达到Max APache连接 - 我被黑了吗?

时间:2013-08-13 17:20:11

标签: php apache

今天我的服务器上发生了一些非常奇怪的活动。我正在使用Max Apache连接,但找不到任何可能导致它的东西(我不认为我受到DOS攻击或其他任何事情)。

我检查了我的Apache日志,发现了一些奇怪的东西。

首先:

[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] --2013-08-13 09:41:13--  http://heatinasnap.net/gs.txt, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] 2013-08-13 09:41:13 ERROR 404: Not Found., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] , referer: http://example.net/forum/index.php

[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] --2013-08-13 09:41:31--  http://heatinasnap.net/gs.txt, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] 2013-08-13 09:41:31 ERROR 404: Not Found., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] , referer: http://example.net/members

[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] --2013-08-13 09:41:33--  http://heatinasnap.net/gs.txt, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] 2013-08-13 09:41:33 ERROR 404: Not Found., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] , referer: http://example.net/forum/viewtopic.php?f=9&t=674

我不知道什么是heatinasnap.net(从未听说过)。

第二,某种漏洞扫描程序:

[Tue Aug 13 09:41:40 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.mysite.net"] [uri "/"] [unique_id "UgpFpK339QIAAFT1Y2MAAAAC"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "mysite.net"] [uri "/406.shtml"] [unique_id "UgpFpa339QIAAGfpU5MAAAUD"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] File does not exist: /home/hellohel/public_html/406.shtm

这是我目前的apache状态:

CPU Usage: u147.51 s128.44 cu2247.28 cs0 - 146% CPU load
147 requests/sec - 2.3 MB/second - 16.4 kB/request
512 requests currently being processed, 0 idle workers

我没有看到Apache中的任何MaxClient错误。肯定有一些奇怪的事情......任何人都可以提供一些见解吗?

更新

apache命中max-clients的原因结果是一个slowloris DOS攻击,用apache Mod_Antiloris修复了。在这里安装说明:

http://www.hostingdiscussion.com/hardware-server-configuration/27399-installing-mod_antiloris-mitigate-slowloris-dos-attack.html

UPDATE2: 

I am not sure if it was luck or not, but the slowloris thing just solved it for a few minutes. It went back to 512 (max) connections shortly after. I am seeing some very high CPU load on simple scripts so I am wondering if it has something to do with handling large log files. One is just a css file taking up `24.66 CPU`. Check out just a few processes:

Srv PID Acc M   CPU SS  Req Conn    Child   Slot    Client  VHost   Request
0-0 31154   0/45/45 R   23.85   3   1   0.0 0.47    0.47    ?   ?   ..reading..
0-0 31154   0/36/36 _   24.66   0   1   0.0 0.43    0.43    81.152.251.175  mysite.net  GET /css/dwn.css HTTP/1.1
0-0 31154   0/33/33 R   23.92   2   179 0.0 0.69    0.69    ?   ?   ..reading..
0-0 31154   0/1/1   W   0.07    119 0   0.0 0.00    0.00    117.102.163.190 mysite.net  POST /includes/offers/ajax.php HTTP/1.1
0-0 31154   1/64/64 C   24.74   0   1   26.8    1.85    1.85    24.127.122.188  mysite.net  GET /images/soc.png HTTP/1.1
0-0 31154   0/51/51 _   24.87   0   899 0.0 0.78    0.78    86.111.144.194  mysite.net  GET /includes/offers/window.php?file=57860&tooltip=true HTTP/1.
0-0 31154   0/18/18 R   11.00   77  1   0.0 0.27    0.27    ?   ?   ..reading..

1 个答案:

答案 0 :(得分:0)

看起来您的网站正在打开远程文件,因为这些消息表明您的Apache服务器正在通过DNS执行查找。

查找错误代码

您需要弄清楚他们使用什么方法来访问该框。然后查看该代码并尝试找到与众不同的东西。他们通常会使用exec()base64_decode()之类的内容来隐藏代码,然后您可以grep来查找代码。对grepfopen()fread()甚至file_get_contents()等内容也curl_init()。如果您在不期望它们的地方找到任何这些脚本,那么这将是您的利用。

您应该可以使用conntrackdntopargusbro-idssancp等内容查找包装箱上的出站流量。< / p>

尝试快速修复

转到php.ini文件和allow_url_fopen allow_url_includephp.ini。看起来好像有人试图让你的网站从他们的网站打开txt文件(有效负载存在的地方)。

如果这些设置允许远程打开,那么这就是它们导致此行为的方式。有人很可能从他们的服务器上打开了服务器上的文件并导致漏洞利用。

如果他们的盒子上有代码,那么您需要清除该框的内容,并在修复ini_set文件后更新备份中的代码。否则,他们可以尝试使用IPtables之类的内容使用已托管的代码更改前端的设置。

不对代码或设置进行更改并从备份还原不会阻止此行为。此外,您可以使用heatinasnap.net之类的内容来阻止对file_get_contents及其解析的IP [173.254.28.65]的所有出站请求。

如果您使用RequestReadTimeout header=10 body=30 之类的内容,则会通过进行此更改来禁用它。另一方面,cURL check the system configuration settings并不会受到变化的影响。服务器上的任何代码仍然可以使用cURL(即使它不是你的)。

DOS攻击更新

由于您认为这是DOS,您可以尝试使用uses its own libraries。好的设置是:

{{1}}
相关问题
最新问题