
Possible Duplicate:
My server's been hacked EMERGENCY

I'm getting millions of these requests in my Apache access log. How do I stop them?

173.59.227.11 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416620414 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
173.72.197.39 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416641552 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
2.222.7.143 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416647004 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
62.83.154.11 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416572373 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
65.35.221.207 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416453921 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BOIE8;ENUS)"
68.40.182.244 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338415880184 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
99.244.26.33 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338384208421 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
65.12.234.229 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338415812217 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
173.59.227.11 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416620415 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
68.40.182.244 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338415881181 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
188.82.242.197 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338414398872 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0"
99.244.26.33 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338384208454 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
173.59.227.11 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416620424 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
68.40.182.244 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338415882180 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
65.12.234.229 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338415812229 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
95.34.134.51 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416367865 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"
65.35.221.207 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416453937 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BOIE8;ENUS)"

How can I filter GET requests containing "http://108.166.97.22/"?

E3pO
  • Can you block specific IP addresses via your web server? – GaTechThomas May 30 '12 at 22:29
  • I've been going through 1 by 1... e3po@kendrax:/opt/1tb/train$ sudo iptables -A INPUT -s 178.13.39.216 -j but it's not enough! There are thousands of IPs!??? – E3pO May 30 '12 at 22:30
  • Is this "attack" causing any actual harm to the server? – Chris S May 30 '12 at 22:57
  • MySQL is running at 130%, Apache is unresponsive to requests, etc! But it's fixed now thanks to smin's answer. I've also installed fail2ban, thanks guys! – E3pO May 30 '12 at 23:09

4 Answers

From your Apache logs, that IP is the referrer for the request. You could reject packets containing this text using the iptables string match module:

iptables -I INPUT -m string --algo bm --string '108.166.97.22' -j REJECT
smin
  • Perfect, :) Solved it! – E3pO May 30 '12 at 23:10
  • Solved only until the attacker uses a different IP address. No, it's not solved, merely postponed for a while. – John Gardeniers May 31 '12 at 00:16
  • Indeed! User just changed to another IP and had a much more powerful attack. My entire network went offline, had to unplug the router before my box became responsive again. – E3pO May 31 '12 at 02:26

fail2ban will scan your Apache log files for malicious activity and block offending IPs at the firewall level. You can configure it to look for specific patterns (in your case, this is easy).

You can find information on using fail2ban with Apache on their website.

I haven't tested it, but something like this should do the trick.

failregex = <HOST>.*108\.166\.97\.22.*

You can test a regex before applying it; see here for details on testing failregexes for fail2ban.
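
As an added example (not code from the answer above or from the fail2ban project), here is a small offline check for a filter like the one in this answer: it expands the `<HOST>` tag the way fail2ban does before compiling the regex, runs the result over a few constructed combined-log lines, and reports which hosts matched and how often. The `HOST_TAG` expansion is the classic one from fail2ban 0.8/0.9, reproduced here from memory as an assumption; the log lines use documentation address ranges and are constructed, not taken from the question's log. The check also catches the easy mistake of writing the tag in lower case, which fail2ban would not expand.

```python
import re

# fail2ban substitutes its <HOST> tag with a named capture group before compiling a
# failregex. This is the classic expansion from fail2ban 0.8/0.9 (an assumption,
# reproduced from memory; newer releases use a more elaborate pattern).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed Apache combined-log lines for testing (documentation addresses, not the
# original poster's log). Three lines carry the suspicious referrer, one does not.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2012:18:23:45 -0400] "GET /?id=1338416620414 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0"
198.51.100.7 - - [30/May/2012:18:23:45 -0400] "GET /index.html HTTP/1.1" 200 512 "https://www.example.org/" "Mozilla/5.0"
203.0.113.10 - - [30/May/2012:18:23:46 -0400] "GET /?id=1338416620415 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0"
192.0.2.55 - - [30/May/2012:18:23:46 -0400] "GET /?id=1338416647004 HTTP/1.1" 200 28 "http://108.166.97.22/" "Mozilla/5.0"
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> as fail2ban does and compile the result.

    Raises ValueError when the compiled pattern has no 'host' group, which is what
    happens if the tag is misspelled (fail2ban only recognises the upper-case tag).
    """
    pattern = re.compile(failregex.replace("<HOST>", HOST_TAG))
    if "host" not in pattern.groupindex:
        raise ValueError("failregex does not contain a <HOST> tag")
    return pattern


def is_valid_failregex(failregex: str) -> bool:
    """True if the failregex compiles and yields a host group."""
    try:
        compile_failregex(failregex)
        return True
    except (ValueError, re.error):
        return False


def matching_hosts(failregex: str, log_text: str) -> dict:
    """Return {host: number_of_matching_lines} for a failregex applied to log_text.

    Simplification: fail2ban strips the timestamp it detected from each line before
    matching; here the whole line is searched, which is fine for a filter that keys
    on the referrer field as this one does.
    """
    pattern = compile_failregex(failregex)
    hits = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            host = m.group("host")
            hits[host] = hits.get(host, 0) + 1
    return hits


if __name__ == "__main__":
    REFERRER_FILTER = r"<HOST>.*108\.166\.97\.22.*"
    print(matching_hosts(REFERRER_FILTER, SAMPLE_LOG))
    print("lower-case tag valid?", is_valid_failregex(r"<host>.*108\.166\.97\.22.*"))
```

Running it shows the two referrer-carrying sources and their counts, while the ordinary visitor with a different referrer never matches, which is the false-positive check worth doing before the filter goes into a jail.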


Add iptables rules to drop incoming packets from the source IP addresses that you suspect are attacking you. For example, to drop all incoming packets from source IP 123.123.123.123:

iptables -I INPUT -s 123.123.123.123 -j DROP

And to remove a rule:

iptables -D INPUT -s 123.123.123.123 -j DROP

To automate this, you can use Fail2ban, which will also work with other services besides just Apache. Most distros have Fail2ban in the package management system already, so it should be a breeze to install.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Richard Keller

You could use the following script run every minute from a cronjob to ban those IPs that are hitting your web server way too many times.

cat access_log \
   | awk -F' ' -v temper=0.20 '
      // {
         bad_ips[$1]++
      }

      END {
         max_hits = 0;

         for (bad_ip in bad_ips)
            if (max_hits < bad_ips[bad_ip])
               max_hits = bad_ips[bad_ip];

         for (bad_ip in bad_ips)
            if ((max_hits - bad_ips[bad_ip])/max_hits <= temper)
               system("iptables -I INPUT -s " bad_ip " -j DROP")
      }'

You could build in a check to see if the IP you are trying to block has already been blocked, or alternatively, force a logrotate using logrotate -f to start the access_log afresh.

If this is a distributed attack, like it seems to be, then you'll not want to block these IP addresses permanently, but only temporarily as the zombies may wake up when the attack ceases. If you continue blocking, you may block out your normal users!

If you are running anything of significance, try talking to your ISP for help as well. They may be able to identify and block specific traffic or enable some form of IDS before the traffic chews up your bandwidth.

NB: fail2ban is a great solution too. If you've got that working since you posted this question, then keep that instead of this hack.

nearora
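
As an added example (not the answer's own script), the same selection rule re-implemented in Python as a dry run: it counts requests per source IP exactly as the awk does, picks every IP within `temper` of the busiest one, and emits the iptables commands instead of executing them, so the output can be reviewed first. It also implements the two things the answer leaves as suggestions, skipping IPs that are already blocked and lifting bans after a time limit, and goes one step beyond the awk with a `min_hits` floor, because on a quiet server the busiest IP is often just a legitimate visitor. The sample log lines are constructed with documentation addresses; `ttl_seconds` and the helper names are this example's own choices.

```python
import time
from collections import Counter


def _log_line(ip: str, req_id: int) -> str:
    """Build one constructed combined-log line in the shape of the question's log."""
    return (f'{ip} - - [30/May/2012:18:23:45 -0400] "GET /?id={req_id} HTTP/1.1" 200 28 '
            '"http://108.166.97.22/" "Mozilla/5.0"')


# Constructed sample: two busy sources and one ordinary visitor (documentation addresses).
SAMPLE_LOG = "\n".join(
    [_log_line("203.0.113.10", 1338416620414 + i) for i in range(6)]
    + [_log_line("198.51.100.7", 1338416641552 + i) for i in range(5)]
    + [_log_line("192.0.2.55", 1338416647004)]
)


def count_hits(log_text: str) -> Counter:
    """Requests per source IP: the first whitespace-separated field, as in the awk script."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if fields:
            hits[fields[0]] += 1
    return hits


def select_offenders(hits, temper=0.20, min_hits=1):
    """The awk rule: every IP whose count is within `temper` (a fraction) of the busiest IP.

    min_hits is an addition to the awk logic: without it the busiest IP is always
    banned, even when that is one legitimate user on an otherwise idle server.
    """
    if not hits:
        return []
    max_hits = max(hits.values())
    return sorted(ip for ip, n in hits.items()
                  if (max_hits - n) / max_hits <= temper and n >= min_hits)


def ban_commands(offenders, blocked, now, ttl_seconds=900):
    """Dry run: return (updated blocked dict, iptables commands that would be run).

    `blocked` maps IP -> expiry time (epoch seconds). Keeping it gives both things the
    answer asks for: no duplicate rule for an IP already blocked, and temporary bans.
    """
    blocked = dict(blocked)
    cmds = []
    for ip in offenders:
        if ip in blocked:
            continue  # already has a DROP rule; do not insert a second one
        blocked[ip] = now + ttl_seconds
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return blocked, cmds


def expire_bans(blocked, now):
    """Dry run: remove rules whose time-limited ban has lapsed."""
    blocked = dict(blocked)
    cmds = []
    for ip, until in sorted(blocked.items()):
        if until <= now:
            cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
            del blocked[ip]
    return blocked, cmds


if __name__ == "__main__":
    now = time.time()
    hits = count_hits(SAMPLE_LOG)
    offenders = select_offenders(hits, temper=0.20, min_hits=5)
    blocked, cmds = ban_commands(offenders, {}, now)
    print("\n".join(cmds))
    # Sixteen minutes later the 15-minute bans are lifted again.
    blocked, cmds = expire_bans(blocked, now + 16 * 60)
    print("\n".join(cmds))
```

Run from cron, the state dictionary would have to be persisted between runs (a small JSON file is enough); the point of the dry run is that the ban and unban commands are visible and reviewable before anything touches the firewall, which matters for exactly the reason the answer gives: during a distributed attack the busiest addresses change, and a permanent block list drifts toward blocking real users.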