Help my server is doing a DoS on google

Tim Writer tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org
Sat Feb 11 00:02:28 UTC 2006


Neil Watson <tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> writes:

> On Fri, Feb 10, 2006 at 05:59:11PM -0500, Robert F. Kennedy wrote:
> >My RH9 updated (now) server running Apache, Postfix, Mailman (older
> >version), Mambo(older version) (PHP & MySQL), and DNS is sending out hits to
> >www.google.com at a crazy rate. When I do a Top command there are many Perl
> >processes running under user Apache. I've been notified by a group that
> >reports abuse that it is an irc bot let in through a file called xx.txt.
> >I've been searching for solutions to this problem but so far all I've gotten
> >is that I must update Mambo. I'll do that but is there any other way in the
> >meantime to kill the source of these DOS attacks coming from my server?
> 
> First, unplug it from the network.  If your server has been compromised
> the only safe procedure is to format the drive and reinstall the OS.

I'd like to second this. The other solutions suggested in this thread should
be considered as very short-term (i.e. hours, not days) stopgap
measures. When you reinstall, you should take steps to harden your server --
don't just reinstall what you had before -- and keep it up to
date. Otherwise, you'll be right back where you started from.

-- 
tim writer <tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org>                                  starnix inc.
647.722.5301                                      toronto, ontario, canada
http://www.starnix.com              professional linux services & products
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml