An interesting quandary....

This afternoon we caught a spammer using our system as a relay for hundreds of other machines through a PHP script that was uploaded through a script exploit on one of our clients' websites.

Now the problem....

We've deleted the website, the DNS records on our server, and the domain registrar; however, despite these changes the hundreds of machines out there which used our server for the relaying still find their way onto our server. This causes quite a large load issue, as 50 requests per second are generated on this now non-existent script.

The server load is not high, but our server shows 500 currently running processes, which tends to eat away at memory. Typically this server runs a steady 250 processes. I find I'm having to run several killalls on httpd throughout the day to free up the memory again once it dives into the swap.

23:51:53 up 6:20, 2 users, load average: 0.73, 2.84, 4.01
561 processes: 560 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 2.6% 0.0% 1.8% 0.0% 0.0% 1.5% 93.8%
cpu00 1.7% 0.0% 1.7% 0.0% 0.0% 1.3% 95.0%
cpu01 3.5% 0.0% 1.9% 0.0% 0.0% 1.7% 92.6%
Mem: 2055452k av, 1990016k used, 65436k free, 0k shrd, 114048k buff
1357124k actv, 263572k in_d, 33200k in_c
Swap: 1044144k av, 390708k used, 653436k free 372924k cached

My question is - since all these requests are coming from completely different IP addresses, there is no possible way to block them all without seriously affecting our other clients. Is there a way to deny access to a particular file on a server without having to generate a log for the denial (and therefore create an apache process) - but instead it just ignores all traffic to that URL?

I'm almost certain this was more an attack with the spam as a bonus. I don't believe this user actually has control over all those IP addresses being used from around the world - it's almost like this is an evil fakezilla version used to generate non-existent traffic.....

[Wed May 4 00:02:51 2005] [error] [client 24.152.245.243] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 24.55.244.239] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 24.55.244.239] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 207.59.45.83] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 207.59.45.83] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 80.250.181.17] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 80.250.181.17] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 220.225.96.54] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 220.225.96.54] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 195.209.66.199] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 195.209.66.199] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 194.85.140.36] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 194.85.140.36] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 213.134.211.170] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 213.134.211.170] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 82.54.112.91] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 82.54.112.91] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 81.0.88.96] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 81.0.88.96] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 81.73.189.250] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 81.73.189.250] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 213.186.187.162] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 213.186.187.162] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 193.219.58.58] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 193.219.58.58] File does not exist: /var/www/html/404.shtml
[Wed May 4 00:02:51 2005] [error] [client 217.132.79.210] File does not exist: /var/www/html/webadm/web.php
[Wed May 4 00:02:51 2005] [error] [client 217.132.79.210] File does not exist: /var/www/html/404.shtml


Your thoughts would be appreciated.... thanks
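A configuration fragment of the kind the question above is asking for, added here as an example; it is not part of the original post. It assumes Apache 2.0 (the error-log format matches a 2.0 install) with mod_access, mod_setenvif and mod_log_config loaded, and takes the DocumentRoot /var/www/html and the script path from the posted log lines; the log path and the MaxClients value are assumptions to be replaced with the server's own. Two points the posted log supports are worth noting. First, every hit on /webadm/web.php produces a second error because the custom 404 page /var/www/html/404.shtml does not exist either, so each request costs two filesystem lookups and two error-log lines. Second, no directive can stop a worker process from accepting the connection; the most a config can do is make what the worker does once it has the request as cheap as possible, and cap how many workers the box will spawn.

```apache
# Added example, not from the original post. Assumes Apache 2.0 with
# mod_access, mod_setenvif and mod_log_config; paths come from the posted log.

# 1. Answer the dead relay script with a bare 403 and nothing else:
#    no PHP, no custom error page, no subrequest for 404.shtml.
<Location /webadm/web.php>
    Order Deny,Allow
    Deny from all
    ErrorDocument 403 default
</Location>

# 2. Stop the missing-404-page double hit for every other URL as well:
#    either create /var/www/html/404.shtml or fall back to the built-in page.
ErrorDocument 404 default

# 3. Keep the abusive requests out of the access log. Requests that set the
#    "dontlog" variable are skipped by CustomLog's env= clause.
#    (Log path is an assumption; use the one from the existing httpd.conf.)
SetEnvIf Request_URI "^/webadm/web\.php" dontlog
CustomLog /var/log/httpd/access_log combined env=!dontlog

# 4. Caveat: the "client denied by server configuration" message from step 1
#    still goes to the ErrorLog. Apache 2.0 has no per-URL filter for it; the
#    only lever is LogLevel, and dropping it below "error" hides real faults.
#    Left at the default on purpose.

# 5. Cap worker processes at what the RAM can actually hold so that clients
#    cannot push the box into swap. Measure the per-process RSS and set the
#    value from that; 300 is an assumed figure, not a recommendation.
<IfModule prefork.c>
    MaxClients 300
</IfModule>
# Short keepalives hand workers back quickly when the peer sends one request
# and then idles.
KeepAlive On
KeepAliveTimeout 2
```

On Apache 2.4 the access-control lines in step 1 become `Require all denied`; the rest is unchanged. Step 5 is what actually addresses the swap problem: with a ceiling the server will start refusing connections once the cap is reached instead of growing to 560 processes, which is the trade-off the post's steady-state numbers suggest is preferable.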