
Apache Attack? A lot of readings

Discussion in 'Plesk for Linux - 8.x and Older' started by fangionet, Feb 9, 2006.

  1. fangionet

    fangionet Guest

    Hi All.

    First, sorry for my bad English :(

    On my server-status page I see this:


    Current Time: Thursday, 09-Feb-2006 13:59:06 ART
    Restart Time: Thursday, 09-Feb-2006 13:49:38 ART
    Parent Server Generation: 0
    Server uptime: 9 minutes 28 seconds
    Total accesses: 8600 - Total Traffic: 54.4 MB
    CPU Usage: u16.54 s2.57 cu0 cs.03 - 3.37% CPU load
    15.1 requests/sec - 98.0 kB/second - 6.5 kB/request
    123 requests currently being processed, 0 idle workers
    RRRRRRRRRRRRRRRRWRRRRRRRRRRRRRRRRRWRRRRRRRRRRRRR.RRW.W.RRRR..RRR
    RWRRR.RR..W..RR.RRRRRRR.RRWRRR.RRR..RRRRRR..RRW.RRR..WRRRR..W.RR
    RRRRR.RRWRRRRRRRR..RR...........................................
    ................................................................

    7-0 27765 0/20/20 R 0.01 0 0 0.0 0.05 0.05 ? ? ..reading..
    8-0 27822 0/21/21 R 0.01 0 0 0.0 0.11 0.11 ? ? ..reading..
    9-0 29413 0/0/6 R 0.11 0 0 0.0 0.00 0.09 ? ? ..reading..
    10-0 27850 0/15/15 R 0.07 3 0 0.0 0.05 0.05 ? ? ..reading..
    11-0 27874 0/5/5 R 0.01 0 0 0.0 0.02 0.02 ? ? ..reading..
    12-0 27875 0/9/9 R 0.01 1 0 0.0 0.01 0.01 ? ? ..reading..
    13-0 29419 0/1/8 R 0.00 0 0 0.0 0.00 0.09 ? ? ..reading..
    14-0 27877 0/10/10 R 0.01 0 0 0.0 0.06 0.06 ? ? ..reading..
    15-0 27896 0/11/11 R 0.02 0 0 0.0 0.02 0.02 ? ? ..reading..
    16-0 27897 0/8/8 R 0.01 7 0 0.0 0.04 0.04 ? ? ..reading..
    17-0 27898 0/11/11 R 0.00 0 0 0.0 0.04 0.04 ? ? ..reading..
    18-0 27899 0/11/11 R 0.06 0 0 0.0 0.06 0.06 ? ? ..reading..
    19-0 27900 0/5/5 R 0.07 0 0 0.0 0.05 0.05 ? ? ..reading..


    I restarted Apache, the server, everything. I reinstalled Apache, and it continues (3 hours). I believe that it is an attack. Any idea?

    I searched on Google but didn't find anything :(

    Thanks!
     
  2. fangionet

    fangionet Guest

    Please any ideas?
    For the last 3 days the problem continues. :(

    Thanks in advance
     
  3. wagnerch

    wagnerch Guest


    I doubt you are going to find much advice, but 15 requests/sec is very high -- unless you are running a high volume web site.

    I would recommend inspecting your access logs on all of your domains including the ones under /var/log/httpd/access*log and /home/httpd/vhosts/*/statistics/logs/access*log. I usually use the command below to watch the log files for a little while for any unusual activity:

    tail -n 1 -f /var/log/httpd/access*log /home/httpd/vhosts/*/statistics/logs/access*log

    If you have a lot of domains, then it will probably fail due to the shell expansion of the wildcard and the buffer limits.

    Server status doesn't tell you much; it is a very "high level" view. Usually the sockets that are "..reading.." are in an intermediate state where they haven't established the client request yet. If that is the case, then it is very possible someone is launching a DoS against your host.

    http://www.directadmin.com/forum/showthread.php?threadid=11316

    I also suggest, as in the thread, installing mod_security, and if you are being attacked via a DoS, then firewall the attackers on your machine and have your upstream ISP firewall them as well.

    You may want to hire a server admin as a consultant if you're unsure of what needs to be done. Normally they will bill at an hourly rate, since things of this nature are very dynamic and can tend to take anywhere from 4 hours to 16 or more hours. I dealt with one host that was being attacked via a worm and it took around 4 hours to deal with the problems that were caused.
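
Added example, not part of the original thread: a small Python check that reads the text of a server-status page and flags the pattern discussed above, where no workers are idle and most busy workers sit in the "R" (reading request) state. The function names, the 0.8 threshold and the sample scoreboard are assumptions made for illustration.

```python
import re
from collections import Counter

# mod_status scoreboard key: "_" waiting, "S" starting, "R" reading request,
# "W" sending reply, "K" keepalive, "D" DNS lookup, "C" closing, "L" logging,
# "G" gracefully finishing, "I" idle cleanup, "." open slot with no process.
# Accepts bare scoreboard rows and the "Scoreboard: ..." line of ?auto output.
ROW = re.compile(r"^(?:Scoreboard:\s*)?([_SRWKDCLGI.]{8,})$")


def scoreboard_counts(status_text):
    """Count worker states in the text of a server-status page."""
    counts = Counter()
    for line in status_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            counts.update(m.group(1))
    return counts


def assess(status_text, read_ratio=0.8):
    """Flag a saturated pool whose busy workers are mostly stuck in 'R'."""
    c = scoreboard_counts(status_text)
    idle = c["_"]
    # Busy = slots handling a connection; waiting, open, starting and
    # idle-cleanup slots are not counted as busy.
    busy = sum(n for s, n in c.items() if s not in "_.SI")
    reading = c["R"]
    ratio = reading / busy if busy else 0.0
    return {"busy": busy, "idle": idle, "reading": reading,
            "reading_ratio": round(ratio, 2),
            "suspicious": busy > 0 and idle == 0 and ratio >= read_ratio}


# Constructed sample modelled on the figures in the first post
# (123 busy, 0 idle); the exact R/W split is an assumption.
board = "R" * 110 + "W" * 13 + "." * 133
SAMPLE = ("123 requests currently being processed, 0 idle workers\n"
          + "\n".join(board[i:i + 64] for i in range(0, len(board), 64)))

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A high "R" share can also come from slow legitimate clients, so treat a positive result as a reason to look at per-address connection counts and the access logs rather than as proof of an attack.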
     