Slammed by worms
 
OPENSTEP
The One


Joined: May 25, 2003
Posts: 4752
Location: Santa Barbara, CA

Posted: Sun Dec 26, 2004 10:52 am    Post subject: Slammed by worms

Just so you know, trinity's response time may be on and off since right now it's being slammed by various worms based on the Santy style exploits, inlining perl into bogus HTTP requests and the like. Unfortunately they're coming from everywhere and not just certain IPs, so it's going to take me some time to figure out how to block them.

Until then I'll do my best to try and keep the server responsive.

ed
OPENSTEP
Posted: Sun Dec 26, 2004 12:53 pm

OK, the system was so slow not really because it was vulnerable but because these PHPBB worms were slamming the server with requests of about one to two per second. They're actually being released pretty quickly by the script kiddies, too. I added in some additional filtering that should limit the impact of a number of these worm attacks, at least the ones that are just modded briefly by the script kiddies. The webserver will just return them a Forbidden access. This won't solve the incoming bandwidth, but it will at least prevent the database from being slammed and will handle the request correction quicker than the PHP code.

Since this theoretically can break some of the other URL requests on the server, please let me know if you find anything that's accidentally "Forbidden". Copy the full URL too so I can find where my regular expressions are wrong :)

ed
OPENSTEP
Posted: Mon Dec 27, 2004 5:52 am    Post subject: More aggressive URL filtering

OK, this server's still being hammered by these worms and their multiple variants. There seem to be now about 5 or so that keep banging this server. I'm still getting requests from these worms at least once a second. Stupid Brazilian hackers. I added in new filtering to weed out the worms from normal traffic. While the worms didn't do anything as the phpbb sid attacks don't work here, they still were bogging down the database. The filtering prevents PHP from even bothering to process requests that are coming from these worms. Since script kiddies and other hackers are making new ones of these daily, the filters are now much more general and hopefully will keep the server responsive.

Be on the lookout for any broken links on trinity and please send me the full link.

ed
OPENSTEP
Posted: Mon Dec 27, 2004 8:56 pm    Post subject: Traffic starting to lessen...

Now it's down to perhaps one worm hit every two seconds (still an order of magnitude above normal server traffic) but now it's not doing anything significant except flooding the access log with 403 forbidden requests :) There are still new variants coming in though, and someone seems to be using this server as a "test case" for a new variant, which is quite disturbing. I still don't understand what thrill people get about writing something that attacks a volunteer effort. Sigh.

ed
All times are GMT - 7 Hours