LinuxQuestions.org

Linux - Security: I think I'm being spammed (https://www.linuxquestions.org/questions/linux-security-4/i-think-im-being-spammed-423020/)

kitek 03-08-2006 10:39 PM

I think I'm being spammed

Okay folks, I have been trying to search and test several things to stop this spam. My log files are getting "file doesn't exist" for random stuff, as if it was referer spam. I'll just lay out what is happening and what I have done.

Box: Mandrake 9.2
Apache 2.0
PHP
MySQL


I am running a website that has a good amount of traffic. At random times the server's hard drive is hauling booty; resources are nothing. First I blocked all ports to make sure it wasn't an incoming thing. Doesn't stop. Unplug the net card: after a couple of minutes the server catches up and is okay. Plug it back in, and after about 5 mins it's all lagged out again. It seems like it's requesting it?? I'm not that good at Linux yet, so could I please get some help. Most of the day it's fine; it just suddenly goes nuts. I'm running PHP-Nuke and phpBB forums. I'm not using the phpBB forums on PHP-Nuke; I have disabled them since I already had them running. Does it maybe have spyware on the box, and if so, some links to help with this? Also, when it's going nuts, after an hour of clicking and waiting I can shut down the httpd service and it stops. It's related somehow to that and outgoing traffic, I think...

nx5000 03-09-2006 04:19 AM

To me it's not very clear what your problem is. There are a lot of people here who will help you if you explain your problem clearly.

* Being spammed? Means you receive a lot of junk email. This seems not to be the case?

* Being network DoSed? Means somebody is overflowing your bandwidth. You should see something on your firewall; do as usual: reject everything, but also *log everything*. Pay attention also to your HW router (is it rejecting packets?). Are the net cards/HW router constantly blinking? If you log everything, watch out for disk usage, as you may crash your machine yourself.

* Being locally DoSed? Somebody has put a malicious file on the machine which is causing havoc (like somebody installed a tool on your machine to network-DoS others => outbound traffic very high). In this case the network seems perfect, but not the CPU usage.

What are you having exactly?
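An added illustration of the "log everything" step, not part of nx5000's post: the iptables LOG target writes one kernel-log line per packet with IN=, OUT=, SRC=, DST= and DPT= fields, and a few lines of awk are enough to tell the three cases apart. Packets with IN= set came in from the network (network DoS if one source dominates); packets with IN= empty and OUT= set were generated by the box itself, and a large outbound count to a port you never configured is the "locally DoSed" case. The log lines, addresses and rule prefixes are constructed assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: sort iptables LOG output into the cases
# nx5000 lists. Assumed logging rules that produce these lines:
#   iptables -A INPUT  -j LOG --log-prefix "FW-IN: "
#   iptables -A OUTPUT -j LOG --log-prefix "FW-OUT: "
# SAMPLE_LOG is a constructed sample with documentation addresses; on a real
# box feed the kernel log (/var/log/messages on most syslog setups) instead.
SAMPLE_LOG='Mar  9 04:19:01 web kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 04:19:01 web kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 04:19:02 web kernel: FW-IN: IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=198.51.100.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 04:19:02 web kernel: FW-OUT: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=34000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 04:19:03 web kernel: FW-OUT: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.99 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=34000 DPT=6667 WINDOW=5840 RES=0x00 ACK URGP=0
Mar  9 04:19:03 web kernel: FW-OUT: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.99 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=34000 DPT=6667 WINDOW=5840 RES=0x00 ACK URGP=0'

# Usage: fw_direction_counts < logfile  ->  "inbound N" / "outbound M"
# A packet that arrived has IN=<iface>; one the box generated has IN= empty.
fw_direction_counts() {
    awk '/kernel:.* IN=/ { if ($0 ~ / IN= /) outb++; else inb++ }
         END { printf "inbound %d\noutbound %d\n", inb + 0, outb + 0 }'
}

# Usage: fw_top_sources [N] < logfile  ->  "<count> <ip>" for the top N inbound sources
fw_top_sources() {
    awk '/kernel:.* IN=[a-z]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5)
         }' | sort | uniq -c | sort -rn | head -n "${1:-5}"
}

# Usage: fw_top_outbound [N] < logfile  ->  "<count> <dst>:<port>" the box itself talks to
# A busy destination port you never configured (6667 here, the usual IRC port)
# is the sign of the third case: something on the box is generating traffic.
fw_top_outbound() {
    awk '/kernel:.* IN= / {
            dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dst != "" && dpt != "") print dst ":" dpt
         }' | sort | uniq -c | sort -rn | head -n "${1:-5}"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | fw_direction_counts
printf '%s\n' "$SAMPLE_LOG" | fw_top_sources 3
printf '%s\n' "$SAMPLE_LOG" | fw_top_outbound 3
```

Run the functions against the real kernel log instead of the sample. Keep nx5000's disk warning in mind: add `-m limit --limit 10/second` to the LOG rules so a flood cannot fill /var/log while you are watching it.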

ScooterB 03-09-2006 08:17 AM

Please describe your network for us. It will be hard to diagnose your problems without having some kind of knowledge of your network. Are you behind a router? Are you behind a firewall? Can you monitor the connections to your server from the router? So on and so on.... Any info would be helpful! Get that info together and repost!

kitek 03-09-2006 02:43 PM

Quote:

Originally Posted by ScooterB
Please describe your network for us. It will be hard to diagnose your problems without having some kind of knowledge of your network. Are you behind a router? Are you behind a firewall? Can you monitor the connections to your server from the router? So on and so on.... Any info would be helpful! Get that info together and repost!

Sorry folks, let me make it clearer, and thank you for letting me know what you need to help rather than ignoring me :)

It's behind a router. It cannot be seen from the router. It's firewalled, of course, at the router. It is used up on the CPU side. Bandwidth is fine. Originally it wasn't, until I took out the default install of the Apache proxy stuff. My network has 4 PCs on it: Linux, 2 Windows Pro clients and a Windows 2003 server with Exchange on it. If I block the firewall and do not allow any incoming traffic, the PC still lags out on the CPU side. So it must be a DoS, it seems; if this is the case, do you have an idea where I can get this removed... I'm very good with Windows systems, only about 2 years into Linux, but not a hard-core user yet.

TigerOC 03-09-2006 03:13 PM

The apps you mention have had many security flaws and have been subject to injection attacks. I get many attempts every day. The common trick is to penetrate the server and install IRC software. I suggest that you disconnect the server from the net and start investigating. Run top from the command line and it will tell you which app is using up the CPU. You need to carefully examine your log files (/var/log/syslog, auth, apache) and determine exactly what's happening.

ScooterB 03-09-2006 03:13 PM

Okay, here goes. I am making some assumptions, though, namely:

1) You have your PCs and the web server all on the same private LAN
2) You are port forwarding from your public web server IP to the private LAN IP of the web server (only port 80 or whatever you use)
3) You only have one connection from your private LAN to the router, with the public/internet on the other side

Here is how I would proceed:

At a low-traffic time I would disconnect your private LAN from the router. That would isolate the traffic to just your local LAN. If your server calms down, then the traffic is probably coming from the outside. If it doesn't, isolate each one of the PCs by unplugging it from the network until you can distinguish where the traffic is coming from. If, however, your server calms down after you unplug from the router, then the traffic is coming from the outside and I would investigate your firewall rules. You need to be dropping everything that isn't required for your sites, and make sure to shut down all services/ports on the web server that you don't have to have. I can tell you from experience that "they" are scanning everything you have, and if an open port is found they will try to get into it.

The most important thing that you can do, if the traffic is coming from the outside, is to make sure that your firewall contains a chain rule that prevents a high rate of access (otherwise known as DoSing/DoS/Denial of Service). Otherwise, they will continue to plague you.

Take a look at these things and repost.
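As an added example of the default-drop plus rate-limit firewall ScooterB describes (example code, not from the thread or any of the posters), here is an iptables ruleset for the setup in his three assumptions. The interface name, LAN range and thresholds are assumptions; the script prints the commands instead of applying them unless APPLY=1, so the rules can be reviewed and adjusted before they go live.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables ruleset for a web server
# behind a NAT router, following ScooterB's advice: default-drop, allow only
# what the site needs, and put a per-source rate limit on new connections so
# one peer cannot hammer the CPU. Assumptions (not stated in the thread): the
# box's interface is eth0, the LAN is 192.168.1.0/24, the router forwards only
# port 80, and admin SSH comes from the LAN. Without APPLY=1 the script only
# prints the commands it would run.
IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    ipt -F
    ipt -X
    # Default policy: nothing in unless a rule below allows it. If the box
    # itself turns out to be the traffic source, tighten OUTPUT here as well.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Malformed TCP (no flags / all flags) is never legitimate; drop it early.
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # HTTP: remember each source; a source that opens a 15th new connection
    # within 10 s is dropped until it backs off. Tune the numbers for your
    # traffic. ipt_recent caps --hitcount at its ip_pkt_list_tot module
    # parameter (20 by default), and the module must be loadable
    # (modprobe ipt_recent) before these rules will insert.
    ipt -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW -m recent --name HTTP --set
    ipt -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW -m recent --name HTTP --update --seconds 10 --hitcount 15 -j DROP
    ipt -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # SSH: LAN only, and at most 3 new connections a minute per source.
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Everything else is logged (rate-limited so the log cannot fill the disk)
    # and then falls to the DROP policy. Anything that shows up here that you
    # did not expect is a service to turn off (netstat -tlnp lists listeners).
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
}

firewall_rules
```

`-m recent` gives a per-source limit, which is what you want against one peer hammering the site; `-m limit` on its own is a global limit, so a single attacker would throttle your real visitors along with himself. On a 2.4-series kernel, confirm ipt_recent is present before relying on it.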

kitek 03-09-2006 09:29 PM

Quote:

Originally Posted by TigerOC
The apps you mention have had many security flaws and have been subject to injection attacks. I get many attempts every day. The common trick is to penetrate the server and install IRC software. I suggest that you disconnect the server from the net and start investigating. Run top from the command line and it will tell you which app is using up the CPU. You need to carefully examine your log files (/var/log/syslog, auth, apache) and determine exactly what's happening.


I'll check those logs out, although I'm not that great with Linux commands atm, but this does stop once it's disconnected from the internet. I'm working on what Scoot suggested now and will report back.

kitek 03-10-2006 09:21 PM

So far I did read the logs. Saw tons of SSH login attempts with random passwords and user names. Shut the service down, and so far no problems. I'm going to monitor some more and see what happens.
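An added example, not from TigerOC's or kitek's posts, of the auth-log check TigerOC asks for, applied to the kind of SSH guessing kitek found: the functions below count failed logins per source and per guessed user name, and then do the check that decides whether this is only noise, namely whether any guessing address ever got an "Accepted" line. The log lines are a constructed sample in the message format of OpenSSH of that era; the addresses, user names and the final successful root login are all assumptions put in to show what the check flags.

```shell
#!/bin/sh
# Added example, not from the thread: pull the SSH brute-force picture out of
# the auth log (TigerOC's /var/log/auth; /var/log/secure on some distros).
# SAMPLE_AUTH is a constructed sample in the OpenSSH 3.x message format of
# the time ("illegal user"; newer releases say "invalid user"). Addresses are
# documentation addresses, and the last "Accepted" line is there only to show
# what the cross-check at the bottom flags.
SAMPLE_AUTH='Mar 10 03:01:12 web sshd[4111]: Illegal user admin from 203.0.113.7
Mar 10 03:01:12 web sshd[4111]: Failed password for illegal user admin from 203.0.113.7 port 40211 ssh2
Mar 10 03:01:15 web sshd[4113]: Failed password for illegal user test from 203.0.113.7 port 40213 ssh2
Mar 10 03:01:17 web sshd[4115]: Failed password for root from 203.0.113.7 port 40215 ssh2
Mar 10 03:02:40 web sshd[4120]: Failed password for illegal user oracle from 198.51.100.20 port 51002 ssh2
Mar 10 03:02:41 web sshd[4120]: Failed password for illegal user oracle from 198.51.100.20 port 51002 ssh2
Mar 10 07:15:03 web sshd[4310]: Accepted password for kitek from 192.168.1.20 port 1034 ssh2
Mar 10 09:44:51 web sshd[4402]: Accepted password for root from 203.0.113.7 port 40890 ssh2'

# Usage: ssh_failed_by_source [N] < authlog  ->  "<count> <ip>" for the top N sources
ssh_failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | head -n "${1:-5}"
}

# Usage: ssh_users_tried < authlog  ->  distinct user names the guessers tried
# Dictionary lists (admin, test, oracle, root, ...) are the signature of an
# automated scanner rather than someone who knows the box.
ssh_users_tried() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    u = $(i + 1)
                    if (u == "illegal" || u == "invalid") u = $(i + 3)
                    print u
                    break
                }
            }
         }' | sort -u
}

# Usage: ssh_accepted_from_attackers < authlog
# The check that matters after a brute-force run: did any address that was
# guessing passwords later get an "Accepted" line? Any output here means the
# box has to be treated as compromised, not just noisy.
ssh_accepted_from_attackers() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i + 1)] = 1
         }
         /sshd\[[0-9]+\]: Accepted / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            if (src in bad) print
         }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH" | ssh_failed_by_source 3
printf '%s\n' "$SAMPLE_AUTH" | ssh_users_tried
printf '%s\n' "$SAMPLE_AUTH" | ssh_accepted_from_attackers
```

Feed the real file (`/var/log/auth.log` or `/var/log/secure`, depending on the distro) in place of the sample. Stopping sshd, as kitek did, ends the noise; if SSH has to stay reachable, the usual sshd_config hardening is `PermitRootLogin no` and `PasswordAuthentication no` with key-only logins, and not forwarding port 22 from the router at all.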

