
Hello, I've been a TCH customer for several years...5 or 6 now, I think...and I suddenly find myself in a situation I don't know how to handle. My site has been attacked - it looks like it's some sort of brute force attack to gain access.

 

So far, it looks like they have failed to crack any passwords - they're just hitting my site user login/new account page over and over, but what I don't understand is how this has resulted in 65GB of data being downloaded from my server???

 

This caused a warning to be sent to me that my server bandwidth usage had exceeded 80%, and that brought the issue to my attention.

 

I've blocked the IPs via CPANEL and NukeSentinel, but I see in the error logs that the attack is still underway.

 

I've submitted an abuse support ticket to TCH.

 

I've sent an email to the US hosting service where the attack appears to have initially originated, but this brute force attack seems to have started with a US company and then moved to a French domain where the bulk of it is now originating. I don't habla any français, so I don't know what to do about that...

 

What does a *regular* person do when this stuff happens? I run a small site to advertise my music production business. This is my presence on the web. I can't afford to shut down my site.

 

I guess the biggest thing I'm wondering is, how do I make it so I am warned sooner when something like this is happening? TCH auto-warned me when my site had hit 80% of bandwidth. How can I make it so that a huge spike in traffic above the normal average sends me an email so I can investigate and block it? Certainly that would be to the benefit of TCH as well as me?

 

I can see from the error logs that they are still attacking...but hopefully those IP blocks are doing what they are supposed to now. Though it makes me wonder if the attack is still sucking up my bandwidth and hurting the server even if the IPs are being denied...?

 

Hackers suck. :)

what I don't understand is how this has resulted in 65GB of data being downloaded from my server???

It seems like they must be getting a full page with some sort of content on it for their failed login attempts. If it's a 40KB page, 1 million requests would send out 40GB. Do your logs show a million requests? Yikes!

 

I've blocked the IPs via CPANEL

By manually editing .htaccess (but don't do it if you use the FrontPage Extensions) and adding "deny from" lines, you can block entire ranges of IPs if necessary.

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

 

if the attack is still sucking up my bandwidth and hurting the server even if the IPs are being denied...?

In addition to blocking the IPs, you can specify that nothing, not even an error page, is sent out to "403 - Forbidden" requests. This line in .htaccess will do it. It says that a 403 Forbidden page will consist of a single space character along with the 403 response header, which will greatly reduce the bandwidth consumed by these malicious requests. The requester gets a blank page. Bandwidth reported for each request is 1 byte:

 

ErrorDocument 403 " "

 

how do I make it so I am warned sooner when something like this is happening?

I check cPanel > Latest Visitors at least once a day in an attempt to notice things like this. Bandwidth report and error report are two other places where they'd show up.

 

How can I make it so that a huge spike in traffic above the normal average sends me an email so I can investigate and block it?

I'm not sure where the bandwidth data is stored, but if it's within your website in a file readable by PHP, it might be possible to write a PHP script that would check periodically and send you an email if it's rising faster than some threshold. Alternatively, you could add a section of PHP to each page (such as in a header) that does your own tally of bandwidth (or even just the number of requests). Keep a data file with the running total. The PHP script would update the total either increasing it by 1 (number of requests) or by the size of that page (more involved). Then when a threshold is reached, it could send you an email and reset the totals to 0.

 

I can see from the error logs that they are still attacking...but hopefully those IP blocks are doing what they are supposed to now.

You can verify what's happening at Latest Visitors.

Also turn on log archiving so the logs aren't deleted every day. Then you can go through them sometimes to see what's been going on.

Edited by SteveW
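A concrete version of the per-page request tally SteveW describes, added here as an example and not code from the original post or from TCH: it counts requests per time window in a locked data file, emails once when a threshold is crossed, and resets the total at the next window. The file path, email address, window length and threshold are placeholders to adapt.

```php
<?php
// Added example (not from the original post): per-request tally with an
// alert when the count in the current window crosses a threshold.
// Include it near the top of each PHP page (e.g. in a shared header).
// Assumptions: a writable data file outside the web root and a working
// mail() on the host. Path, address and thresholds below are placeholders.

define('TALLY_FILE', '/home/example/tally.dat');   // placeholder path
define('ALERT_TO',   'you@example.com');           // placeholder address
define('WINDOW',     600);      // seconds per counting window (10 min)
define('THRESHOLD',  500);      // requests per window before alerting

// Returns the window state when an alert should be sent, otherwise null.
// Pass the page size as $bytes to tally bandwidth instead of hit count.
function tally_request(string $file, int $now, int $bytes = 1): ?array
{
    // Hold an exclusive lock so concurrent requests do not lose updates.
    $fh = fopen($file, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return null;
    }
    $raw   = stream_get_contents($fh);
    $state = $raw !== '' ? json_decode($raw, true) : null;
    if (!is_array($state) || !isset($state['start']) || $now - $state['start'] >= WINDOW) {
        // New window: reset totals to 0, as the post describes.
        $state = ['start' => $now, 'requests' => 0, 'bytes' => 0, 'alerted' => false];
    }
    $state['requests'] += 1;
    $state['bytes']    += $bytes;

    $alert = null;
    if ($state['requests'] >= THRESHOLD && !$state['alerted']) {
        $state['alerted'] = true;   // one alert per window, not one per request
        $alert = $state;
    }
    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $alert;
}

$hit = tally_request(TALLY_FILE, time());
if ($hit !== null) {
    $ip  = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $msg = sprintf("%d requests in %d s (latest from %s for %s). Check Latest Visitors and the error log.",
                   $hit['requests'], WINDOW, $ip, $_SERVER['REQUEST_URI'] ?? '/');
    mail(ALERT_TO, 'Traffic spike on your site', $msg);
}
```

Combined with the `deny from` lines and the blank 403 page above, the alert arrives long before the 80% bandwidth warning, while the rejected requests themselves cost almost nothing to serve.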