DOS! Attack on vBulletin

[LoverZPoint]

Hello,

well my vbulletin is Under attack i have Contact With my Dedicated hosting provider and i tried DDOS protecting sheild's ETC! everything my dedicated server provider says they can't protect from internel Server attacks Like this its attacking from script to mysql

then some one told me to use litespeed webserver !

i got some screen shots here!


< my site was enabled as you can see in screen shot more then 600 requets in Processing ... those request creating load and attacking to mysql and as you can see its 92% Load on webserver.

on 2nd screen shot i have disabled site i mean forum..





all request going fine to server over 4,000 per/second to 10,000 requests and 0.50 Load...

So what should i do now to stop this f**king Attack!!!

[Lynne]

Take a look at your access_logs and see which script they were accessing. Maybe it was a modification and all you have to do is turn it off.

[snakes1100]

ssh into server, paste in below command and hit return on the kb.

iptables -I INPUT -p tcp -s pakbugs.com -j DROP

If it gives you cmd not found, locate iptables, sometimes if your profile isnt right.

/sbin/iptables -I INPUT -p tcp -s pakbugs.com -j DROP

nano /etc/rc.local and place the above cmd into the file before the "exit 0" and save the file, will be called on any reboot to always block that hostname, regardless of ip.

[LoverZPoint]

Quote:

Originally Posted by Lynne

Take a look at your access_logs and see which script they were accessing. Maybe it was a modification and all you have to do is turn it off.

Hello,

i have tried Everything ! Disable all plugins etc.. i also tried nginx Web server, Lighttpd, IIS, and now Litespeed ..

well all users access to index.php .... !
i was using before 3.7.2 i upgraded to 3.8.4 BUt no Luck!

[CarlitoBrigante]

You would need a very fast admin working throughout the time of the attack on your server to effectively limit the effects of the attack on the machine.

Mod evasive might also help, and even some software firewalls like APF have some auto-detection mechanism that can stop a small percentage of the attacks. Both are very easy to install, and free - but again, if the attacker knows what he is doing, they won't help much.

http://www.zdziarski.com/projects/mod_evasive/ (recommend reading: http://www.eth0.us/mod_evasive)
http://www.rfxn.com/?page_id=44

Mod Evasive can theoretically be left always on in your server, even after the attack, even though it must be carefully configured or it will stop legitimate connections and thus cut your traffic and annoy your users.

[Hell Bomb]

i would suggest installing view guests ip addresses and blocking individual ip addresses that are sending more then 100 requests a second.

[toonysnn]

Quote:

Originally Posted by snakes1100

ssh into server, paste in below command and hit return on the kb.

iptables -I INPUT -p tcp -s pakbugs.com -j DROP

If it gives you cmd not found, locate iptables, sometimes if your profile isnt right.

/sbin/iptables -I INPUT -p tcp -s pakbugs.com -j DROP


nano /etc/rc.local and place the above cmd into the file before the "exit 0" and save the file, will be called on any reboot to always block that hostname, regardless of ip.

If you have not already done so, I would suggest this. But, I'm assuming that the attack is over.