3

今天我的服务器上发生了一些非常奇怪的活动。我正在点击 Max Apache 连接,但找不到任何可能导致它的东西(我认为我没有受到 DOS 攻击或任何东西)。

我检查了我的 Apache 日志,发现了一些奇怪的东西。

第一的:

[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] --2013-08-13 09:41:13--  http://heatinasnap.net/gs.txt, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] 2013-08-13 09:41:13 ERROR 404: Not Found., referer: http://example.net/forum/index.php
[Tue Aug 13 09:41:13 2013] [error] [client 85.76.3.157] , referer: http://example.net/forum/index.php

[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] --2013-08-13 09:41:31--  http://heatinasnap.net/gs.txt, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] 2013-08-13 09:41:31 ERROR 404: Not Found., referer: http://example.net/members
[Tue Aug 13 09:41:31 2013] [error] [client 112.198.64.88] , referer: http://example.net/members

[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] --2013-08-13 09:41:33--  http://heatinasnap.net/gs.txt, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Resolving heatinasnap.net... 173.254.28.65, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] Connecting to heatinasnap.net|173.254.28.65|:80... connected., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] HTTP request sent, awaiting response... 404 Not Found, referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] 2013-08-13 09:41:33 ERROR 404: Not Found., referer: http://example.net/forum/viewtopic.php?f=9&t=6747
[Tue Aug 13 09:41:33 2013] [error] [client 141.138.54.172] , referer: http://example.net/forum/viewtopic.php?f=9&t=674

我不知道 heatinasnap.net 是什么(从未听说过)。

其次,某种漏洞扫描器:

[Tue Aug 13 09:41:40 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.mysite.net"] [uri "/"] [unique_id "UgpFpK339QIAAFT1Y2MAAAAC"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "55"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "mysite.net"] [uri "/406.shtml"] [unique_id "UgpFpa339QIAAGfpU5MAAAUD"]
[Tue Aug 13 09:41:41 2013] [error] [client 220.248.145.30] File does not exist: /home/hellohel/public_html/406.shtm

这是我当前的 apache 状态:

CPU Usage: u147.51 s128.44 cu2247.28 cs0 - 146% CPU load
147 requests/sec - 2.3 MB/second - 16.4 kB/request
512 requests currently being processed, 0 idle workers

我在 Apache 中没有看到任何 MaxClient 错误。肯定发生了一些奇怪的事情......有人可以提供一些见解吗?

更新:

apache 命中 max-clients 的原因原来是一个 slowloris DOS 攻击,它已通过 apache 修复Mod_Antiloris。在此处安装说明:

http://www.hostingdiscussion.com/hardware-server-configuration/27399-installing-mod_antiloris-mitigate-slowloris-dos-attack.html

更新2:

I am not sure if it was luck or not, but the slowloris thing just solved it for a few minutes. It went back to 512 (max) connections shortly after. I am seeing some very high CPU load on simple scripts so I am wondering if it has something to do with handling large log files. One is just a css file taking up `24.66 CPU`. Check out just a few processes:

Srv PID Acc M   CPU SS  Req Conn    Child   Slot    Client  VHost   Request
0-0 31154   0/45/45 R   23.85   3   1   0.0 0.47    0.47    ?   ?   ..reading..
0-0 31154   0/36/36 _   24.66   0   1   0.0 0.43    0.43    81.152.251.175  mysite.net  GET /css/dwn.css HTTP/1.1
0-0 31154   0/33/33 R   23.92   2   179 0.0 0.69    0.69    ?   ?   ..reading..
0-0 31154   0/1/1   W   0.07    119 0   0.0 0.00    0.00    117.102.163.190 mysite.net  POST /includes/offers/ajax.php HTTP/1.1
0-0 31154   1/64/64 C   24.74   0   1   26.8    1.85    1.85    24.127.122.188  mysite.net  GET /images/soc.png HTTP/1.1
0-0 31154   0/51/51 _   24.87   0   899 0.0 0.78    0.78    86.111.144.194  mysite.net  GET /includes/offers/window.php?file=57860&tooltip=true HTTP/1.
0-0 31154   0/18/18 R   11.00   77  1   0.0 0.27    0.27    ?   ?   ..reading..
4

1 回答 1

0

看起来您的站点正在打开远程文件,因为这些消息表明您的 Apache 服务器正在通过 DNS 执行查找。

寻找错误代码

您需要弄清楚他们使用什么方法来访问该框。然后查看该代码并尝试找到不寻常的东西。exec()他们通常会使用和之类的东西base64_decode()来隐藏代码,然后您就可以grep使用它们。也grep适用于fopen(), fread(), file_get_contents(), 甚至curl_init(). 如果您在不期望它们的地方找到这些脚本中的任何一个,那么这将是您的漏洞。

您应该能够使用 、 、 、 和 之类的内容来查找框上conntrackdntopargusbro-ids流量sancp

尝试快速修复

进入php.ini文件并检查和的系统配置设置。看起来好像有人试图让您的网站从他们的网站(有效负载存在的地方)打开 txt 文件。allow_url_fopenallow_url_include

如果这些设置允许远程打开,那么这就是它们导致此行为的方式。很可能有人从他们的服务器打开了您服务器上的文件并导致了漏洞利用。

如果他们在您的盒子上有代码,那么您将需要清除盒子的内容并在文件修复后从您的一个备份中更新代码php.ini。否则,他们可能会尝试使用已托管的代码更改前端的设置,例如使用ini_set.

不更改代码或设置并从备份恢复不会阻止该行为。此外,您可以使用类似IPtables阻止所有出站请求heatinasnap.net及其解析的 IP [173.254.28.65]。

如果您正在使用类似的东西file_get_contents,将通过进行此更改来禁用它。另一方面,cURL使用自己的库,不会受到更改的影响。但是,服务器上的任何代码仍然可以使用 cURL,(即使它不是你的)。

DOS 攻击更新

由于您认为这是一个 DOS,因此您可以尝试使用mod_reqtimeout。好的设置是:

RequestReadTimeout header=10 body=30
于 2013-08-13T18:17:55.267 回答