  1. #1
    Website Under Attack

    Not sure how much info to put here.

    Running school website on IIS on Server 2003 - wwwdotsaccdotnottsdotschdotuk - only port 80 mapped through the firewall.

    Website is HTML with some ASP; also runs Moodle and an SQL forum.

    Tuesday this week noticed all internet for the school very slow - router pings very high.

    Turns out the webserver is receiving massive traffic, all to the homepage - default.asp - literally millions of hits per day.

    IIS log (massive) is all of the form:

    2009-01-30 18:54:56 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 181

    Hits coming from Paraguay, Sweden, Mexico etc.

    Learning about attacks very quickly.

    Has anyone any advice?

    Server currently offline; will turn back on if needed.

  2. #2
    First of all, check whether it's infected by some kind of virus/malware which is attracting the hits.

    Secondly, filter the list and obtain a list of IPs to send to your ISP for blocking at their end (useless blocking them at your end as you only have a small pipe and it will still be saturated).

    You should be fine after that.
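    Added example (not from the thread): post #2's "filter the list" step done against the IIS W3C extended log format shown in post #1, ranking client IPs by hits on the flooded page so the busiest sources can be handed to the ISP. The log text is constructed (the OP's own line is the first record); the #Fields header names are the standard IIS 6 W3C fields, and the parser reads them rather than hard-coding column positions.

```python
# Added example (not from the thread): rank client IPs in an IIS W3C extended
# log so the busiest sources can be handed to the ISP, as post #2 suggests.
# SAMPLE_LOG is constructed; its first record is the OP's own log line.
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-01-30 18:54:56 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 181
2009-01-30 18:54:56 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 181
2009-01-30 18:54:57 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 203.0.113.9 HTTP/1.0 - - - - 200 0 64 0 39 177
2009-01-30 18:54:57 W3SVC1 WEBSITE 10.60.208.31 GET /moodle/index.php - 80 - 198.51.100.44 HTTP/1.1 Mozilla/4.0+(compatible) - - - 200 0 0 5120 410 32
2009-01-30 18:54:58 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 181
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    IIS writes a #Fields header into each log, so the header is trusted
    instead of hard-coding column positions that differ between servers."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("request line seen before any #Fields header")
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines rather than misread columns
                yield dict(zip(fields, values))


def top_clients(text, uri_stem="/Default.asp", min_hits=2):
    """Hits per client IP on the flooded page, busiest first; drops one-off visitors."""
    counts = Counter(rec["c-ip"] for rec in parse_iis_log(text)
                     if rec["cs-uri-stem"].lower() == uri_stem.lower())
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


def blocklist(text, **kwargs):
    """Newline-separated IP list, ready to paste into the request to the ISP."""
    return "\n".join(ip for ip, _ in top_clients(text, **kwargs))


if __name__ == "__main__":
    for ip, hits in top_clients(SAMPLE_LOG, min_hits=1):
        print("%-16s %d" % (ip, hits))
```

    On a real log, raise min_hits well above what a browsing visitor would produce in a day, so the list sent to the ISP holds only flood sources.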

  3. #3
    Secondly, filter the list and obtain a list of IPs to send to your ISP for blocking at their end
    If that isn't small I'd get the ISP to blackhole all traffic aimed at the web-server IP for a while. Figure out whether there is anything wrong locally and if not (or when fixed) get the web server moved to another address.

  4. #4
    When reconnected after a day everything was OK - thought I'd fixed it - until a fixed time when all the attacks started again.

    Points to something on server attracting them

    Looked at port activity, ran virus scans to no avail

    Any ideas?

  5. #5
    Which version of Moodle are you using?

    Check your Moodle directory for any files which shouldn't be there; specifically look for any .php files which have been changed recently, or any files which were .html/.htm which are now .php.

  6. #6
    Moodle vers 1.914

  7. #7
    Have you found any new PHP files? Are any files edited recently?

    I would suggest deleting your Moodle install directory (save config.php before doing this), then stick a fresh copy of Moodle in its place, add your config.php and replace any custom blocks or code you have added.

    I've heard of similar attacks on moodle....

  8. #8
    Google has cached your Moodle site and tells me it's 1.8.1, so I 99% guarantee Moodle is your problem!

  9. #9
    What exactly might these edits look like?

  10. #10
    I don't know exactly without being able to look at your server's /moodle directory; PM me FTP details and I'll have a quick look if you like.

    Essentially a number of .php files will either be added with similar names to existing Moodle files, or existing files will be edited to include a line like the one below:

    */function tdo(){echo base64_decode('hu4fhr6jsbskai94

    Can you do a grep for base64_decode?
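    Added example (not from the thread, and not the poster's own tooling): the checks from posts #5 and #10 as one script, walking a Moodle web root for .php files modified recently, .php files that call base64_decode (the grep post #10 asks for), and the tighter pattern of base64_decode fed straight into eval/echo. RECENT_DAYS, the throwaway demo tree and the 'PLACEHOLDER' payload are this example's own constructions.

```python
# Added example (not from the thread): triage a Moodle web root for the signs posts #5
# and #10 describe: .php files changed recently, and .php files calling base64_decode
# (worse when fed straight into eval/echo). RECENT_DAYS, the demo tree and the
# placeholder payload are this example's own constructions.
import os
import re
import tempfile
import time

RECENT_DAYS = 7
# eval/echo/assert wrapped round base64_decode(...) is the usual obfuscated-injection shape
OBFUSCATION = re.compile(r"\b(eval|echo|assert|print)\b\s*\(?\s*base64_decode\s*\(", re.I)

def scan_moodle_dir(root, now=None):
    """Return {relative_path: [reasons]} for every .php file under root that trips a check."""
    cutoff = (time.time() if now is None else now) - RECENT_DAYS * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                body = fh.read()
            reasons = []
            if os.path.getmtime(path) >= cutoff:
                reasons.append("modified in last %d days" % RECENT_DAYS)
            if "base64_decode" in body:  # the grep post #10 asks for
                reasons.append("calls base64_decode")
            if OBFUSCATION.search(body):
                reasons.append("decodes base64 straight into eval/echo")
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def _write(path, text, age_days=0):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    if age_days:  # back-date the mtime so the age check has something to leave alone
        os.utime(path, (time.time() - age_days * 86400,) * 2)

def build_demo_tree():
    """Constructed throwaway tree: a fresh clean file, an untouched old file, an injected file."""
    root = tempfile.mkdtemp(prefix="moodle_demo_")
    _write(os.path.join(root, "index.php"), "<?php require_once('config.php'); ?>\n")
    _write(os.path.join(root, "lib", "setup.php"), "<?php // legitimate, untouched\n", age_days=400)
    # shaped like the fragment quoted in post #10; the payload is placeholder text, not real code
    _write(os.path.join(root, "lib", "setup2.php"),
           "<?php /* */function tdo(){echo base64_decode('PLACEHOLDER');} tdo(); ?>\n")
    return root
```

    A freshly reinstalled Moodle will show every file as recently modified, so run the age check against the install you suspect, not the replacement; the base64_decode hits are the ones to read by hand.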

  11. #11
    Tried all above; all virus/malware/rootkit sweeps blank.

    Internet provider has been very helpful and has blocked main culprits.

    Used Wireshark to grab packets attacking port 80 - literally millions.

    Loads containing text 'you've been owned'.

    I would greatly appreciate any views on the following options:

    Move server to a new external IP - but what attracted them in the first place?

    Wipe server and reinstall - but if the code is in PHP/ASP web pages, when they are restored will it all start again?

    Any other suggestions?
