner.seen  echo.save      m.help  m.ses     pico        run          update       xh
<MYSERVER'S_IP>.user2  <MYSERVER'S_IP>.user2  autorun     bor.seen       inst           m.lev   m.set     privs.seen  start        vhosts       xyz.seen
<MYSERVER'S_IP>.user3  <MYSERVER'S_IP2>.user3  bash        cron.d         kathrine.seen  m.pid   mech.dir  r           tweety.seen  wombat.seen

All of them owned by apache:apache