Atomic Secure Linux
 Post subject: Attack HELP!
Posted: Mon Oct 27, 2014 12:06 pm
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 85
I am getting attacked (or so it seems) and I am not quite sure what to do about it. Apache seems to become overwhelmed and unresponsive. Then apachectl commands give output such as the following:
/usr/sbin/apachectl: line 102: 8550 Segmentation fault $HTTPD $OPTIONS -k $ARGV
I have to manually kill httpd to get it working again.
When this "attack" happens I see a spike in root activity. I also see a lot of root sshd processes in top using ~100m of memory, and a lot of rsync processes as well.
Not sure how to approach this. Any ideas?
Thanks.


 Post subject: Re: Attack HELP!
Posted: Mon Oct 27, 2014 12:33 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
What you describe may be terrible or may be benign. I'm not sure what to suggest really, but you have some experts on hand in the forum who will no doubt offer sensible advice.

You can often prevent Apache overload by reducing max_clients in httpd.conf - you may need far fewer than you might imagine.

Other than that, maybe try some of the following in case it helps you to get a handle on things:

Use netstat (e.g. netstat -apvnl) to see what IPs might be connecting to port 22 (ssh) and make a note of them (this is assuming there are connections, which from your post might be the case).

Close sshd port 22 to all but your own IPs to start with, just in case (note that depending on a few things, existing connections will not be stopped because they are not "state = new").

Check your ASL logs for the IP(s) in question to see if it helps you figure out where/how they got in.

Use clamdscan to scan first /var/www/vhosts then the whole system.

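Added example, not part of the original reply: one way to do the netstat step suggested above is to tally which remote addresses hold connections to local port 22. The function names `sample_netstat` and `ssh_peers` are made up here, and the sample input is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example: count remote peers connected to local sshd (port 22)
# from netstat-style TCP lines read on stdin.

# Constructed sample data (documentation address ranges), not from the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40000       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.50:44321      SYN_RECV
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 2001:db8::10:22         2001:db8::beef:50022    ESTABLISHED
tcp        0     36 192.0.2.10:22           198.51.100.7:51300      ESTABLISHED
EOF
}

# Print "count ip" for each remote address connected to local port $1
# (default 22), busiest first. Listening sockets and non-TCP lines are skipped.
ssh_peers() {
    awk -v port="${1:-22}" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lport = $4; sub(/.*:/, "", lport)   # keep text after the last colon
            if (lport != port) next
            ip = $5; sub(/:[^:]*$/, "", ip)     # drop the ":port" suffix (IPv4 and IPv6)
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone demo on the sample; on a live host: netstat -tn | ssh_peers
sample_netstat | ssh_peers
```

Addresses that appear here but are not your own are the ones to note before restricting port 22 and to search for in the ASL logs.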

