This guy is running a botnet on me....

Posted by Shazz, 08-28-2008, 01:56 AM
I have tried everything; hosts that say they're secure and can take care of me don't seem to do the trick. This guy runs thousands of IPs on me every day and when it gets banned it automatically renews. I even changed my forum directory and it's still attacking an hour later. How do you survive a botnet?

Posted by Xous, 08-28-2008, 03:18 AM
Hi, basically you have to have more bandwidth than the attackers' combined bandwidth plus the bandwidth you need for your customers. You also need to have enough CPU and memory to cover the processing of the extra hits and set up some method of automatically blocking the attackers to reduce the amount of system resources the attack uses up. You might want to think about switching to multiple hosts (which is difficult because you have a forum database) and/or hosts that provide DDoS mitigation services.

Posted by Frontpage1, 08-28-2008, 11:55 AM
Have you identified what user agent the botnet attacks are using?

Posted by Shazz, 08-28-2008, 03:40 PM
Frontpage1, No. Not sure how to find out. -- Xous what procedure should I take?

Posted by Ramprage, 08-28-2008, 03:45 PM
Review some of the logs, they can tell you a lot.

Posted by Shazz, 08-28-2008, 04:46 PM
Yes, it's all legit traffic but they're bots!! Looks like everyone is clueless on this forum.

Posted by Jonathan Kinney, 08-28-2008, 05:43 PM
We would need more information in order to help you address the issue. It could be your forum software: if it does not have enough security to prevent the undesirables from getting in and posting ads, then many bots will find their way to the forum, and many more will come until it is secured. But then again this is just a guess; I do not know the situation, or what the bots are doing. If you could give us a clue as to what their interest and purpose in your forum is, then we may be able to present more ideas in return.

Posted by CretaForce, 08-28-2008, 06:12 PM
Can you copy-paste a few lines of the logs?

Posted by Srv24x7, 08-29-2008, 12:48 AM
Install mod_security on Apache with the DDoS Deflate script.

Posted by Shazz, 08-29-2008, 06:32 PM
That was installed on my first host, didn't do a thing. -- I'm not sure how logs would do anything...

Posted by Bofu2U, 08-29-2008, 06:37 PM
I'm going to bet that you don't mean botnet, and you're referring to scripts signing up for accounts and spamming posts...

Posted by Jonathan Kinney, 08-29-2008, 07:06 PM
He really is not giving enough information for us to tell, but I did do a search for his other posts to see if he had posted about problems like this some other place on the forum. From reading his other posts, I could deduce that he may be a victim of a DDOS attack. It is a little sad that I have to deduce that. I will not post any more on this thread until more information is actually presented. I would love to help, but that requires information; deduction and guessing only go so far.

Posted by Shazz, 08-29-2008, 10:07 PM
Umm no. -- I would try to post more info if I knew more about botnets.

Posted by TheITAdvisory, 08-29-2008, 10:28 PM
Alright, do you have root SSH access to the server? Do you use WHM/cPanel? Perhaps you can grab us some of the information from the Apache server-status directive in WHM. You can also issue a slew of netstat commands with many different switches and Linux/Unix scripting to negate what the IPs are doing. I guess what it really boils down to is this:

1. What operating system are you using?
2. What web server software are you using?
3. What types of control panels/managers do you use?
4. Do you have root or admin access to this server via SSH, or remote desktop?

If you can post answers to some of these questions, we can better provide a solution for you.

Posted by Shazz, 08-30-2008, 01:08 AM
Wow, there's no way to answer all those questions. I've switched from so many web hosts that all have different types of stuff, like LiteSpeed instead of Apache, every firewall you can list and find on Google or whatever. It's not possible to stop. Therefore I'm done. Thank you for reading and for your time.

Posted by TheITAdvisory, 08-31-2008, 01:13 PM
lol, okay.

Posted by Shazz, 08-31-2008, 02:04 PM
The attacker I think is running this script http://h1.ripway.com/vnc2008/idr0x.txt But that file isn't in my FTP files, so how is he executing this to get all of the server info on any host I'm on?

Posted by TowerOfPower, 08-31-2008, 02:08 PM
Log all the IPs for 24 hours, then ban them all.

Posted by DNGeeks, 08-31-2008, 02:25 PM
Since you are clueless about this whole issue I would suggest you hire someone to first determine what is happening. Then they can give you an assessment of what you need to do.

Posted by Shazz, 08-31-2008, 05:08 PM
They automatically renew. Here's a quote: "Well basically if any hosts ask just tell them it is an HTTP GET flood ranging from around 250-500 requests per second, and if I remember correctly it was around 100KB incoming traffic per second and around 200KB outgoing per second."

Posted by CretaForce, 08-31-2008, 05:46 PM
Do all the bots use the same agent? Can you post 4-5 lines of the logs?

Posted by dotRoot, 08-31-2008, 06:46 PM
Sounds like you are using a forum software, such as phpBB2 with a lot of exploits via attachments. Basically, in some of those exploits you can upload the file through the forum and is then executed from there, and because Apache owns the process it essentially has all of the power of Apache. Your "scripts" are most likely in your /tmp folder under one of the many PHP sessions there. Proper hardening would help, however, the best solution would most likely be to use different forum software. Which forum is it?

Posted by Shazz, 08-31-2008, 07:40 PM
The LATEST vBulletin. When I get it on a host again, which will only last for an hour. That is coming real soon...

Posted by dotRoot, 08-31-2008, 08:27 PM
Did you check your /tmp folder for those scripts? Because it doesn't just have to be forum software. And the exploit could still be in the latest vBulletin.

Posted by Shazz, 08-31-2008, 10:08 PM
Yes, nothing is there. It couldn't be an exploit in vBulletin, it's too simple of a script. He would need to do more.

Posted by TheSimpleHost-Nathan, 08-31-2008, 10:43 PM
I'm sorry, but having read this thread and watched you asking for advice without providing answers to questions, how do you expect anyone to help you? You've made it clear you don't have a clue how to sort this out, so how do you know it's "too simple of a script"? Once you get PHP access you can pretty much do anything to a server. If you don't know what OS you're running, if you have root access, and the other questions that TheITAdvisory asked, then you should DEFINITELY hire a tech to secure your system. //-- rant

Posted by beingdefined, 08-31-2008, 10:55 PM
what ^ he said

Posted by dotRoot, 09-01-2008, 01:13 AM
Nothing is too simple. There's a lot of different things that come into play. I figured, by everything that you've posted, that you think someone has "hacked" your system to run your server as a bot on their botnet. To do so, someone must access your server in some way. Generally, trying to gain easy access to do so is done via some exploitation of some script that's open to the public. Usually, the payload is dumped into /tmp, or whatever temporary folder your interpreter is set up to use, and I suspect it's probably PHP, in which case you'd need to see if it actually uses /tmp or some other place in its configuration. If someone is in fact putting some sort of script or virus onto your server, which you don't use to do anything but serve pages, then how else do you expect the virus/script got there? Obviously it would be through Apache or some other public internet service that you are running. I did a lot of assuming the best I could from what little you've said. At this point you probably should hire someone to harden your server for you. Most of us aren't going to keep guessing, and hardening is generally pretty cheap if you don't do it yourself anyway. Good luck.

Posted by fubarza, 09-01-2008, 03:23 AM
Some things you can do:

- check for new accounts on your system, eg:

[root@serv0 ~]# grep :5[0-9][0-9]:5[0-9][0-9]: /etc/passwd
michael:x:500:500::/home/michael:/bin/bash
info:x:501:501::/home/info:/sbin/nologin
sales:x:502:502::/home/sales:/sbin/nologin
support:x:503:503::/home/support:/sbin/nologin
julian:x:504:504::/home/julian:/sbin/nologin

Those are non-system accounts on my system.

- check who last accessed your system, eg:

last -20

This will show you the last 20 logins to your box.

- search for successful SSH logins, eg:

grep -i "accepted password for" /var/log/secure

- check for arb services, eg:

ps aux
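An added example (not fubarza's commands and not from the thread) that expresses the same two log-based checks in Python against constructed file contents so it runs offline. It goes a little beyond the post in two ways: it selects non-system accounts by UID range rather than the fixed ":5[0-9][0-9]:" pattern, because distributions that start regular users at UID 1000 would never match that grep, and it matches every successful sshd authentication, not only "Accepted password", because the post's grep misses public-key logins. The /etc/passwd and /var/log/secure excerpts, host name "serv0", user names and IP addresses are all constructed.

```python
"""Offline host checks: non-system accounts and successful SSH logins.

Added example, not fubarza's commands. The file contents, host name,
user names and IPs below are all constructed."""
import re

# Constructed /etc/passwd excerpt. The thread's grep matches only UIDs 5xx;
# distributions that start regular users at UID 1000 need a range check.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
michael:x:500:500::/home/michael:/bin/bash
info:x:501:501::/home/info:/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""

# Constructed sshd lines in the /var/log/secure style the post greps.
SECURE_SAMPLE = """\
Sep  1 03:10:01 serv0 sshd[2101]: Accepted password for michael from 198.51.100.7 port 51022 ssh2
Sep  1 03:11:44 serv0 sshd[2133]: Failed password for root from 203.0.113.5 port 40011 ssh2
Sep  1 03:12:09 serv0 sshd[2140]: Accepted publickey for deploy from 192.0.2.9 port 55100 ssh2
Sep  1 03:15:30 serv0 sshd[2177]: Accepted password for deploy from 203.0.113.5 port 40020 ssh2
"""

# Shells that prevent an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def non_system_accounts(passwd_text, uid_min=500, uid_max=60000):
    """(name, uid, can_login) for every account whose UID is in [uid_min, uid_max]."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # comment or damaged line
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid_min <= uid <= uid_max:
            found.append((name, uid, shell not in NOLOGIN_SHELLS))
    return found


# Any authentication method, not just "Accepted password", so key logins show too.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def accepted_ssh_logins(secure_text):
    """(user, source_ip, method) for each successful sshd authentication, in log order."""
    matches = (ACCEPTED_RE.search(line) for line in secure_text.splitlines())
    return [(m["user"], m["ip"], m["method"]) for m in matches if m]


def logins_from_unexpected_ips(logins, known_ips):
    """Successful logins from addresses not on the administrator's own list."""
    return [entry for entry in logins if entry[1] not in known_ips]


if __name__ == "__main__":
    for acct in non_system_accounts(PASSWD_SAMPLE):
        print("account:", acct)
    logins = accepted_ssh_logins(SECURE_SAMPLE)
    for entry in logins_from_unexpected_ips(logins, {"198.51.100.7", "192.0.2.9"}):
        print("review:", entry)
```

In the constructed sample the address that failed a root password shortly before succeeding as "deploy" is the one flagged for review; that failed-then-accepted sequence from one source is the pattern worth looking for in a real /var/log/secure.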

Posted by webuser00, 09-01-2008, 03:38 AM
I agree... don't try to speak down to people who try to help you. They are asking you questions which IF you answer, could lead to a solution.

Posted by Frontpage1, 09-01-2008, 08:38 AM
No. We are not clueless. You need to provide more information. How can it be "legit traffic but they're bots"? That doesn't make any sense. If they are bots, most likely they will have a common user agent. Once you know the user agent you can temporarily filter them. But we can't help you if you don't provide any data from your logs.

Posted by Shazz, 09-01-2008, 11:49 AM
I've switched hosts so many times... I've got off Apache and went to LiteSpeed. There's a lot of stuff you have said in there that doesn't even relate to me.

Posted by TheITAdvisory, 09-01-2008, 12:25 PM
Please just hire a server security / management company.

Posted by Xous, 09-01-2008, 12:26 PM
Hi Shazz, you are simply not providing enough information for anyone here to make more than an educated guess at a solution to your problem. Some information we need is the number of requests per second, average bandwidth usage, peak bandwidth usage, throughput, and system usage statistics (top). I would suggest that you hire an experienced system administrator to take a look at your server and suggest a solution to your problem.

Posted by Frontpage1, 09-01-2008, 01:35 PM
Since you refuse to provide any meaningful information about the nature of your problem despite multiple requests over 3 days by folks here to help you, I can only surmise you are a troll. Please refer to the sticky entitled "How-to: Request Help From the Experts here" for future requests. Last edited by Frontpage1; 09-01-2008 at 01:39 PM.

Posted by Sheps, 09-01-2008, 02:36 PM
I need to edit that. More information in there would be useful. But since I no longer moderate, well... It is sort of neglected. That said, even the information in there would help us.

Posted by Shazz, 09-01-2008, 03:24 PM
Here's a quote: "Well basically if any hosts ask just tell them it is an HTTP GET flood ranging from around 250-500 requests per second, and if I remember correctly it was around 100KB incoming traffic per second and around 200KB outgoing per second." If I had any more info I would solve it myself. I've hired 3 people from here and they're all clueless about this problem. I even forwarded my domain to their DNS settings. (WHICH should give enough info)

Posted by Sheps, 09-01-2008, 03:44 PM
Honestly, the first thing we are going to need is to get a piece of the logfile to take a look. Could you upload some of your httpd log to something like pastebin?

Posted by WII-Aaron, 09-01-2008, 03:54 PM
Shazz, try to answer the questions posted in the thread to the best of your ability. The more info you can supply, the more likely someone here will be able to help you out. You may also consider hiring a system admin to manage your forum for you.

Posted by Luxore, 09-01-2008, 04:28 PM
If you are as impolite to your hosts as you are to the people here who are trying to help you, then I'm not surprised that you only last an hour on a new host. Do you have copies of your log files from before and since this started happening? What is your budget for dealing with this problem? If you have a decent amount of money then you want to get set up with a dedicated server on a high bandwidth host and an admin who can write some scripts to dynamically build iptables/ipsets for you. If you have no budget then just leave the site down for a few days so that the idiot attacker can think he won and move on to bothering someone else. If you have only a small budget then you should work on being nicer to people who are trying to help you. The simple fact is that you have to be able to tell good traffic from bad traffic if you want to keep one and block the other. All the people asking you about your log files are asking because they hope to see something that will help identify bad traffic so it can be blocked. The questions about your OS and control panel are so that we will know what tools are available to you. As always, the most important tool is the human mind. Without a working mind you are pretty much out of luck.

Posted by Shazz, 09-01-2008, 08:09 PM
I have answered every question, and the rest are repeats. I've hired 3 people from this forum as I have ALREADY stated and it's failed.

Posted by k3oni, 09-02-2008, 10:56 AM
If the guy attacking you is indeed using a botnet to do this, it may be possible he is using the same bots on all servers, and it may be possible to identify a matching TTL in the logs and also a matching length of packets on the IPs attacking. This may help you drop his attack, at least for a bit if he does not change anything in the meantime, using iptables, as a start. But for all this you will need at least a general knowledge about iptables and networking. Don't think that everything is being done using scripts or by script kidiezz, as it is not, and a high intensity DDoS attack can be thrown at you without even a compromised script on your server. CN:/ Need iptables and tcpdump to be able to try and identify the TTL of the attacking IPs' connections - may be able to drop some of the attack./

Posted by brianoz, 09-04-2008, 06:17 AM
While you've carefully answered every question, you've also carefully avoided providing the detailed answers we need to help. Every DDOS is different, and the answer's in the details: logfiles, traffic dumps, actually knowing the domain in question. I'm with the earlier poster who thought you were a troll; I've never seen anyone avoid giving details so successfully for so long!

Posted by Shazz, 09-04-2008, 02:43 PM
I don't own the server. I have moved off of so many hosts; I don't have log files and such... If you tell me how, I'll give everything. Domain: vBCoderz.com

Posted by j2m2, 09-04-2008, 03:00 PM
I think the problem is you should up your budget and get a dedicated server if you don't own the server. Then all your problems will be solved, because it looks like your host is not doing anything to help you. Do the following: SHELL into your server and grab the /etc LOG files and paste them here. If you do not do that we can't help you at all, and it looks like you're attracting some wrong people from your site (I am guessing warez-linking sites, which always get attacked anyway).

Posted by Shazz, 09-05-2008, 01:18 AM
No, this is not warez. I'm not sure what you mean by SHELL into my server when I don't have a server. I've been on every type of hosting you can think of; many host owners stuck their necks out for me. Nothing of that sort is stopping this.

Posted by webuser00, 09-05-2008, 01:21 AM
Lol, you don't need to own the server to have a shell account. Ask them to give you a shell account for your hosting. How much do you pay a month for your hosting?

Posted by k3oni, 09-05-2008, 08:32 AM
As someone else suggested, you may want to look into getting your own server, as if you get attacked like this and you still look for a shared host, I am unsure which one of them out there will like to put his server in front of an attack for $10 a month; and more to it, you do not have direct access to the server so that you can at least try to stop these attacks. Sorry, but you do not have too many options when it comes to attacks and shared hosting.

Posted by TheITAdvisory, 09-05-2008, 05:43 PM
I can't believe this thread is still going on -- LOL! MOD's any ideas here? lol.

Posted by Shazz, 09-05-2008, 07:22 PM
I don't have a host right now, I'm still trying to find a solution. Shared hosting doesn't matter; VPS or dedicated are all the same. I've been on all of them on many different hosts.

Posted by jseymour, 09-06-2008, 05:43 PM
Can you please paste a few lines of your apache (or whatever web server you are using) access logs. It would be helpful to know what is being dealt with. Thanks. I assume this is a dedicated server. Correct?

Posted by Shazz, 09-06-2008, 05:50 PM
I was on a dedicated server, I'm now on NO host, I have no logs. I'm willing to pay someone for this issue, just contact me. AIM: shazzdesigns Yahoo: shazzdesigns MSN: Shazz_33@hotmail.com Email: shinckley@gmail.com -- Phone number can be sent via PM.

Posted by Coolraul, 09-06-2008, 06:48 PM
Shazz, you are not giving any useful information. Clearly you think everyone else here is stupid, yet you have not answered the questions people could use to help you. Since you are so sure that their questions are useless, I assume you know the answer yourself? This isn't a straightforward answer. It depends on many things, and those things can be determined by the answers and information that you refuse to give. If you are unwilling or unable to answer them, I don't think anyone can help you.

Posted by brianoz, 09-07-2008, 08:59 AM
Should be possible to host it on a shared/spare host for a few hours and see if the attack eventuates.

Posted by Shazz, 09-08-2008, 01:12 AM
Raw Access Logs from cPanel http://www.filefactory.com/dlf/f/daa...om_9_7_2008_gz I uploaded it there since this site won't allow a 2mb zip. Also update: They just broke theplanets dedicated hosting.

Posted by franciscocharrua, 09-08-2008, 01:30 AM
He says he has moved to various hosts, with different OSs. I would guess that the exploit is a PHP based one. Someone I know built a site that had include() take a direct parameter. Through the log files, I was able to see how some people got almost root shell access to the server, scary.

Posted by franciscocharrua, 09-08-2008, 09:14 AM
There are several entries for 74.6.17.154. This IP doesn't seem to access any of your site's images, just the .php's. And it seems to be accessing your site all day long. http://ws.arin.net/whois/?queryinput=74.6.17.154 for more info.

Posted by MikeDVB, 09-08-2008, 09:28 AM
This would not be too difficult, as many larger forums do this. Generally you would want to put your database on a single powerful server (or a cluster, if the need was there) and then connect remotely to the database from a few different web servers. This would be an expensive way to "survive" a DDOS, mind you. What is your site that is being DDOSed, and why have you not answered any of the questions that have been posed to you so far? If you do what is asked of you, it's likely that you could receive the help you are looking for.

Posted by Shazz, 09-08-2008, 10:51 AM
Is this the attacker's IP? Can I take action against this? I posted the attachment log as everyone has asked.

Posted by jseymour, 09-08-2008, 11:35 AM
No it looks like a yahoo Inktomi spider. If that spider is causing problems you can email them. I know several years back I had a google bot stuck on my site causing issues.

Posted by MikeDVB, 09-08-2008, 11:42 AM
I've personally seen bots running in circles on one single site causing tremendously high loads. From the looks of it, you're not getting botnet'ed but bot'ed by Yahoo (and not intentionally). I agree, contact yahoo.

Posted by Dataworld, 09-08-2008, 01:33 PM
I looked at your log and this is pretty simple to block using .htaccess. Add this to your .htaccess and it will give them 403 errors, which doesn't lag a server much. This code will allow most browsers and block the rest; if you have a browser being blocked you can always add another line. It will block 3/4 of that attack in your logs because they are using fake user agents such as Mozilla/7.6. If you want to block Yahoo Slurp attacks, below this code add: Deny from 74.6.0.0/16

SetEnvIfNoCase user-agent "^Mozilla/5.0 " good_bot
SetEnvIfNoCase user-agent "^Mozilla/4.0 " good_bot
SetEnvIfNoCase user-agent "^Microsoft " good_bot
SetEnvIfNoCase user-agent "^Windows-" good_bot
SetEnvIfNoCase user-agent "^NSPlayer/" good_bot
SetEnvIfNoCase user-agent "^Opera/" good_bot
SetEnvIfNoCase user-agent "^Gigabot/2.0" good_bot
SetEnvIfNoCase user-agent "^Feedfetcher-Google;" good_bot
Order Allow,Deny
Allow from env=good_bot

Regards, Bob

Posted by Shazz, 09-08-2008, 02:30 PM
What is the best way of contacting Yahoo? What exactly do I tell them? I will try getting my host to put me back online to try this. Sounds too easy, copy-pasting over.

Posted by jseymour, 09-08-2008, 04:12 PM
Look at the information here: http://help.yahoo.com/l/us/yahoo/search/webcrawler/ There is a contact tab on that page.

Posted by Shazz, 09-08-2008, 07:07 PM
Bob this is not working

Posted by Shazz, 09-08-2008, 09:20 PM
Update... I have put

User-agent: Slurp
Crawl-delay: 1000

in my robots.txt file and inserted Bob's code in .htaccess. I'm still getting attacked; there is someone still DDoS'ing it. Last edited by Shazz; 09-08-2008 at 09:30 PM.

Posted by Dataworld, 09-09-2008, 09:37 AM
Adding Slurp to that will not help you. That code is allowing the listed user agents. You were also being attacked by normal user agents, that's why I said it would help with only 3/4 of your log. Could you post an updated log so I can see what is being blocked and what is not? Regards, Bob

Posted by Shazz, 09-09-2008, 05:03 PM
Host has kicked me off, I don't have access to logs anymore. I think the Yahoo crawlers are just spoofed somehow. Legit traffic of IPs are getting in; it seems he planted a trojan into people's computers, allowing him access to execute any command he wants, so he's got them in the background visiting 300 times a second.

Posted by Shazz, 09-09-2008, 05:16 PM
Thank you for writing to Yahoo! Search. I understand that you're experiencing heavy traffic from Slurp, the Yahoo! Search crawler, on your site. Slurp crawls billions of sites each day and this type of traffic occurs because we are continually working to improve our index freshness and comprehensiveness. If you are interested in reducing the crawl rate for your site, you can place a crawl-delay in your robots.txt file specifying the number of seconds each crawler should wait between each request. For additional assistance on this topic, please visit the following sites: http://help.yahoo.com/help/us/ysearc.../slurp-03.html http://www.ysearchblog.com/archives/000078.html Again, we are sorry for any inconveniences we may have caused. If you need any further assistance, please reply to this email for additional support. Thank you again for contacting Yahoo! Search. Regards, Yasmen Yahoo! Search Customer Care -- I've already put this in!!

Posted by Frontpage1, 09-09-2008, 06:14 PM
Most bizarre thread ever. Yahoo does not DDOS nor can people with a 'trojan' use Yahoo's IP address to attack you. If someone thinks they do, just firewall the IP or ban via .htaccess. Last edited by Frontpage1; 09-09-2008 at 06:18 PM.

Posted by Shazz, 09-10-2008, 12:34 AM
lol... A firewall or the 3 lines of code you just put out there will stop this massive attack? You ban the IP, it automatically renews.

Posted by QBert, 09-10-2008, 06:52 AM
Then ban the whole range. I had to ban the whole Asian IP range for a month before an attacker forgot about me.

Posted by Shazz, 09-10-2008, 09:22 AM
Ban the whole range? IPs that are banned automatically renew.

Posted by Frontpage1, 09-10-2008, 10:52 AM
Let me get this straight.. Yahoo is DDOS'ing you from IP's that 'automatically renew'?

Posted by Dataworld, 09-10-2008, 01:29 PM
like I had posted above: If you want to block yahoo slurp attacks... add: Deny from 74.6.0.0/16 but looking at your other log it showed attacks not related to yahoo slurp.. the yahoo slurp was maybe 1% of the log. Bob

Posted by TheITAdvisory, 09-10-2008, 02:38 PM
LOL - Hire a server security company and close this thread.

Posted by Shazz, 09-10-2008, 09:46 PM
That Yahoo crap is just a spoof. That didn't work. It also can't be simple to keep adding a few lines to stop this massive attack. I've already hired enough people who have failed. Would you like to suggest someone? You seem to think it's so simple.

Posted by mistwang, 09-11-2008, 07:38 PM
For this kind of attack, you need to find the right software/tools to do the following automatically:

1. Detect which IP is wasting your server resources, usually by evaluating the aggressiveness of an IP.
2. Slow the attacker down.
3. Block the attacker with the firewall automatically.

Some tools to look into: mod_security, csf, fail2ban, etc. Also, try to make your site run as fast as possible; do something like converting a dynamic page to a cached static page, etc.
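An added example, not code from mistwang, Dataworld or the thread, that does the first of those three steps offline over constructed access-log lines. It applies the same user-agent allowlist as the .htaccess snippet Bob posted earlier in the thread and adds a per-IP requests-per-second check, because the allowlist alone passes any client that sends a normal-looking user agent (which is why Bob said it would only cover about 3/4 of the log), and because Slurp gets through that allowlist too, since its user agent begins with "Mozilla/5.0 ". The output is a candidate block list that a tool like csf or fail2ban would act on; it is not those tools' code. The log lines, IP addresses, timestamps and the 10 requests/second threshold are constructed; the 74.6.0.0/16 range is the one given in the thread.

```python
"""Access-log triage: user-agent allowlist plus per-IP rate check.

Added example, not code from the thread. All log lines below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache and LiteSpeed:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Same anchored, case-insensitive prefixes as the SetEnvIfNoCase allowlist.
GOOD_UA_PREFIXES = (
    "Mozilla/5.0 ", "Mozilla/4.0 ", "Microsoft ", "Windows-", "NSPlayer/",
    "Opera/", "Gigabot/2.0", "Feedfetcher-Google;",
)
# Yahoo Slurp range named in the thread; counted separately because its
# user agent starts with "Mozilla/5.0 " and therefore passes the allowlist.
SLURP_NET = ipaddress.ip_network("74.6.0.0/16")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def ua_allowed(ua):
    """True when the user agent would receive the good_bot environment variable."""
    ua_l = ua.lower()
    return any(ua_l.startswith(p.lower()) for p in GOOD_UA_PREFIXES)


def classify(lines):
    """Per-IP counters: total hits, hits with a non-allowlisted UA,
    whether the IP is in the Slurp range, and the peak hits in any one second."""
    stats = {}
    per_second = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole run
        ip = rec["ip"]
        s = stats.setdefault(ip, {"hits": 0, "bad_ua": 0, "slurp": False, "peak_per_sec": 0})
        s["hits"] += 1
        if not ua_allowed(rec["ua"]):
            s["bad_ua"] += 1
        try:
            s["slurp"] = ipaddress.ip_address(ip) in SLURP_NET
        except ValueError:
            s["slurp"] = False  # HostnameLookups On writes names, not addresses
        per_second[ip][rec["ts"]] += 1
    for ip, buckets in per_second.items():
        stats[ip]["peak_per_sec"] = max(buckets.values())
    return stats


def block_candidates(stats, max_per_sec=10):
    """IPs to hand to the firewall: any with a non-allowlisted UA, or any
    exceeding max_per_sec hits in one second even with an allowlisted UA."""
    return sorted(ip for ip, s in stats.items()
                  if s["bad_ua"] > 0 or s["peak_per_sec"] > max_per_sec)


def _line(ip, ts, ua, path="/forum/index.php"):
    """Build one constructed combined-format line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5123 "-" "{ua}"'


# Constructed sample: a fake-UA flooder, a normal browser, one Slurp hit,
# and a flooder whose UA is on the allowlist.
SAMPLE_LOG = (
    [_line("203.0.113.5", "08/Sep/2008:10:51:00 -0500", "Mozilla/7.6 (compatible)")] * 3
    + [_line("198.51.100.7", f"08/Sep/2008:10:51:0{i} -0500",
             "Mozilla/5.0 (Windows; U; Windows NT 5.1)") for i in (0, 5)]
    + [_line("74.6.17.154", "08/Sep/2008:10:51:02 -0500",
             "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
             "/forum/showthread.php?t=1")]
    + [_line("192.0.2.9", "08/Sep/2008:10:51:03 -0500", "Opera/9.52 (Windows NT 5.1; U; en)")] * 12
)

if __name__ == "__main__":
    st = classify(SAMPLE_LOG)
    for ip, s in sorted(st.items()):
        print(ip, s)
    print("block:", block_candidates(st))
```

On the constructed sample the fake "Mozilla/7.6" client is caught by the allowlist, the Opera-labelled flooder is caught only by the rate check, and the Slurp hit passes both, which is the case the separate "Deny from 74.6.0.0/16" line in the thread exists for. The one-second bucket is the simplest rate measure; a real deployment would use a sliding window and whitelist its own monitoring and the search engines it actually wants.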

Posted by TheITAdvisory, 09-11-2008, 10:19 PM
Are you on your own dedicated server yet? If not, no one will be able to help you. If you are, I can make a suggestion.

Posted by octagon, 09-12-2008, 11:22 AM
Have you located a reason why this guy is bothering you?

Posted by brianoz, 09-16-2008, 08:05 AM
It's not necessarily simple, I don't think anyone means to imply that; but if you hire the right person I think they'd take care of it for you. In the security world, you really get what you pay for - if you don't pay much I'm not surprised you haven't got a solution. Rack911, Configserver, Platinum servers, linuxtech, all good and well known companies and individuals, and none are that expensive (in Western terms, sorry if you are elsewhere). Some of them may agree to host the domain on their server while they solve it for you, which would make it easiest for everyone. The comment above - have you worked out why this person is attacking you - is a good point; sometimes the simplest solution is the human engineering one. Try talking to them, apologizing/negotiating etc, it can't hurt, if it's possible to do it ... one way to avoid being DDOSed is not to be controversial! Just trying to help... Last edited by brianoz; 09-16-2008 at 08:08 AM.

Posted by aww, 09-18-2008, 08:22 AM
If the IPs keep changing the only easy way to deal with it are solutions like CSF and LiteSpeed (easy apache replacement). LiteSpeed's very smart about ddos and doesn't consume all ram and resources like apache during such attacks.
