Server Attacked!!!

Discussion in 'General' started by alexillsley, Mar 18, 2007.

  1. alexillsley

    alexillsley ISPConfig Developer

    Hello,
    My server has been attacked by a load of sad assholes. They have started flooding my cache with crap; it got up to 180 MB in size and is still increasing. They also flooded the [email protected] email account with thousands of emails. So I have switched off my server for now, disrupting my service for everyone :mad:

    How can you flush/empty the cache? How can I remove the [email protected] email account?


    Have you got any idea how they are flooding my cache? Also, how can I block specific IPs from accessing my server?

    Please help,
    Alex
     
  2. falko

    falko Super Moderator ISPConfig Developer

    What cache are you referring to?

    I don't think this is a good idea as all the important system messages are sent to root.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you talking about the mail queue? Messages in the mail queue can be deleted and listed with the "postqueue" command.

    I'm pretty sure that these messages are not sent directly to [email protected], so you should check in the mail log to which accounts the emails were sent originally.
     
  4. alexillsley

    alexillsley ISPConfig Developer

    First, about the cache, I mean this:
    (screenshot attached to the original post; image not preserved)
     
  5. alexillsley

    alexillsley ISPConfig Developer

    Also, how can I ban their IP from making any requests to my server?
     
  6. bschultz

    bschultz Member

    If you know the IP address, add it to /etc/hosts.deny
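As an added illustration (not from the thread), the helper below records a TCP-wrappers deny entry for one address, validating the address first and never writing a duplicate line; the file path is a parameter so it can be exercised on a scratch copy before touching the real /etc/hosts.deny. One caveat a practitioner should know: hosts.deny is only consulted by daemons linked against libwrap (sshd of that era, services run under xinetd, and the like); Apache and Postfix do not read it, so an HTTP or SMTP flood from a known address is stopped at the packet filter (an iptables DROP rule for that source) rather than by this file.

```shell
#!/bin/sh
# Added example (not from the thread): record a TCP-wrappers deny entry for a
# single IPv4 address, validating it first and never adding a duplicate line.
# The file path is a parameter so the helpers can be tried on a scratch copy.

# Succeed only if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
    '
}

# Append "ALL: <ip>" to the hosts.deny-style file $1 unless an entry for that
# exact address is already there (10.0.0.1 must not be mistaken for 10.0.0.10).
deny_host() {
    file=$1
    ip=$2
    is_ipv4 "$ip" || { echo "deny_host: not an IPv4 address: $ip" >&2; return 1; }
    escaped=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if [ -f "$file" ] && grep -qE '^[[:space:]]*ALL:[[:space:]]*'"$escaped"'([[:space:]]|$)' "$file"; then
        return 0
    fi
    printf 'ALL: %s\n' "$ip" >> "$file"
}

# Print the addresses currently denied by file $1, one per line.
denied_hosts() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*ALL:[[:space:]]*\([0-9.]*\).*/\1/p' "$1"
}
```

Usage: `deny_host /etc/hosts.deny 192.0.2.10` (as root) adds the entry once; `denied_hosts /etc/hosts.deny` lists what the file already blocks.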
     
  7. alexillsley

    alexillsley ISPConfig Developer

    :) Thanks a lot, works very well. I put ntop on my server so I can see who is using lots of traffic if they try to DoS attack me.

    Any idea how to empty the cache shown in the picture above?
     
    Last edited: Mar 18, 2007
  8. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    top
    and
    Code:
    cat /proc/meminfo
    ?
     
  9. alexillsley

    alexillsley ISPConfig Developer

    Memory Info:
    Code:
    MemTotal:       515628 kB
    MemFree:         80540 kB
    Buffers:         26844 kB
    Cached:         216944 kB
    SwapCached:        672 kB
    Active:         300132 kB
    Inactive:       103272 kB
    HighTotal:           0 kB
    HighFree:            0 kB
    LowTotal:       515628 kB
    LowFree:         80540 kB
    SwapTotal:      513976 kB
    SwapFree:       512308 kB
    Dirty:             168 kB
    Writeback:           0 kB
    AnonPages:      159004 kB
    Mapped:          53604 kB
    Slab:            24732 kB
    PageTables:       2088 kB
    NFS_Unstable:        0 kB
    Bounce:              0 kB
    CommitLimit:    771788 kB
    Committed_AS:   558064 kB
    VmallocTotal:   507896 kB
    VmallocUsed:      5528 kB
    VmallocChunk:   501112 kB
    HugePages_Total:     0
    HugePages_Free:      0
    HugePages_Rsvd:      0
    Hugepagesize:     4096 kB
    Process Info:
    Code:
      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
        1 root      15   0   724  184  140 S    0  0.0   0:01.67 init
        2 root      RT   0     0    0    0 S    0  0.0   0:00.02 migration/0
        3 root      38  19     0    0    0 S    0  0.0   0:00.00 ksoftirqd/0
        4 root      RT   0     0    0    0 S    0  0.0   0:00.01 migration/1
        5 root      34  19     0    0    0 S    0  0.0   0:00.00 ksoftirqd/1
        6 root      10  -5     0    0    0 S    0  0.0   0:00.02 events/0
        7 root      10  -5     0    0    0 S    0  0.0   0:00.08 events/1
        8 root      10  -5     0    0    0 S    0  0.0   0:00.00 khelper
        9 root      10  -5     0    0    0 S    0  0.0   0:00.00 kthread
       13 root      12  -5     0    0    0 S    0  0.0   0:00.07 kblockd/0
       14 root      10  -5     0    0    0 S    0  0.0   0:00.04 kblockd/1
       15 root      14  -5     0    0    0 S    0  0.0   0:00.00 kacpid
       90 root      12  -5     0    0    0 S    0  0.0   0:00.00 cqueue/0
       91 root      13  -5     0    0    0 S    0  0.0   0:00.00 cqueue/1
       92 root      10  -5     0    0    0 S    0  0.0   0:00.01 kseriod
      130 root      17   0     0    0    0 S    0  0.0   0:00.00 pdflush
      131 root      15   0     0    0    0 S    0  0.0   0:00.13 pdflush
      132 root      10  -5     0    0    0 S    0  0.0   0:01.28 kswapd0
      133 root      12  -5     0    0    0 S    0  0.0   0:00.00 aio/0
      134 root      13  -5     0    0    0 S    0  0.0   0:00.00 aio/1
      381 root      11  -5     0    0    0 S    0  0.0   0:00.00 kpsmoused
      849 root      13  -5     0    0    0 S    0  0.0   0:00.00 md1_raid1
      855 root      12  -5     0    0    0 S    0  0.0   0:03.80 md2_raid1
      874 root      12  -5     0    0    0 S    0  0.0   0:01.01 kjournald
      930 root      12  -4  1832  452  336 S    0  0.1   0:00.44 udevd
     1537 root      10  -5     0    0    0 S    0  0.0   0:00.00 khpsbpkt
     1586 root      12  -5     0    0    0 S    0  0.0   0:00.02 kgameportd
     1594 root      10  -5     0    0    0 S    0  0.0   0:00.00 khubd
     1600 root      15   0     0    0    0 S    0  0.0   0:00.00 knodemgrd_0
     1606 root      10  -5     0    0    0 S    0  0.0   0:00.00 kedac
     1927 root      10  -5     0    0    0 S    0  0.0   0:00.00 md0_raid1
     1971 root      10  -5     0    0    0 S    0  0.0   0:00.00 kjournald
     1973 root      10  -5     0    0    0 S    0  0.0   0:02.30 kjournald
     2271 root      18   0  1596  364  280 S    0  0.1   0:00.03 irqbalance
     2285 root      16   0  1876  688  560 S    0  0.1   0:00.01 resmgrd
     2294 root      15   0  1724  540  336 S    0  0.1   0:00.00 klogd
     2309 root      15   0  2104  808  600 S    0  0.2   0:06.53 syslog-ng
    How can I get the mail service working again as well? Whenever I enable it I start getting spammed with insulting messages:
     
    Last edited: Apr 2, 2007
  10. falko

    falko Super Moderator ISPConfig Developer

    You didn't post the beginning of top's output which contains the details I was looking for (memory usage, etc.)...

    Check your mail queue with
    Code:
    postqueue -p
    to see if there are lots of spam mails in there. If so, you can delete the spam mails with the postqueue/postsuper commands.
     
  11. alexillsley

    alexillsley ISPConfig Developer

    Wooo, the postqueue is absolutely massive; it's been running for about 5 minutes and it's still going, listing the spam emails. All the emails are to one person. It appears that someone has been trying to flood someone's email inbox.

    Is there any way to clear all this email?

    Also, just for interest, is there any way to see how many emails are in the postqueue?
     
  12. vogelor

    vogelor ISPConfig Developer

    I am NOT 100% sure, but if you use Maildirs every mail is in the maildir of the "special" user.

    Every file is one mail.

    I tried to delete one file (for example with "mc") and this works fine. Deleting ALL files will delete all emails of this email address.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, use this command:

    Code:
    # Skip mailq's header line, pick the queue IDs of entries addressed to the recipient,
    # strip the '*' (active) / '!' (on hold) markers from the IDs, and hand them to postsuper.
    mailq | tail -n +2 | awk 'BEGIN { RS = "" }
    # $7=sender, $8=recipient1, $9=recipient2
    { if ($8 == "[email protected]")
    print $1 }
    ' | tr -d '*!' | postsuper -d -
    The above is just one command. Replace [email protected] with the email address of the recipient that is to receive the emails. Then copy all the lines above exactly as they are, at once (in one block!), into your PuTTY window and hit return.

    Yes, but at the end of the postqueue run :-(
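The following is an added example, not code from the thread, that wraps the same mailq/postsuper technique so it can be dry-run first, and also answers the "how many are queued" question asked two posts up without waiting for the full listing. The sample queue listing is constructed; the `DRY_RUN` variable is my own convention. It goes a little beyond till's one-liner: a deferred entry carries a "(reason)" line between sender and recipients, which shifts the awk fields, so every field after the sender is scanned instead of trusting `$8`.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around the mailq/postsuper clean-up
# above. They read mailq-formatted text from stdin so they can be checked against
# the constructed sample below before being pointed at the live queue.

# Constructed sample of `mailq` (= `postqueue -p`) output. A trailing '*' marks an
# active entry, '!' one on hold; a deferred entry carries a "(reason)" line between
# sender and recipients, which shifts the awk field numbers.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E*    1234 Tue Mar 18 10:00:00  sender@example.com
                                         victim@example.org

5F6A7B8C9D      987 Tue Mar 18 10:01:00  other@example.com
                                         someone@example.net

7E8F9A0B1C!     640 Tue Mar 18 10:02:00  spammer@example.com
(connect to mail.example.org[192.0.2.10]:25: Connection timed out)
                                         victim@example.org

-- 3 Kbytes in 3 Requests.'

# Print the queue ID of every entry addressed to $1 (case-insensitive exact match),
# with the '*' / '!' markers stripped so the IDs can go straight to postsuper.
queue_ids_for_recipient() {
    tail -n +2 | awk -v rcpt="$1" '
        BEGIN { RS = ""; rcpt = tolower(rcpt) }
        # $1 = queue ID, $2 = size, $3..$6 = arrival time, $7 = sender,
        # $8.. = recipients (and any reason line). Scan all of them rather than
        # trusting $8, so deferred entries are found too.
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ {
            for (i = 8; i <= NF; i++)
                if (tolower($i) == rcpt) { print $1; break }
        }
    ' | tr -d '*!'
}

# Count queued messages (the figure mailq itself only prints at the very end).
count_queued() {
    tail -n +2 | awk 'BEGIN { RS = "" }
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ { n++ }
        END { print n + 0 }'
}

# Delete everything queued for recipient $1. DRY_RUN=1 (the default, my convention)
# only lists the IDs; set DRY_RUN=0 to hand them to postsuper.
purge_recipient() {
    ids=$(mailq | queue_ids_for_recipient "$1")
    if [ -z "$ids" ]; then
        echo "no queued mail for $1"
        return 0
    fi
    printf '%s\n' "$ids"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        printf '%s\n' "$ids" | postsuper -d -
    fi
}
```

Usage on a live box: `mailq | count_queued` gives the count at once, `purge_recipient victim@example.org` lists what would be removed, and `DRY_RUN=0 purge_recipient victim@example.org` (as root) actually removes it.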
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    As long as the emails are displayed by the postqueue command, they are not delivered yet to a maildir.
     
  15. alexillsley

    alexillsley ISPConfig Developer

    Thanks, I'll try that.

    Just reached the end of the postqueue, it's very big! -> -- 31968 Kbytes in 104345 Requests.
     
  16. alexillsley

    alexillsley ISPConfig Developer

    :) :) Thank you ever so much again till, you have saved my server :) :)

    All the mail has been deleted and it is now running as normal. I know that they sent this mail through a PHP script in a loop. Their accounts have now been terminated. Is there any way to stop the PHP mail function working for certain users, so that next time, if there is someone I don't fully trust, I can remove their mail access?

    Thanks again, everyone, you have saved my server!
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    If I remember correctly, there is a setting in the php.ini that defines the functions which are not allowed when PHP safe mode is enabled. If you define this setting in the Apache directives field to override the default in the php.ini, you might be able to disallow the use of the mail function.
     
  18. vogelor

    vogelor ISPConfig Developer

    I am not really sure, but I don't think you must have safe_mode = on. This setting also works without safe mode. I think I remember that this is a REPLACEMENT for safe_mode = on (this and some other settings in combination).
     
  19. alexillsley

    alexillsley ISPConfig Developer

    Would this be in the vhosts file then? That seems to have the most Apache settings for the sites.
     
  20. vogelor

    vogelor ISPConfig Developer

    This depends on your installation.
    The "normal" place is the php.ini.
    If you override this in your vhosts, feel free to do it ;-)
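The setting the last few posts are circling is PHP's `disable_functions` directive: a comma-separated list in php.ini that is a system-level setting and works whether or not safe_mode is on. With mod_php the same directive can be set for one site by placing `php_admin_value disable_functions mail` inside that site's `<VirtualHost>` block, and a `php_admin_value` cannot be undone by the site owner from `.htaccess` or `ini_set()`. The shell helpers below are an added example, not from the thread, for auditing and editing that list in a php.ini; the file path is a parameter, and the sample ini contents in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check and edit the `disable_functions`
# list in a php.ini. The file path is a parameter so it can be tried on a copy.

# Succeed if function $2 is in the active disable_functions line of file $1.
# (The awk variable is called fn, not func, because gawk treats func as a keyword.)
php_function_disabled() {
    awk -v fn="$2" '
        /^[[:space:]]*disable_functions[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)          # keep only the value
            sub(/[[:space:]]*;.*$/, "", val) # drop a trailing ini comment
            gsub(/"/, "", val)               # the value may be quoted
            n = split(val, list, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", list[i])
                if (tolower(list[i]) == tolower(fn)) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Add function $2 to disable_functions in file $1, rewriting the directive as a
# clean comma-separated list; the directive is created if the file has none.
php_disable_function() {
    file=$1
    fn=$2
    php_function_disabled "$file" "$fn" && return 0
    if grep -qE '^[[:space:]]*disable_functions[[:space:]]*=' "$file"; then
        awk -v fn="$fn" '
            /^[[:space:]]*disable_functions[[:space:]]*=/ && !done {
                val = $0
                sub(/^[^=]*=/, "", val)
                sub(/[[:space:]]*;.*$/, "", val)
                gsub(/"/, "", val)
                n = split(val, list, ",")
                out = ""
                for (i = 1; i <= n; i++) {
                    gsub(/^[[:space:]]+|[[:space:]]+$/, "", list[i])
                    if (list[i] != "") out = (out == "" ? list[i] : out "," list[i])
                }
                $0 = "disable_functions = " (out == "" ? fn : out "," fn)
                done = 1
            }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'disable_functions = %s\n' "$fn" >> "$file"
    fi
}
```

Usage: `php_function_disabled /etc/php.ini mail && echo disabled` audits the current file; `php_disable_function /etc/php.ini mail` (as root, followed by an Apache reload) adds `mail` to the list without disturbing entries that are already there. Only the first active `disable_functions` line is edited, so an ini with several such lines should be cleaned up by hand first.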
     