Not sure how much info to put here
Running school website on IIS on Server 2003 - wwwdotsaccdotnottsdotschdotuk - only port 80 mapped through firewall.
Website HTML with some ASP, also runs Moodle and SQL forum.
Tuesday this week noticed all internet for school very slow - router pings very high.
Turns out webserver receiving massive traffic all to homepage - default.asp - literally millions of hits per day.
IIS log (massive) all of the form:
2009-01-30 18:54:56 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 181
Hits coming from Paraguay, Sweden, Mexico etc.
Learning about attacks very quickly.
Has anyone any advice?
Server currently offline, will turn back on if needed.

First of all, check whether it's infected by some kind of virus/malware which is attracting the hits.
Secondly, filter the list and obtain a list of IPs to send to your ISP for blocking at their end (useless blocking them at your end as you only have a small pipe and it will still be saturated).
You should be fine after that.
If that isn't small I'd get the ISP to blackhole all traffic aimed at the web-server IP for a while. Figure out whether there is anything wrong locally and if not (or when fixed) get the web server moved to another address.
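One way to pull that per-IP list out of the IIS log, added here as a worked example (not code from anyone in this thread): it reads the W3C extended format shown above, counts hits to the homepage per client address, and returns the sources at or above a threshold. The #Fields line and all addresses other than the one quoted above are constructed sample data, and the column set is an assumption about what logging was enabled.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format. The #Fields line is an
# assumption about which columns were enabled; 203.0.113.9 and 192.0.2.44
# are documentation addresses, not real sources from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-01-30 18:54:56 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 181
2009-01-30 18:54:56 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 175
2009-01-30 18:54:57 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 85.229.218.177 HTTP/1.0 - - - - 200 0 64 0 39 190
2009-01-30 18:54:57 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 203.0.113.9 HTTP/1.0 - - - - 200 0 64 0 39 160
2009-01-30 18:54:58 W3SVC1 WEBSITE 10.60.208.31 GET /Default.asp - 80 - 203.0.113.9 HTTP/1.0 - - - - 200 0 64 0 39 162
2009-01-30 18:54:58 W3SVC1 WEBSITE 10.60.208.31 GET /moodle/index.php - 80 - 192.0.2.44 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - http://www.example.invalid/ - 200 0 0 5120 410 31
"""


def parse_w3c(lines):
    """Yield one dict per request row, using the #Fields directive for column names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip truncated or malformed rows rather than misalign columns
        yield dict(zip(fields, parts))


def flood_sources(lines, threshold, uri="/default.asp"):
    """Count hits to `uri` per client IP; return (ip, hits) pairs at or above
    `threshold`, busiest first. This is the list to hand to the ISP."""
    hits = Counter()
    for row in parse_w3c(lines):
        if row["cs-uri-stem"].lower() == uri:
            hits[row["c-ip"]] += 1
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    # On the real server, replace SAMPLE_LOG with open(r"C:\...\ex090130.log")
    for ip, n in flood_sources(SAMPLE_LOG.splitlines(), threshold=2):
        print(f"{ip}\t{n}")
```

Pick the threshold from the real log's distribution: on a flood of millions of hits a day, a cut-off in the thousands separates the sources worth reporting from ordinary visitors.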
When reconnected after a day everything was OK - thought I'd fixed it - until a fixed time when all attacks started again.
Points to something on the server attracting them.
Looked at port activity, ran virus scans to no avail.
Any ideas?
Which version of Moodle are you using?
Check your Moodle directory for any files which shouldn't be there; specifically look for any .php files which have been changed recently, or any files which were .html/.htm and are now .php.
moodle vers 1.914
Have you found any new PHP files? Are any files edited recently?
I would suggest deleting your Moodle install directory (save config.php before doing this), then stick a fresh copy of Moodle in its place, add your config.php and replace any custom blocks or code you have added.
I've heard of similar attacks on moodle....
Google has cached your Moodle site and tells me it's 1.8.1, so I 99% guarantee Moodle is your problem!
What exactly might these edits look like?
I don't know exactly without being able to look at your server /moodle directory; PM me FTP details and I'll have a quick look if you like.
Essentially a number of .php files will either be added with similar names to existing Moodle files, or existing files will be edited to include a line like below:
*/function tdo(){echo base64_decode('hu4fhr6jsbskai94
Can you do a grep for base64_decode?
Tried all above; all virus/malware/rootkit sweeps came back blank.
Internet provider has been very helpful and has blocked main culprits.
Used Wireshark to grab packets attacking port 80 - literally millions.
Loads containing the text 'you've been owned'.
I would greatly appreciate any views on the following options:
Move server to a new external ip - but what attracted them in the first place?
Wipe server and reinstall - but if the code is in the PHP/ASP web pages, when they are restored will it all start again?
Any other suggestions?