2

Long story short we recently had an account on one of a shared hosts compromised, the issue has been resolved but the affected account is still being spammed with over a million requests a day to a specific file.

Since the compromising file is gone all requests are met with Apache's minimalistic 404 page, weighing in at about 521bytes. Problem is 512bytes * 1M+ requests is not only taking a toll on our servers performance but is wasting gigs of bandwidth a day.

  • The attacks from from hundreds of IP so blocking individual IPs isn't feasible.
  • All the requests are POST requests to the same file, lets call it "evil.php".

We tried briefly using a RewriteRule and forbidding all requests to evil.php but this showed a forbidden page leaving us where we started.

Ideally we want just drop the requests to "evil.php" and return nothing. Essentially stop Apache from responding. Is this possible and how?

Edit

Let assume for the sake of this exercise there is no shell access and all solutions must be implementable via a cPanel like interface. Although this isn't the case here, our freedom to make configuration changes to the server is small beyond LAMP stack, DNS (bind), and Mail configurations.

xzyfer
  • 323
  • 1
  • 5
  • 12

3 Answers3

2

mod_security, action "drop".

[pad chars for serverfault]

Phil P
  • 3,080
  • 1
  • 16
  • 19
0

What if you replaced "evil.php" with a zero-length file? At least in my install of Apache 2.2 that takes up only about 206 bytes (HTTP headers). A 404 takes up about 500 bytes. That would at least cut your traffic in half. For more advanced blacklisting, check out:

http://perishablepress.com/press/2009/02/03/eight-ways-to-blacklist-with-apaches-mod_rewrite/

Markus Iturriaga
  • 46
  • 2
  • That's an interesting idea. Do you know of a way to prevent Apache returning headers as well? Think you posted was interesting, but didn't help this current issue, I'll definitely keep it around though thank you. – xzyfer Jan 26 '11 at 05:48
0

You can create the evil.php file and host it on apache and return empty content (similar to Markus suggestion). At the same time, you can save the requesting IP in a text file. This text file can then by read by a script to add all these IPs to iptables rule to drop all future requests. This way you can collect all requesting IPs and stop them.

Khaled
  • 36,533
  • 8
  • 72
  • 99
  • We considered something similar to this, but we don't have access to ip tables or much else beyond LAMP stack, DNS (bind) and Mail configurations. – xzyfer Jan 26 '11 at 08:20
  • If you don't have access to a local or remote firewall. Then, you should coordinate with the responsible people and they should help! – Khaled Jan 26 '11 at 08:57