#1 howie2009 (Regular Coder, Ireland, joined May 2009)

    Apache DoS attack or code issue?

    Hi Guys,
I recently had a site hacked with a .js file injected into the code. I removed the offending code but now the website opens sooo slowly. If the Apache server is restarted the website opens perfectly but after a few hours it returns to being veeerrrrrrrrrry slow again. I did a reverse DNS lookup and the other sites on the server don't suffer this speed issue, suggesting it's not a DoS attack. Any ideas of how I get my site working fast again? It's a CMS built using ExpressionEngine.
    Thanks

#2 120 (Regular Coder, UK, joined Nov 2009)
First port of call is to take a look at the logs (in particular the error logs) and see if they shed any light on the issue. The injection of a rogue .js file (presumably through some XSS attack) would affect only the client side and should not slow the server down per se. On the other hand, a large number of requests for it that don't close the connection may do just that.

It may be that you are a victim of a simple reflected attack where miscreants have steered traffic to your site looking for that XSS .js file (look in the (error) logs for anything calling <whateva>.js and now getting a 404 Not Found to confirm this scenario).

    OR..... Perhaps you have a rogue shell on the box, which can be a real PITA. On the plus side, any 'hacker' who has infiltrated your site and made it noticeably slow has done a very bad job which, one would hope, would be pretty straightforward to resolve.

    I'd probably make a note of the time when it is notably slow and look through the access and error logs paying attention to that time slot. A common trick is to put a backdoor or shell on the box by replacing a relatively unvisited file such as some trivial 'about' or language/notes file.

Apache - despite its stability - is easy to hang if an instance gets too many requests that don't close. There is a common attack against Apache servers called 'Slowloris' that makes use of this fact and can, quite literally, take a server down with very little bandwidth. If you have a reasonable number of requests for a missing file that don't close the connection, you can get a similar issue in some circumstances and I'd not be surprised to see a slowing on that particular fork/instance of Apache running the given virtual host.

After all that long-winded guff, the keys to this are logs, logs and logs as your starter for ten. Pay attention to requests for what is *not* there or should not be being called with frequency, plus blocks of repeat IP addresses over and over that don't seem to fit with the normal 'flow' of a visitor.

    HTH
    Last edited by 120; 10-20-2010 at 08:57 PM.
There is always plenty of idle work for the devil's hands to do
    Registered Linux User 475075 : Project Honeypot

  • Users who have thanked 120 for this post:

    howie2009 (10-20-2010)
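One way to do the log triage 120 describes, as an added example that is not from the thread: a short Python script over constructed Apache combined-format lines that counts 404s for .js paths, flags IPs whose requests are mostly 404s, and reports the busiest minute. The sample log lines, addresses and the `min_hits` threshold are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log line: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from the thread): one benign visitor, one client
# repeatedly fetching a script that has since been removed, and one stray 404.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2010:20:01:03 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Oct/2010:20:01:05 +0100] "GET /js/evil.js HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Oct/2010:20:01:06 +0100] "GET /js/evil.js HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Oct/2010:20:01:08 +0100] "GET /js/evil.js?v=2 HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Oct/2010:20:01:09 +0100] "GET /js/evil.js HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Oct/2010:20:02:41 +0100] "GET /about/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Oct/2010:20:03:15 +0100] "GET /language/notes.php HTTP/1.1" 404 312 "-" "curl/7.21"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, min_hits=3):
    """Summarise what the post says to look for: 404s on .js paths,
    IPs whose traffic is mostly 404s, and the minute with the most requests."""
    missing_js, hits, misses, per_minute = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed or truncated lines
        hits[rec["ip"]] += 1
        per_minute[rec["ts"][:17]] += 1  # "dd/Mon/yyyy:HH:MM"
        if rec["status"] == "404":
            misses[rec["ip"]] += 1
            path = rec["path"].split("?", 1)[0]   # drop any query string
            if path.endswith(".js"):
                missing_js[path] += 1
    # an IP with at least min_hits requests, more than half of them 404s, is "noisy"
    noisy = {ip: n for ip, n in hits.items() if n >= min_hits and misses[ip] * 2 > n}
    busiest = per_minute.most_common(1)[0] if per_minute else None
    return {"missing_js": dict(missing_js), "noisy_ips": noisy, "busiest_minute": busiest}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a real box, feed it the vhost's access log (for example `analyze(open("/var/log/apache2/access.log"))`) and compare the busiest minute against the time the site was noticed to be slow.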

#3 howie2009 (Regular Coder, Ireland, joined May 2009)
Thanks very much for taking the time to give such a comprehensive answer. I will look through the logs and see what's up.
    Thanks again. Much appreciated!

