Hacker attack makes website offline

ejxt

New Member
#1
Hello!

Suddenly my website was offline, but there was not a DDoS attack or anything; bandwidth and connection were fine. Tried to restart, didn't help... couldn't access the admin port either. So I took a look at error.log and found this:


Code:
2011-07-29 17:16:19.469 [INFO] [82.177.103.30:58427-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.htm]
2011-07-29 17:16:19.470 [INFO] [82.177.103.30:58428-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.html]
2011-07-29 17:16:19.470 [INFO] [82.177.103.30:58429-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login/]
2011-07-29 17:16:19.659 [INFO] [82.177.103.30:58430-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.php]
2011-07-29 17:16:19.660 [INFO] [82.177.103.30:58431-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.asp]
2011-07-29 17:16:19.661 [INFO] [82.177.103.30:58432-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adm/]
2011-07-29 17:16:19.661 [INFO] [82.177.103.30:58434-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/account.html]
2011-07-29 17:16:19.661 [INFO] [82.177.103.30:58433-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/]
2011-07-29 17:16:19.799 [INFO] [82.177.103.30:58436-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/login.html]
2011-07-29 17:16:19.800 [INFO] [82.177.103.30:58435-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/login.htm]
2011-07-29 17:16:19.800 [INFO] [82.177.103.30:58437-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/home.php]
2011-07-29 17:16:19.800 [INFO] [82.177.103.30:58438-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/home.asp]
2011-07-29 17:16:19.800 [INFO] [82.177.103.30:58439-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/controlpanel.html]
2011-07-29 17:16:19.905 [INFO] [82.177.103.30:58440-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/controlpanel.htm]
2011-07-29 17:16:19.905 [INFO] [82.177.103.30:58441-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/cp.php]
2011-07-29 17:16:19.908 [INFO] [82.177.103.30:58442-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/cp.asp]
2011-07-29 17:16:19.908 [INFO] [82.177.103.30:58443-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/adminLogin.html]
2011-07-29 17:16:22.912 [INFO] [82.177.103.30:58444-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/adminLogin.htm]
2011-07-29 17:16:23.003 [INFO] [82.177.103.30:58445-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin_login.php]
2011-07-29 17:16:23.003 [INFO] [82.177.103.30:58446-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin_login.asp]
2011-07-29 17:16:23.010 [INFO] [82.177.103.30:58449-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/controlpanel.php]
2011-07-29 17:16:23.019 [INFO] [82.177.103.30:58448-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/controlpanel.asp]
2011-07-29 17:16:23.019 [INFO] [82.177.103.30:58447-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin-login.php]
2011-07-29 17:16:23.123 [INFO] [82.177.103.30:58450-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin-login.asp]
2011-07-29 17:16:23.123 [INFO] [82.177.103.30:58451-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin-login.php]
2011-07-29 17:16:23.123 [INFO] [82.177.103.30:58453-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin-login.asp]
2011-07-29 17:16:23.273 [INFO] [82.177.103.30:58457-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/account.php]
2011-07-29 17:16:26.097 [INFO] [82.177.103.30:58452-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/account.asp]
2011-07-29 17:16:26.117 [INFO] [82.177.103.30:58454-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin.php]
2011-07-29 17:16:26.174 [INFO] [82.177.103.30:58459-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin.asp]
2011-07-29 17:16:26.227 [INFO] [82.177.103.30:58460-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin.htm]
2011-07-29 17:16:26.233 [INFO] [82.177.103.30:58455-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin.html]
2011-07-29 17:16:26.233 [INFO] [82.177.103.30:58456-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adminitem/]
2011-07-29 17:16:26.286 [INFO] [82.177.103.30:58461-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adminitem.php]
2011-07-29 17:16:26.307 [INFO] [82.177.103.30:58462-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adminitem.asp]
2011-07-29 17:16:26.327 [INFO] [82.177.103.30:58463-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adminitems/]
2011-07-29 17:16:26.353 [INFO] [82.177.103.30:58464-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adminitems.php]
2011-07-29 17:16:26.374 [INFO] [82.177.103.30:58458-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adminitems.asp]
2011-07-29 17:16:26.402 [INFO] [82.177.103.30:58465-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administrator/]
2011-07-29 17:16:26.421 [INFO] [82.177.103.30:58466-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administrator/login.php]
2011-07-29 17:16:26.428 [INFO] [82.177.103.30:58467-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administrator/login.asp]
2011-07-29 17:16:26.446 [INFO] [82.177.103.30:58468-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administrator.php]
2011-07-29 17:16:26.550 [INFO] [82.177.103.30:58469-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administrator.asp]
2011-07-29 17:16:26.550 [INFO] [82.177.103.30:58470-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administration/]
2011-07-29 17:16:26.553 [INFO] [82.177.103.30:58471-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administration.php]
2011-07-29 17:16:26.602 [INFO] [82.177.103.30:58472-0#Example] File not found [/usr/local/lsws/DEFAULT/html/administration.asp]
2011-07-29 17:16:29.577 [INFO] [82.177.103.30:58473-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adminLogin/]
2011-07-29 17:17:25.339 [INFO] [82.177.103.30:58861-0] Status 400: '../' in URL: /..stem/..che/........................................................................../..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/..!
It also looks like this in error.log:
Code:
2011-07-29 17:28:15.504 [NOTICE] [83.227.71.165:50221-0#Example] Content len: 0, Request line: 'GET / HTTP/1.1'
2011-07-29 17:28:15.504 [INFO] [83.227.71.165:50221-0#Example] Cookie len: 131, mstnc=1; phpbb3_ewxo1_k=; PHPSESSID=g3s4u9qhv810uh5o2rn16bd1p2; phpbb3_ewxo1_u=1; phpbb3_ewxo1_sid=612f9be13f6aa9b69a8e99337baacf2c
2011-07-29 17:28:15.504 [INFO] [83.227.71.165:50221-0#Example] HttpExtConnector state: 8, request body sent: 0, response body size: 0, response body sent:0, left in buffer: 0, attempts: 0.
2011-07-29 17:29:06.486 [INFO] [119.63.196.85:62615-0#Example] Connection idle time: 31 while in state: 5 watching for event: 25,close!
2011-07-29 17:29:06.486 [NOTICE] [119.63.196.85:62615-0#Example] Content len: 0, Request line: 'GET /index.php/character/view/ HTTP/1.1'
2011-07-29 17:29:06.486 [INFO] [119.63.196.85:62615-0#Example] Cookie len: 37, PHPSESSID=n4lqfcijqvl02saq9pkcl4pga2;
2011-07-29 17:29:06.486 [INFO] [119.63.196.85:62615-0#Example] HttpExtConnector state: 8, request body sent: 0, response body size: 0, response body sent:0, left in buffer: 0, attempts: 0.
2011-07-29 17:29:44.022 [INFO] [66.249.72.14:57559-0#Example] Connection idle time: 31 while in state: 5 watching for event: 25,close!
2011-07-29 17:29:44.022 [NOTICE] [66.249.72.14:57559-0#Example] Content len: 0, Request line: 'GET /index.php/character/view/Arthas HTTP/1.1'
2011-07-29 17:29:44.028 [INFO] [66.249.72.14:57559-0#Example] HttpExtConnector state: 8, request body sent: 0, response body size: 0, response body sent:0, left in buffer: 0, attempts: 0.
These are just a few of the maaany lines that were being spat out there each second. I guess this is the reason why I can't reach my website.

Any ideas how I can block such attacks?

Thanks in advance!
 
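The pattern in that log is easy to pick out by hand (dozens of "File not found" hits for admin-style paths from one IP within a few seconds, then a request with '../' rejected with status 400), and it can be picked out automatically as well. The following Python script is an added example, not code from the original post or from LiteSpeed: it parses lines in the error.log format quoted above, counts 404 probes per IP in a sliding window, flags '../' requests, and lists IPs worth blocking (for instance with `csf -d <ip>`). The burst threshold and window length are our own choices, and the sample lines are constructed from the ones quoted above, with one shortened '../' line and one unrelated line from another client.

```python
"""Pick out admin-path scanning and '../' probes from LiteSpeed-style error.log lines.

Added example for this thread; not the poster's code and not LiteSpeed's code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Document root seen in the quoted log; stripped so the report shows URL paths.
DOCROOT = "/usr/local/lsws/DEFAULT/html"
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Line shape from the thread: "<date> <time> [LEVEL] [<ip>:<port>-<n>#<vhost>] <message>";
# the "#<vhost>" suffix is absent on some lines (for example the Status 400 one).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\[(?P<level>\w+)\] "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+-\d+(?:#(?P<vhost>[^\]]+))?\] "
    r"(?P<msg>.*)$"
)
NOT_FOUND_RE = re.compile(r"^File not found \[(?P<path>[^\]]+)\]$")
TRAVERSAL_RE = re.compile(r"^Status 400: '\.\./' in URL: ")


def parse_line(line):
    """Split one error.log line into fields; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyse(lines, window=timedelta(seconds=10), burst_threshold=10):
    """Per-IP summary of 404 probes and '../' attempts.

    An IP is marked 'burst' once it produces `burst_threshold` 'File not found'
    entries inside any `window`-long sliding window (both values are our own choice).
    """
    report = defaultdict(lambda: {"not_found": 0, "traversal": 0, "burst": False, "paths": []})
    recent = defaultdict(deque)  # ip -> timestamps of 404s still inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, msg = rec["ip"], rec["ts"], rec["msg"]
        nf = NOT_FOUND_RE.match(msg)
        if nf:
            path = nf.group("path")
            if path.startswith(DOCROOT):
                path = path[len(DOCROOT):]
            entry = report[ip]
            entry["not_found"] += 1
            entry["paths"].append(path)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop timestamps that fell out of the window
                q.popleft()
            if len(q) >= burst_threshold:
                entry["burst"] = True
        elif TRAVERSAL_RE.match(msg):
            report[ip]["traversal"] += 1
    return dict(report)


def block_candidates(report):
    """IPs that either burst-scanned for files or sent a '../' request."""
    return sorted(ip for ip, e in report.items() if e["burst"] or e["traversal"] > 0)


# Constructed sample: a subset of the lines quoted in the thread (same IP, paths and
# timestamps), one shortened '../' line, and one unrelated line from another client.
SAMPLE_LOG = [
    "2011-07-29 17:16:19.469 [INFO] [82.177.103.30:58427-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.htm]",
    "2011-07-29 17:16:19.470 [INFO] [82.177.103.30:58428-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.html]",
    "2011-07-29 17:16:19.470 [INFO] [82.177.103.30:58429-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login/]",
    "2011-07-29 17:16:19.659 [INFO] [82.177.103.30:58430-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.php]",
    "2011-07-29 17:16:19.660 [INFO] [82.177.103.30:58431-0#Example] File not found [/usr/local/lsws/DEFAULT/html/login.asp]",
    "2011-07-29 17:16:19.661 [INFO] [82.177.103.30:58432-0#Example] File not found [/usr/local/lsws/DEFAULT/html/adm/]",
    "2011-07-29 17:16:19.661 [INFO] [82.177.103.30:58433-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/]",
    "2011-07-29 17:16:19.799 [INFO] [82.177.103.30:58436-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/login.html]",
    "2011-07-29 17:16:23.003 [INFO] [82.177.103.30:58445-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin_login.php]",
    "2011-07-29 17:16:26.097 [INFO] [82.177.103.30:58452-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/account.asp]",
    "2011-07-29 17:16:26.117 [INFO] [82.177.103.30:58454-0#Example] File not found [/usr/local/lsws/DEFAULT/html/admin/admin.php]",
    "2011-07-29 17:17:25.339 [INFO] [82.177.103.30:58861-0] Status 400: '../' in URL: /..stem/..che/../../../AAAA/..!",
    "2011-07-29 17:29:44.022 [INFO] [66.249.72.14:57559-0#Example] Connection idle time: 31 while in state: 5 watching for event: 25,close!",
]

if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for ip in block_candidates(rep):
        e = rep[ip]
        print(f"{ip}: {e['not_found']} x 404, {e['traversal']} x '../', burst={e['burst']}")
```

Run against a real error.log with `analyse(open("error.log"))`; the 404 counter only fires on the "File not found" message, so a single mistyped URL from a normal visitor never reaches the burst threshold, while a scanner walking a wordlist of admin paths trips it within its first second.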

ejxt

New Member
#3
Thanks for your reply,

I blocked 82.177.103.30 in CSF at the time I saw this, but it didn't help... it ended about 5 minutes after I blocked it though, but I don't know if that was thanks to CSF or because he stopped.

Anyways, I checked the link you gave me and these are the configurations I have (and had during the attack):
TUNING:
Connection Timeout (secs): 30
Keep-Alive Timeout (secs): 4
Max Keep-Alive Requests: 100
Max Request URL Length (bytes): 2048
Max Request Header Size (bytes): 4098
Max Request Body Size (bytes): 100M
Max Dynamic Response Header Size (bytes): 4K
Max Dynamic Response Body Size (bytes): 100M

SECURITY:
Static Requests/second: 20
Dynamic Requests/second: 3
Outbound Bandwidth (bytes/sec): 2000K
Inbound Bandwidth (bytes/sec): 2000K
Connection Soft Limit: 7
Connection Hard Limit: 30
Grace Period (sec): 15
Banned Period (sec): 60

This is my website: w ww. z a nt e r a . n e t (without spaces ofc). It's a quite "normal" site that doesn't make very many heavy queries or so, just showing information collected from a MySQL database mostly, and writing some as well.

Can anyone see any improvements I can make in my configurations?

Thanks in advance!
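The four connection settings in that SECURITY block interact, and it helps to see what they do to a burst like the one in the first post compared with a normal visitor. The following Python model is an added example, not LiteSpeed's code and not from the thread: it implements one reading of Connection Soft Limit, Connection Hard Limit, Grace Period and Banned Period (concurrent connections per IP; exceeding the soft limit is tolerated for the grace period; hitting the hard limit, or still being over the soft limit when the grace period runs out, bans the IP for the banned period). The defaults are the poster's values; the client addresses and the assumption that a ban also drops the client's open connections are ours.

```python
"""Simplified model of per-client connection limits with a grace period and a ban.

Added example for this thread: our own reading of what the four connection settings
do, not LiteSpeed's code, so treat the exact edge behaviour as an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ClientState:
    active: int = 0                          # open connections from this IP right now
    over_soft_since: Optional[float] = None  # when the client first exceeded the soft limit
    banned_until: float = 0.0                # ban expiry, in seconds on the model's clock


class ConnectionLimiter:
    # Defaults are the poster's SECURITY settings from the thread.
    def __init__(self, soft_limit=7, hard_limit=30, grace_period=15, banned_period=60):
        self.soft, self.hard = soft_limit, hard_limit
        self.grace, self.ban = grace_period, banned_period
        self.clients: Dict[str, ClientState] = {}

    def _ban(self, st, now):
        # Assumption: a ban drops the client's open connections as well.
        st.banned_until = now + self.ban
        st.active = 0
        st.over_soft_since = None
        return "banned"

    def open_conn(self, ip, now):
        """Attempt a new connection at time `now`; returns 'accept', 'grace' or 'banned'."""
        st = self.clients.setdefault(ip, ClientState())
        if now < st.banned_until:
            return "banned"
        if st.active + 1 >= self.hard:          # hard limit: immediate ban
            return self._ban(st, now)
        if st.active + 1 > self.soft:           # over the soft limit: tolerated during grace
            if st.over_soft_since is None:
                st.over_soft_since = now
            elif now - st.over_soft_since > self.grace:
                return self._ban(st, now)
            st.active += 1
            return "grace"
        st.active += 1
        return "accept"

    def close_conn(self, ip):
        """A connection from `ip` closed; back under the soft limit clears the grace clock."""
        st = self.clients[ip]
        st.active = max(0, st.active - 1)
        if st.active <= self.soft:
            st.over_soft_since = None


def burst_scanner(n=40):
    """A scanner opening n connections at once, like the 82.177.103.30 burst in the log."""
    lim = ConnectionLimiter()
    return [lim.open_conn("82.177.103.30", now=0.0) for _ in range(n)]


def slow_abuser():
    """Eight connections held open past the grace period, then one more (constructed client)."""
    lim = ConnectionLimiter()
    first = [lim.open_conn("10.0.0.2", now=0.0) for _ in range(8)]  # 7 accept, 1 grace
    later = lim.open_conn("10.0.0.2", now=20.0)                      # 20 s > 15 s grace
    return first, later


def normal_visitor():
    """A browser holding a few keep-alive connections stays under the soft limit (constructed client)."""
    lim = ConnectionLimiter()
    return [lim.open_conn("10.0.0.3", now=0.0) for _ in range(4)]


if __name__ == "__main__":
    r = burst_scanner()
    print("scanner:", r.count("accept"), "accepted,", r.count("grace"), "in grace,", r.count("banned"), "banned")
    print("slow abuser:", slow_abuser()[1])
    print("normal visitor:", set(normal_visitor()))
```

With the poster's values the scanner gets 7 connections accepted, 22 more tolerated during the grace period, and is banned on the 30th; it then stays blocked for 60 seconds. The point for tuning is that the soft limit of 7 already exceeds what a normal browser opens, so lowering the hard limit or the grace period shortens how long a single client can keep a burst going before the ban takes over, without touching legitimate traffic.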
 