Old 01-17-2002, 12:59 AM   #1
skarlet
LQ Newbie
 
Registered: Jan 2002
Location: Canada
Distribution: Suse 7.3
Posts: 2

Rep: Reputation: 0
Question My Suse box is acting strange, hack or just traffic?


I'm running a webpage on my server (Suse7.3) which at the same time I use as a firewall between my LAN and the internet (ipmasq).

My server has been slowing down a lot recently. I'd reboot, it would run fine and then get progressively slower when responding to http requests or a telnet login (takes 1min to get a telnet prompt). And my server logs (http and message logs) are getting huge.

My access_log has *tons* of entries like the following:
24.152.10.130 - - [11/Dec/2001:11:02:41 -0800] "GET /scripts/root.exe?/ ...

So does the error_log and they are from many different addresses but they are all 24.x.x.x...

I am thinking worms (in my unqualified opinion)...

What should I do?

Maybe just grab all the addresses and put them in some kind of hosts.deny file or something?

Help is very appreciated!
 
Old 01-17-2002, 06:19 AM   #2
piranha
Member
 
Registered: Jan 2002
Distribution: Gentoo Linux 1.4
Posts: 52

Rep: Reputation: 15
It's most likely a virus, Code Red or a variant.

http://www.linuxquestions.org/questi...threadid=11817

Last edited by piranha; 01-17-2002 at 06:20 AM.
 
Old 01-17-2002, 02:22 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quite correct stating it's either a code-red like worm (or human scanning), but it doesn't explain your Linux box slowing down to a crawl.

BTW, ditch telnet. It's *insecure*, please install and use ssh. If you're not convinced, attach tcpdump to your eth interface and log in. That should show you login authentication and other telnet traffic is in *clear text format*, so sniffable.

If your Linux box is slowing down cuz some runaway process is leaking memory you could use something like Memprof (GPL I think). This loads a library and has a GUI, and you don't need to recompile any apps to use it. OTOH it's quite specialistic in its setup (at least from my POV) and you need to have a hunch which is the offending app to check...

You could also have an hourly/quarterly cronjob run a shellscript like
"ps -eo %mem,pid,user,args --sort %mem > /tmp/ps-$(/bin/date +%d%m-%H:%M).log"
but this requires you to check the data to see which long-running processes hog memory.

If your Linux box is slowing down cuz of something else, like network related, there's usually some performance tweaks (I'm thinking net.core.rmem*), but I think if you don't want to serve anything in the 24.0.0.0/8 range (on tcp port 80), add that to your firewall (and /etc/hosts.deny) and see if that will help.
 
Old 01-17-2002, 03:34 PM   #4
skarlet
LQ Newbie
 
Registered: Jan 2002
Location: Canada
Distribution: Suse 7.3
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks guys, I'll start using ssh from now on...

The thing is that my Linux box does not slow down but the times to connect to it (telnet etc) are sometimes very long. Once connected it's running at full speed though.

I'll add some addresses to my hosts.deny to hopefully cut down on those worm attacks...

Thanks!
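
One way to check, before blocking anything, which sources are sending the `/scripts/root.exe`-style probes discussed in this thread and whether ordinary visitors share their /8 range. This is an added example, not code from any poster; the probe signatures (`root.exe`, `cmd.exe`, `default.ida`) and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+')
# Assumed signatures: IIS-only paths requested by Code Red / Nimda style scanners.
PROBE_RE = re.compile(r'(root\.exe|cmd\.exe|default\.ida)', re.IGNORECASE)

# Constructed sample lines (only 24.152.10.130 and /scripts/root.exe appear in the post).
SAMPLE_LOG = '''\
24.152.10.130 - - [11/Dec/2001:11:02:41 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
24.152.10.130 - - [11/Dec/2001:11:02:42 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
24.77.3.9 - - [11/Dec/2001:11:05:10 -0800] "GET /default.ida?XXXX HTTP/1.0" 404 270
24.77.3.9 - - [11/Dec/2001:11:05:11 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
24.200.1.5 - - [11/Dec/2001:11:07:00 -0800] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [11/Dec/2001:11:08:30 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.20 - - [11/Dec/2001:11:09:00 -0800] "GET /about.html HTTP/1.0" 200 2048
'''

def summarize(log_text):
    """Count worm probes per source IP and per /8, and ordinary requests per /8."""
    probes_by_ip, probes_by_net, normal_by_net = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed, truncated or hostname-only lines
        ip, path = m.groups()
        net = ip.split('.')[0] + '.0.0.0/8'
        if PROBE_RE.search(path):
            probes_by_ip[ip] += 1
            probes_by_net[net] += 1
        else:
            normal_by_net[net] += 1
    return probes_by_ip, probes_by_net, normal_by_net

def block_candidates(probes_by_net, normal_by_net):
    """Each /8 that sent probes, with the ordinary requests a block would also cut off."""
    return {net: {'probes': n, 'normal_requests': normal_by_net[net]}
            for net, n in probes_by_net.most_common()}

if __name__ == '__main__':
    by_ip, by_net, normal = summarize(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f'{n:4d} probes from {ip}')
    for net, info in block_candidates(by_net, normal).items():
        print(net, info)
```

In the constructed sample, 24.0.0.0/8 sent four probes but also one ordinary request, which is the trade-off to weigh before dropping the whole range at the firewall.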
 
  

