#1 - 03-08-2006, 11:39 PM
Member | Registered: Apr 2005 | Posts: 252

I think I'm being spammed
Okay folks, I have been trying to search and test several things to stop this spam. My log files are getting "file doesn't exist" errors for random stuff, as if it was referer spam. I'll just lay out what is happening and what I have done.
BOX: Mandrake 9.2
Apache 2.0
PHP
MySQL
I am running a website that has a good amount of traffic. At random times the server's hard drive is hauling booty. Resources are nothing. First I blocked all ports, to make sure it wasn't an incoming thing. Doesn't stop. Unplug the net card; after a couple of minutes the server catches up and is okay. Plug it back in, and after about 5 mins it's all lagged out again. It seems like it's requesting it??.. I'm not that good at Linux yet, so could I please get some help. Most of the day it's fine. It just suddenly goes nuts. I'm running PHP-Nuke and phpBB forums. I'm not using the phpBB forums on PHP-Nuke; I have disabled them since I already had them running. Does it maybe have spyware on the box, and if so, some links to help with this? Also, when it's going nuts, after an hour of clicking and waiting I can shut down the httpd service and it stops. It's related somehow to that and outgoing traffic, I think...

#2 - 03-09-2006, 05:19 AM
Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307

To me it's not very clear what your problem is. There are a lot of people here who will help you if you explain your problem clearly.
* Being spammed? Means you receive a lot of junk emails. This seems not to be the case?
* Being network DoSed? Means somebody is overflowing your bandwidth. You should see something on your firewall; do as usual: reject everything but also *log everything*. Pay attention also to your HW router (is it rejecting packets?). Are netcards/HW router constantly blinking? If you log everything, watch out for disk usage, as you may crash your machine yourself.
* Being locally DoSed? Somebody has put a malicious file which is causing havoc (like somebody installed a tool on your machine to network-DoS others => outbound traffic very high). In this case, the network seems perfect but not the CPU usage.
What are you having exactly?
Last edited by nx5000; 03-09-2006 at 05:20 AM.

#3 - 03-09-2006, 09:17 AM
Member | Registered: Sep 2003 | Location: NW Arkansas | Distribution: Linux Redhat 9.0, Fedora Core 2, Debian 3.0, Win 2K, Win95, Win98, WinXP Pro | Posts: 344

Please describe your network for us. It will be hard to diagnose your problems without having some kind of knowledge of your network. Are you behind a router? Are you behind a firewall? Can you monitor the connections to your server from the router? So on and so on.... Any info would be helpful! Get that info together and repost!

#4 - 03-09-2006, 03:43 PM
Member | Registered: Apr 2005 | Posts: 252 | Original Poster

Quote:
Originally Posted by ScooterB
Please describe your network for us. It will be hard to diagnose your problems without having some kind of knowledge of your network. Are you behind a router? Are you behind a firewall? Can you monitor the connections to your server from the router? So on and so on.... Any info would be helpful! Get that info together and repost!

Sorry folks, let me make it more clear, and thank you for letting me know what you need to help rather than ignoring me.
It's behind a router. It cannot be seen from the router. It's firewalled, of course, at the router. It is used up on the CPU side. Bandwidth is fine. Originally it wasn't, till I took out the default install of the Apache proxy stuff. My network has 4 PCs on it: Linux, 2 Windows Pro clients and a Windows 2003 server with Exchange on it. If I block the firewall and do not allow any incoming traffic, the PC still lags out on the CPU side. So it must be a DoS, it seems; if this is the case, do you have an idea where I can get this removed... I'm very good with Windows systems, only about 2 years into Linux but not a hardcore user yet.

#5 - 03-09-2006, 04:13 PM
Senior Member | Registered: Jan 2003 | Location: Devon, UK | Distribution: Debian Etc/kernel 2.6.18-4K7 | Posts: 2,380

The apps you mention have had many security flaws and have been subject to injection attacks. I get many attempts every day. The common trick is to penetrate the server and install IRC software. I suggest that you disconnect the server from the net and start investigating. Run top from the command line and it will tell you which app is using up the CPU. You need to carefully examine your log files (/var/log/syslog, auth, apache) and determine exactly what's happening.

#6 - 03-09-2006, 04:13 PM
Member | Registered: Sep 2003 | Location: NW Arkansas | Distribution: Linux Redhat 9.0, Fedora Core 2, Debian 3.0, Win 2K, Win95, Win98, WinXP Pro | Posts: 344

Okay, here goes. I am making some assumptions though, namely:
1) You have your PCs and the web server all on the same private LAN
2) You are port forwarding from your public web server IP to the private LAN IP of the web server (only port 80 or whatever you use)
3) You only have one connection from your private LAN to the router, with the public/internet on the other side
Here is how I would proceed:
At a low-traffic time I would disconnect your private LAN from the router. That would isolate the traffic to just your local LAN. If your server calms down, then the traffic is probably coming from the outside. If it doesn't, isolate each one of the PCs by unplugging it from the network until you can distinguish where the traffic is coming from. If, however, your server calms down after you unplug from the router, then the traffic is coming from the outside and I would investigate your firewall rules. You need to be dropping everything that isn't required for your sites, and make sure to shut down all services/ports on the web server that you don't have to have. I can tell you from experience that "they" are scanning everything you have, and if an open port is found they will try to get in to it.
The most important thing that you can do if the traffic is coming from the outside is to make sure that your firewall contains a chain rule that prevents a high rate of access (otherwise known as dosing/DoS/Denial of Service). Otherwise, they will continue to plague you.
Take a look at these things and repost.

#7 - 03-09-2006, 10:29 PM
Member | Registered: Apr 2005 | Posts: 252 | Original Poster

Quote:
Originally Posted by TigerOC
The apps you mention have had many security flaws and have been subject to injection attacks. I get many attempts every day. The common trick is to penetrate the server and install IRC software. I suggest that you disconnect the server from the net and start investigating. Run top from the command line and it will tell you which app is using up the CPU. You need to carefully examine your log files (/var/log/syslog, auth, apache) and determine exactly what's happening.

I'll check those logs out, although I'm not that great with Linux commands atm, but this does stop once it's disconnected from the internet. I'm working on what Scoot suggested now and will report back.

#8 - 03-10-2006, 10:21 PM
Member | Registered: Apr 2005 | Posts: 252 | Original Poster

So far I did read the logs. Saw tons of SSH login attempts for random passwords and user names; shut the service down and so far no problems. I'm going to monitor some more and see what happens.
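The thread's advice converges on reading the logs: TigerOC (#5) says to examine the syslog, auth and apache logs, ScooterB (#6) says to look for a high rate of access from outside, and the original poster (#8) ends up finding a flood of SSH login attempts. As an added example that is not from the thread or any of its posters, the Python 3 script below does both checks over a handful of constructed log lines: sshd auth-log lines in the syslog format of the era, and Apache combined-format access-log lines, all using RFC 5737 documentation addresses. The thresholds (4 failed SSH logins per source, more than 5 requests per source per minute) are arbitrary values chosen for the sample, not numbers from the thread; on a real box you would feed it /var/log/auth.log (or /var/log/secure) and the Apache access log and tune them to your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not taken from the thread. Addresses are from the
# RFC 5737 documentation ranges; the layout mirrors a 2006-era sshd syslog line.
AUTH_LOG = """\
Mar  9 22:10:01 box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Mar  9 22:10:03 box sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 4322 ssh2
Mar  9 22:10:05 box sshd[1205]: Failed password for root from 203.0.113.5 port 4323 ssh2
Mar  9 22:10:07 box sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 4324 ssh2
Mar  9 22:10:09 box sshd[1209]: Failed password for invalid user guest from 203.0.113.5 port 4325 ssh2
Mar  9 22:11:40 box sshd[1230]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Mar  9 22:11:55 box sshd[1232]: Accepted password for bob from 198.51.100.7 port 50002 ssh2
Mar  9 22:12:00 box sshd[1240]: Accepted publickey for alice from 192.0.2.9 port 40000 ssh2
"""

# Constructed Apache combined-format access-log lines (same caveat as above).
ACCESS_LOG = """\
203.0.113.5 - - [09/Mar/2006:22:10:00 -0500] "GET /modules.php?name=Forums HTTP/1.1" 200 8123 "-" "-"
203.0.113.5 - - [09/Mar/2006:22:10:01 -0500] "GET /modules.php?name=Forums HTTP/1.1" 200 8123 "-" "-"
203.0.113.5 - - [09/Mar/2006:22:10:01 -0500] "GET /modules.php?name=Forums HTTP/1.1" 200 8123 "-" "-"
203.0.113.5 - - [09/Mar/2006:22:10:02 -0500] "GET /modules.php?name=Forums HTTP/1.1" 200 8123 "-" "-"
203.0.113.5 - - [09/Mar/2006:22:10:02 -0500] "GET /modules.php?name=Forums HTTP/1.1" 200 8123 "-" "-"
203.0.113.5 - - [09/Mar/2006:22:10:03 -0500] "GET /modules.php?name=Forums HTTP/1.1" 200 8123 "-" "-"
198.51.100.7 - - [09/Mar/2006:22:10:05 -0500] "GET /index.php HTTP/1.1" 200 4310 "-" "-"
198.51.100.7 - - [09/Mar/2006:22:12:30 -0500] "GET /index.php HTTP/1.1" 200 4310 "-" "-"
"""

# "Failed password for [invalid user ]<name> from <ip> port <n>"; accepted logins do not match.
SSH_FAIL = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)
# Leading fields of the Apache combined format: client, ident, user, [timestamp], "request", status.
APACHE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def ssh_failures(text):
    """Yield (source ip, username) for every failed sshd password line; other lines are skipped."""
    for line in text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            yield m.group("ip"), m.group("user")


def brute_force_sources(text, threshold=4):
    """Map each source IP with at least `threshold` failures to the sorted usernames it tried."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for ip, user in ssh_failures(text):
        counts[ip] += 1
        users[ip].add(user)
    return {ip: sorted(users[ip]) for ip, n in counts.items() if n >= threshold}


def peak_request_rate(text, window_seconds=60):
    """Highest number of requests each client made inside any sliding window of window_seconds."""
    stamps = defaultdict(list)
    for line in text.splitlines():
        m = APACHE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            stamps[m.group("ip")].append(ts)
    peaks = {}
    for ip, times in stamps.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_seconds of t.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flood_sources(text, max_per_window=5, window_seconds=60):
    """Clients whose peak rate exceeds max_per_window requests per window_seconds."""
    rates = peak_request_rate(text, window_seconds)
    return sorted(ip for ip, n in rates.items() if n > max_per_window)


if __name__ == "__main__":
    for ip, names in brute_force_sources(AUTH_LOG).items():
        print("ssh brute force from %s, usernames tried: %s" % (ip, ", ".join(names)))
    for ip in flood_sources(ACCESS_LOG):
        print("request flood from %s (%d requests/minute)" % (ip, peak_request_rate(ACCESS_LOG)[ip]))
```

The two detectors deliberately key on different evidence: SSH failures are counted per source regardless of spacing, since a slow password guess is still a guess, while web requests are judged on burst rate inside a sliding window, which is the same "high rate of access" idea ScooterB wants enforced at the firewall. Whatever this script flags is what a firewall rate-limit rule or an SSH lockdown (key-only auth, or turning the service off as the poster did) is meant to stop.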