DDoS?

dreamline (Verified User, joined Dec 3, 2005, 108 messages)
Hi All,
Since last weekend I'm running Apache 2.0.59, PHP 4.4.4 and MySQL 4.1.25. Since then I've been (D)DoSed, and looking at my logs I can see Apache is what's crashing. It crashed because of a certain script that connects to an IRC channel. I even know the script name; however, I think it may not be wise to discuss that here.. :) In case somebody gets any ideas... :)

Anybody have problems like this? If so, and you did solve it, how did you solve it? I think it's caused by an Apache module (can't remember the name right now)....

Thanks for any help on solving my problem...
 
It would be great if you could show us some of the log lines you find suspicious, and tell us what OS/hardware you're running.

That way we might be able to help you more. :D
 
Code:
Resolving xxxxxxxxxx.com... 67.19.xx.xx
Connecting to elektroteh.com[67.19.xx.xx]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39,984 [text/plain]

    0K .......... .......... .......... .........            100%   93.63 KB/s

13:06:41 (93.63 KB/s) - `xxx' saved [39984/39984]

Finally, about 50-200 lines with the following error:

[Fri Oct 13 13:55:49 2006] [error] (23)Too many open files in system: apr_accept: (client socket)

This is part of the log, and I omitted some of the info; however, the file saved is the script, and it seems to have been transferred from 67.19.xx.xx. When I open the script, it says this in the first part (I did not include the full script):

Code:
/*******************************************************************************
 *   This is a IRC based distributed denial of service client.  It connects to *
 * the server specified below and accepts commands via the channel specified.  *
 * The syntax is:                                                              *
 *       !<nick> <command>                                                     *
 * You send this message to the channel that is defined later in this code.    *
 * Where <nick> is the nickname of the client (which can include wildcards)    *
 * and the command is the command that should be sent.  For example, if you    *
 * want to tell all the clients with the nickname starting with N, to send you *
 * the help message, you type in the channel:                                  *
 *       !N* HELP                                                              *
 * That will send you a list of all the commands.  You can also specify an     *
 * astrick alone to make all client do a specific command:                     *
 *       !* SH uname -a                                                        *
 * There are a number of commands that can be sent to the client:              *
 *       TSUNAMI <target> <secs>       = A PUSH+ACK flooder                    *
 *       PAN <target> <port> <secs>    = A SYN flooder                         *
 *       UDP <target> <port> <secs>    = An UDP flooder                        *
 *       UNKNOWN <target> <secs>       = Another non-spoof udp flooder         *
 *       NICK <nick>                   = Changes the nick of the client        *
 *       SERVER <server>               = Changes servers                       *
 *       GETSPOOFS                     = Gets the current spoofing             *
 *       SPOOFS <subnet>               = Changes spoofing to a subnet          *
 *       DISABLE                       = Disables all packeting from this bot  *
 *       ENABLE                        = Enables all packeting from this bot   *
 *       KILL                          = Kills the knight                      *
 *       GET <http address> <save as>  = Downloads a file off the web          *
 *       VERSION                       = Requests version of knight            *
 *       KILLALL                       = Kills all current packeting           *
 *       HELP                          = Displays this                         *
 *       IRC <command>                 = Sends this command to the server      *
 *       SH <command>                  = Executes a command                    *
 * Remember, all these commands must be prefixed by a ! and the nickname that  *
 * you want the command to be sent to (can include wildcards). There are no    *
 * spaces in between the ! and the nickname, and there are no spaces before    *
 * the !                                                                       *
 *                                                                             *
 *                               - contem on efnet                             *
 *******************************************************************************/

That's how I figured I'm being (D)DoSed.. I'm running a Debian sarge OS, btw...

Hopefully this will help to solve my problem.. :D
 
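
The post above shows two different things in one log: a wget transcript written into Apache's error log (which is how the bot arrived), and a burst of apr_accept failures (which is what the bot did once it ran). The script below is an added example for triaging such a log; it is not code from the thread or from any of its posters. The log lines and the "dropped file" it scans are constructed stand-ins modelled on the quoted ones, with the hostname and IP replaced by documentation placeholders (download.example.com, 192.0.2.10), and the indicator list is nothing more than the command names visible in the banner the poster quoted.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the thread: a wget
# transcript that a compromised PHP/CGI process wrote to Apache's error log,
# followed by apr_accept failures once the bot had exhausted the descriptor
# table. Host and IP are documentation placeholders, not the real ones.
SAMPLE_ERROR_LOG = """\
Resolving download.example.com... 192.0.2.10
Connecting to download.example.com[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39,984 [text/plain]
13:06:41 (93.63 KB/s) - `xxx' saved [39984/39984]
[Fri Oct 13 13:55:49 2006] [error] (23)Too many open files in system: apr_accept: (client socket)
[Fri Oct 13 13:55:49 2006] [error] (23)Too many open files in system: apr_accept: (client socket)
[Fri Oct 13 13:55:50 2006] [error] (24)Too many open files: apr_accept: (client socket)
"""

# Constructed stand-in for the head of the dropped file, reusing a few of the
# command names from the banner quoted in the thread.
SAMPLE_DROPPED_FILE = """\
/* This is a IRC based distributed denial of service client.
 *       TSUNAMI <target> <secs>       = A PUSH+ACK flooder
 *       PAN <target> <port> <secs>    = A SYN flooder
 *       SH <command>                  = Executes a command
 */
#include <stdio.h>
"""

CONNECT_RE = re.compile(
    r"Connecting to (?P<host>\S+)\[(?P<ip>[\d.]+)\]:(?P<port>\d+)\.\.\. connected\.")
SAVED_RE = re.compile(r"`(?P<name>[^']+)' saved \[(?P<got>\d+)/(?P<total>\d+)\]")
ACCEPT_RE = re.compile(r"\[error\] \((?P<errno>\d+)\)Too many open files[^:]*: apr_accept")

ENFILE, EMFILE = 23, 24  # Linux errno values behind the two messages


def find_downloads(log_text):
    """Pair each wget 'Connecting to' line with the 'saved' line that follows it.

    A wget transcript inside Apache's *error* log means a process running as
    the httpd user executed wget: that is the initial compromise (typically
    command injection in a PHP script), and the IRC flooder is only its payload.
    """
    downloads, pending = [], None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            pending = {"host": m["host"], "ip": m["ip"], "port": int(m["port"])}
            continue
        m = SAVED_RE.search(line)
        if m and pending is not None:
            pending.update(saved_as=m["name"], size=int(m["total"]),
                           complete=m["got"] == m["total"])
            downloads.append(pending)
            pending = None
    return downloads


def count_accept_failures(log_text):
    """Count apr_accept failures by errno.

    23 (ENFILE, 'Too many open files in system') is the kernel-wide table
    (fs.file-max) being full, which any process on the box can cause, e.g. a
    flooder holding thousands of sockets; 24 (EMFILE, 'Too many open files')
    is httpd's own per-process limit (ulimit -n). The thread's log shows 23,
    which is consistent with another process on the host eating the table.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            counts[int(m["errno"])] += 1
    return counts


def irc_bot_indicators(file_text):
    """Return which of the banner keywords quoted in the thread a file contains."""
    markers = ("distributed denial of service", "TSUNAMI", "PAN <target>",
               "UDP <target>", "SH <command>", "efnet")
    return [marker for marker in markers if marker in file_text]


if __name__ == "__main__":
    for d in find_downloads(SAMPLE_ERROR_LOG):
        print(f"download from {d['host']} [{d['ip']}]:{d['port']} -> {d['saved_as']} "
              f"({d['size']} bytes, complete={d['complete']})")
    print("apr_accept failures by errno:", dict(count_accept_failures(SAMPLE_ERROR_LOG)))
    print("bot indicators in dropped file:", irc_bot_indicators(SAMPLE_DROPPED_FILE))
```

The point of separating the two passes is that blocking the download host or raising fs.file-max only treats the symptoms; the download record tells you which script ran wget on Apache's behalf, and that script, not the bot binary, is what has to be fixed.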
Think I nailed down the DDoS. It seems that my server supplier installed OpenSSL 0.7.x, and before a certain version there are 2 DDoS exploits out there.. So for all the people out there that still use versions lower than OpenSSL 0.9.7l or 0.9.8d, you'd better upgrade... :)

Today is the first day in a row of 3 days that my Apache webserver hasn't crashed because of this IRC exploit.. :D
 
I was too premature, so I left 2.0.59 and went back to 1.3.37 to see if the problem is solved. If so, then it has to do with all the modules I lost after updating OpenSSL and rebuilding apache_2... :(
 
Problem solved. I changed some file permissions and blocked the IP where the DDoS was coming from; since then, no more problems.. :)
 
A note to add: the latest CentOS update uses version 0.9.7a-43.4; this version includes all the backports for a secure OpenSSL configuration.

Jeff
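
The two posts above pull in opposite directions: one says anything below 0.9.7l or 0.9.8d should be upgraded, the other points out that CentOS ships 0.9.7a-43.4 with the fixes backported. Both are right, and the catch is that pre-1.1 OpenSSL used trailing letters as the patch level, so a naive string comparison gets the order wrong and a vendor release suffix makes the upstream number meaningless on its own. The checker below is an added example, not code from either poster; the thresholds are exactly the ones the thread gives and are not independently verified here, and the "distro-patched" verdict is deliberately a "go read the package changelog" answer rather than a claim that the package is fixed.

```python
import re

# Fix levels named in the thread (upgrade if below 0.9.7l or 0.9.8d),
# keyed by release branch. Branches not listed are not assessed.
FIX_LEVEL = {(0, 9, 7): "l", (0, 9, 8): "d"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?$")


def parse_openssl_version(text):
    """Split '0.9.7a-43.4' into ((0, 9, 7), 'a', '43.4').

    Pre-1.1 OpenSSL used trailing letters as the patch level, so ''
    (unlettered) < 'a' < ... < 'z' < 'za' < 'zb'. The optional '-suffix' is a
    distribution package release (what `rpm -q openssl` reports on CentOS);
    upstream numbering knows nothing about it.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4], m[5]


def letter_key(letter):
    """Sort key giving the upstream patch-letter order, including 'za'..'zh'."""
    return (len(letter), letter)


def assess(text):
    """Classify a version string against the thread's thresholds.

    Returns 'ok', 'vulnerable', 'unknown-branch', or 'distro-patched' when the
    upstream letter is below the fix level but the package carries a vendor
    release suffix (as with the CentOS 0.9.7a-43.4 mentioned in the thread):
    the fix may well be backported, so the package changelog, not the letter,
    is the thing to check.
    """
    branch, letter, distro_release = parse_openssl_version(text)
    fix = FIX_LEVEL.get(branch)
    if fix is None:
        return "unknown-branch"
    if letter_key(letter) >= letter_key(fix):
        return "ok"
    return "distro-patched" if distro_release else "vulnerable"


if __name__ == "__main__":
    # On a live host, feed it the second field of `openssl version`.
    for v in ("0.9.7a", "0.9.7l", "0.9.8c", "0.9.8d", "0.9.8zh", "0.9.7a-43.4", "1.0.2k"):
        print(f"{v:14} {assess(v)}")
```

A self-built Apache linked against a fresh upstream OpenSSL and a distro package with backports can therefore both be fine; what is never fine is trusting the letter alone in either direction.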
 