Server attack help

horse[USA]
Forum User
Posts: 17
Joined: Fri Dec 03, 2004 6:09 pm


This morning I went to check my site and had a MySQL error of too many connections. I SSHed into it and the server was at 70 load, so I shut it down. This happened once before, and from the logs it looks like an attack on phpBB, which I have had patched. Is there any way to avoid this attack, which shuts the server down, but no data is lost or pages changed?
The highlight exploit is what is used.

The site goes down due to so many connections; there are lots and lots and lots of IPs connecting with the same request.
Any help to keep this from happening again would be great.
thanks
david
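One way to confirm from the web server's access log the pattern described in the post above (many different IPs sending the same request), as an added example that is not part of the original thread. It assumes Apache common/combined log format; the sample log lines, IP addresses and the /phpBB2/ path are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined line: client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def request_key(target):
    """Collapse a request target to path + sorted parameter names, so the same
    request sent with different values (topic ids, payloads) groups together."""
    parts = urlsplit(target)
    names = sorted({k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return parts.path.lower() + "?" + "&".join(names)

def flood_candidates(lines, min_ips=3):
    """Return [(request_key, distinct_ips, hits)] for requests made by at
    least min_ips different clients, most widely spread first."""
    ips, hits = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        ip, _method, target, _status = m.groups()
        key = request_key(target)
        ips[key].add(ip)
        hits[key] += 1
    rows = [(k, len(v), hits[k]) for k, v in ips.items() if len(v) >= min_ips]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

# Constructed sample lines (documentation IP ranges, placeholder parameter value).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2005:06:01:02 -0500] "GET /phpBB2/viewtopic.php?t=12&highlight=PLACEHOLDER HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2005:06:01:02 -0500] "GET /phpBB2/viewtopic.php?t=845&highlight=PLACEHOLDER HTTP/1.0" 200 512',
    '203.0.113.99 - - [01/Jan/2005:06:01:03 -0500] "GET /phpBB2/viewtopic.php?highlight=PLACEHOLDER&t=3 HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jan/2005:06:01:04 -0500] "GET /phpBB2/viewtopic.php?t=77&highlight=PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.55 - - [01/Jan/2005:06:01:05 -0500] "GET /index.php HTTP/1.1" 200 1024',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for key, n_ips, n_hits in flood_candidates(SAMPLE):
        print(f"{n_ips:5d} IPs {n_hits:6d} hits  {key}")
```

Run against the real access log (for example `flood_candidates(open(path))` with a higher `min_ips`), the top rows show which request shape is being repeated across clients and how widely it is spread.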
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

That's something I've seen on other servers before; unfortunately, in their case that was because they were the source of the attack. I'd definitely grab one of the rootkit detection tools to make sure your system hasn't been compromised:

www.chkrootkit.org is a good one

Long term, we're working on adding mod_security to the Security archive soon, which should be able to detect and stop attacks like this. Grsec would also go a long way toward preventing this type of attack.
horse[USA]
Forum User
Posts: 17
Joined: Fri Dec 03, 2004 6:09 pm


Did a chkroot and rootkit check.
Here is the chkrootkit log:
http://beta.ww2aircraft.net/chkrootkit.log
It reports a possible LKM trojan.
./chkrootkit -x lkm command result:
http://beta.ww2aircraft.net/chkrootlkm.log
And rootkit reports no LKM:
http://beta.ww2aircraft.net/rkhunter.log

Your help would be great, and I will sign up for your security package, but I don't want to install onto a compromised system.
Thanks