
Apache Attack? A lot of readings


fangionet

Guest
Hi All.

First, sorry for my bad English :(

On my server-status page I see this.


Current Time: Thursday, 09-Feb-2006 13:59:06 ART
Restart Time: Thursday, 09-Feb-2006 13:49:38 ART
Parent Server Generation: 0
Server uptime: 9 minutes 28 seconds
Total accesses: 8600 - Total Traffic: 54.4 MB
CPU Usage: u16.54 s2.57 cu0 cs.03 - 3.37% CPU load
15.1 requests/sec - 98.0 kB/second - 6.5 kB/request
123 requests currently being processed, 0 idle workers
RRRRRRRRRRRRRRRRWRRRRRRRRRRRRRRRRRWRRRRRRRRRRRRR.RRW.W.RRRR..RRR
RWRRR.RR..W..RR.RRRRRRR.RRWRRR.RRR..RRRRRR..RRW.RRR..WRRRR..W.RR
RRRRR.RRWRRRRRRRR..RR...........................................
................................................................

7-0 27765 0/20/20 R 0.01 0 0 0.0 0.05 0.05 ? ? ..reading..
8-0 27822 0/21/21 R 0.01 0 0 0.0 0.11 0.11 ? ? ..reading..
9-0 29413 0/0/6 R 0.11 0 0 0.0 0.00 0.09 ? ? ..reading..
10-0 27850 0/15/15 R 0.07 3 0 0.0 0.05 0.05 ? ? ..reading..
11-0 27874 0/5/5 R 0.01 0 0 0.0 0.02 0.02 ? ? ..reading..
12-0 27875 0/9/9 R 0.01 1 0 0.0 0.01 0.01 ? ? ..reading..
13-0 29419 0/1/8 R 0.00 0 0 0.0 0.00 0.09 ? ? ..reading..
14-0 27877 0/10/10 R 0.01 0 0 0.0 0.06 0.06 ? ? ..reading..
15-0 27896 0/11/11 R 0.02 0 0 0.0 0.02 0.02 ? ? ..reading..
16-0 27897 0/8/8 R 0.01 7 0 0.0 0.04 0.04 ? ? ..reading..
17-0 27898 0/11/11 R 0.00 0 0 0.0 0.04 0.04 ? ? ..reading..
18-0 27899 0/11/11 R 0.06 0 0 0.0 0.06 0.06 ? ? ..reading..
19-0 27900 0/5/5 R 0.07 0 0 0.0 0.05 0.05 ? ? ..reading..


I restarted Apache, the server, everything. I reinstalled Apache, and it continues (3 hours). I believe that it is an attack. Any ideas?

I searched on Google but didn't find anything :(

Thanks!
 
Please any ideas?
For the last 3 days the problem continues. :(

Thanks in advance
 
Originally posted by fangionet
Please any ideas?
For the last 3 days the problem continues. :(

Thanks in advance


I doubt you are going to find much advice, but 15 requests/sec is very high -- unless you are running a high volume web site.

I would recommend inspecting your access logs on all of your domains including the ones under /var/log/httpd/access*log and /home/httpd/vhosts/*/statistics/logs/access*log. I usually use the command below to watch the log files for a little while for any unusual activity:

tail -1f /var/log/httpd/access*log /home/httpd/vhosts/*/statistics/logs/access*log

If you have a lot of domains, then it will probably fail due to the shell expansion of the wildcard and the buffer limits.

Server status doesn't tell you much; it is a very "high level" view. Usually the sockets that are "..reading.." are in an intermediate state where they haven't established the client request yet. If that is the case, then it is very possible someone is launching a DoS against your host.

http://www.directadmin.com/forum/showthread.php?threadid=11316

I also suggest, as in the thread, installing mod_security, and if you are being attacked via a DoS, then firewall the attackers on your machine and have your upstream ISP firewall them as well.

You may want to hire a server admin as a consultant if you're unsure of what needs to be done. Normally they will bill at an hourly rate, since things of this nature are very dynamic and can tend to take anywhere from 4 hours to 16 or more hours. I dealt with one host that was being attacked via a worm and it took around 4 hours to deal with the problems that were caused.
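Added example, not part of the thread or of Apache itself: a small Python check that tallies the mod_status scoreboard discussed above and flags the pattern in the first post, where every worker is busy and nearly all of them sit in "R" (reading request). The 0.8 ratio threshold and the two sample scoreboards are assumptions constructed for illustration.

```python
import re
from collections import Counter

# mod_status scoreboard key: "_" waiting for connection, "S" starting up,
# "R" reading request, "W" sending reply, "K" keepalive, "D" DNS lookup,
# "C" closing, "L" logging, "G" graceful finish, "I" idle cleanup,
# "." open slot with no current process.
SCOREBOARD_LINE = re.compile(r"^[_SRWKDCLGI.]{8,}$")

def scoreboard_counts(status_text):
    """Count worker states in server-status text (page text or ?auto output)."""
    counts = Counter()
    for line in status_text.splitlines():
        line = line.strip()
        if line.startswith("Scoreboard:"):      # machine-readable ?auto format
            line = line.split(":", 1)[1].strip()
        if SCOREBOARD_LINE.match(line):          # skips prose and per-worker rows
            counts.update(line)
    return counts

def assess(counts, reading_ratio=0.8):
    """Flag a saturated pool dominated by connections that never finish a request.

    reading_ratio is an assumed threshold, not an Apache default; tune per site.
    """
    slots = sum(counts.values())
    idle = counts["_"]
    busy = slots - idle - counts["."]
    ratio = counts["R"] / busy if busy else 0.0
    return {
        "busy": busy,
        "idle": idle,
        "reading": counts["R"],
        "reading_ratio": round(ratio, 2),
        "suspicious": busy > 0 and idle == 0 and ratio >= reading_ratio,
    }

# Constructed samples (not copied from the post).
SATURATED = """12 requests currently being processed, 0 idle workers
RRRRRRWRRRRR....
................
"""
HEALTHY = "Scoreboard: __W_K___R_......\n"

if __name__ == "__main__":
    for name, text in (("saturated", SATURATED), ("healthy", HEALTHY)):
        print(name, assess(scoreboard_counts(text)))
```

A flagged scoreboard is only a prompt to look at the access logs and at per-client connection counts, as the reply suggests; slow legitimate clients can also hold workers in "R".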
 