Hack attempt from the server ip itself
Posted by DAWN1404, 09-30-2012, 02:28 AM
Hello,
We had a DDoS attack on the server and I've blocked it with mod_evasive and the CSF firewall. But this time the attacker comes from the server IP itself, so the firewall is not able to block it.
and x.x.x.x is the server IP itself. The attacker just reads 4 image files continuously.
What kind of attack is this, and how can I stop it?
Posted by Larry, 09-30-2012, 08:41 AM
It's probably not a DDoS attack since it's coming from the server itself. A DDoS attack typically involves multiple IPs. Run the following command from SSH and paste the results here.
netstat -anpl | grep ':80' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
There's not enough information to give an accurate answer here.
Posted by DAWN1404, 09-30-2012, 09:28 AM
Hello,
Thank you for your answer
The result for netstat -anpl | grep ':80' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort is:
x.x.x.x is my server IP!
The server is working but the load is high, and today it went down two times.
Last edited by DAWN1404; 09-30-2012 at 09:32 AM.
Posted by pmabraham, 09-30-2012, 09:49 AM
Good day:
Are the images on the server itself?
If yes, are they for a specific site?
If yes, do the site's logs (transfer / access and error) reveal more information?
If yes for a specific site, then is the site's software completely up to date? Does the site have a .htaccess file to help ward off common attacks?
If not for a specific site, have you reviewed the server access and error logs for more information?
Is the server secured (hardened)? Since hardening is not a one time project, when was the last time security was updated?
Thank you.
Posted by DAWN1404, 09-30-2012, 10:01 AM
Hello,
Yes, the images are on the server itself, on a specific site, and the one strange thing I see in the error logs and domlogs is continuous, constant image loads with no referrer, coming from the server IP itself. How can I find out how the server is reading them?
That specific site is a WordPress site and is upgraded to the last stable version.
About .htaccess against attacks, I don't know what you mean?
The server is protected and checked continuously, and mod_evasive, mod_security, CSF and ClamAV are installed and active on it.
Is there any way for me to understand what is loading these 4 images?
Thank you
Posted by pmabraham, 09-30-2012, 10:09 AM
Good day:
See http://codex.wordpress.org/Hardening_WordPress and http://codex.wordpress.org/Changing_File_Permissions
I would check the site in question for back doors and hacks.
You may also want to put the site URL on http://sitecheck.sucuri.net/scanner/ to see if Sucuri's scanner finds anything.
You could run lsof -p against the process id for httpd (apache) you hunt down via "ps -efl" and "netstat -anpe" to find out more about what's going on site wide.
"The server is protected and checked continiously and mod_evasive,mod_security,csf,clamAV is installed and active on it."
Protected and hardened are not necessarily the same. Keeping security up to date requires a security administrator to keep the security up to date.
Typically the security admin would track down an issue such as the one you are facing.
Thank you.
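As an added example (not part of the thread and not the poster's output), the checks Larry and pmabraham describe, worked on constructed sample data so it runs offline: the per-client connection count behind Larry's netstat pipeline, the outbound side of those same connections (which is what names the local PID fetching from the server's own IP), and the access-log filter for no-referrer requests from that IP that pmabraham's log questions lead to. The address 203.0.113.10 stands in for the thread's x.x.x.x; the netstat and access-log lines are constructed samples.

```shell
#!/bin/sh
# Added example: the connection and log checks from the thread, run on
# constructed sample data. 203.0.113.10 stands in for the thread's x.x.x.x.
SERVER_IP="203.0.113.10"

# Constructed sample of `netstat -tnp` output (Linux, run as root so the
# PID/Program column is filled). Each self-request appears twice: once as
# the httpd side (local :80) and once as the client side (foreign :80);
# the client side is what names the process making the requests.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 2211/httpd
tcp        0      0 203.0.113.10:80         203.0.113.10:40001      ESTABLISHED 2212/httpd
tcp        0      0 203.0.113.10:40001      203.0.113.10:80         ESTABLISHED 3377/php
tcp        0      0 203.0.113.10:80         203.0.113.10:40002      ESTABLISHED 2213/httpd
tcp        0      0 203.0.113.10:40002      203.0.113.10:80         ESTABLISHED 3377/php
tcp        0      0 203.0.113.10:80         192.0.2.44:60123        ESTABLISHED 2214/httpd'

# Constructed Apache "combined" access-log lines for the affected site.
SAMPLE_LOG='203.0.113.10 - - [30/Sep/2012:02:10:01 +0000] "GET /wp-content/uploads/img1.jpg HTTP/1.1" 200 51234 "-" "-"
203.0.113.10 - - [30/Sep/2012:02:10:01 +0000] "GET /wp-content/uploads/img2.jpg HTTP/1.1" 200 48811 "-" "-"
198.51.100.7 - - [30/Sep/2012:02:10:02 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Sep/2012:02:10:02 +0000] "GET /wp-content/uploads/img1.jpg HTTP/1.1" 200 51234 "-" "-"
192.0.2.44 - - [30/Sep/2012:02:10:03 +0000] "GET /wp-content/uploads/img1.jpg HTTP/1.1" 200 51234 "http://example.com/" "Mozilla/5.0"'

# Larry's check: connections per client IP on port 80, counting only the
# server side (local address ending in :80) so loopback requests are not
# double counted. Output: "<count> <ip>", busiest first.
count_clients() {
  printf '%s\n' "$SAMPLE_NETSTAT" \
    | awk '$4 ~ /:80$/ { split($5, a, ":"); print a[1] }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# The missing step: the client side of connections whose destination is
# the server's own :80. The PID/Program column is the local process doing
# the fetching (here a php process, not an external attacker).
local_clients() {
  printf '%s\n' "$SAMPLE_NETSTAT" \
    | awk -v ip="$SERVER_IP" '$5 == ip ":80" { print $7 }' \
    | sort | uniq -c | awk '{ print $1, $2 }'
}

# The log check: requests from the server's own IP with no referrer,
# counted per path. Splitting on the double quote puts the request line
# in $2 and the referrer in $4 of the combined format.
noreferer_hits() {
  printf '%s\n' "$SAMPLE_LOG" \
    | awk -F'"' -v ip="$SERVER_IP" '
        { split($1, a, " ") }                  # a[1] is the client IP
        a[1] == ip && $4 == "-" { split($2, r, " "); print r[2] }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

echo "== connections per client IP on :80"; count_clients
echo "== local processes connecting to ${SERVER_IP}:80"; local_clients
echo "== no-referrer requests from ${SERVER_IP}, per path"; noreferer_hits

# On the live server the same pipelines read from the real commands, and
# the PID found by local_clients is then inspected with the tools
# pmabraham names, e.g.:
#   netstat -tnp | awk -v ip="$SERVER_IP" '$5 == ip ":80" { print $7 }' | sort | uniq -c
#   ps -o pid,ppid,user,args -p <pid>
#   lsof -p <pid>
```

Two caveats relative to the one-liner in the thread: `grep ':80'` matches both ends of a loopback connection (and any port such as :8080), so a server talking to itself is counted once as the client and once as the server; and without root, `netstat -p` shows `-` instead of the PID, which is exactly the column that answers "what is loading these 4 images".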
Posted by DAWN1404, 09-30-2012, 10:21 AM
Thank you very much for your help.