higgalls (posted January 3, 2005): Hey, I need some help. I am running 2.2 MS2 on a Windows Server (I'm moving to a Unix server within the next month). I have experienced massive spikes in my network traffic twice in the past month or so. The first time I had a peak up to about 50kb/s (I only have around 150-200 people coming per day to my site, so something that high is massive). The second time was only a week or so ago, but this time it lasted for a few days before we noticed. I ended up tracing it back to an IP address through my website statistics, and through the "who's online" page in the Admin section. That IP address had caused 1.3GB of traffic to my website, which is massive (this is over 3 days I think). When looking at the "Who's Online" section, I looked at the shopping cart contents of that person's IP address, and there was over $600,000 worth of stuff in the shopping cart. During the second attack, I renamed the Admin section (and totally stopped all access to that folder), but the attack continued (traffic was sitting at around 20kb/s, which is still WAY above normal). So, I figured out that the Admin folder is not where the attack is taking place. Because the person had shopping cart contents, it didn't seem like such a 'dodgy' attack as they were actually doing things to the site like a normal customer. In the first attack, my webhosting company stopped my website, and then restarted it, but the attack would still continue (it was also using up all the available RAM, and the 2 CPUs in the server were at 100% usage). Stopping the PHP did not seem to help at all. Does anyone have any idea how this could have happened? We ended up banning the IP address at the firewall (and shutting down the site for 12 hours), and it hasn't happened since then, but want to know how to stop it in the future. No files seemed to be changed either. Any ideas would be greatly appreciated. Cheers, Chris :)
boxtel (posted January 3, 2005, quoting higgalls' post above): If the IP just adds a lot to their cart, that's not hacking, that's Christmas shopping. Are you sure you are not enabling spiders to do some serious shopping? Treasurer MFC
higgalls (posted January 3, 2005):
> if the IP just adds a lot to their cart, that's not hacking, that's christmas shopping. Are you sure you are not enabling spiders to do some serious shopping ?
But it has only happened twice, so I don't see how it could be a spider. And spiders do not add things to a shopping cart, do they? (it was adding things of different quantities also). But a spider will not cause 100% CPU usage across 2 CPUs (and we are talking about this attack lasting for 3 days in the latest instance of the attack). Also, if it was a spider, it would have timed out after a certain period of time (especially when we disabled the website, but once re-enabling the website the attack started going again with the first attack). I also tried seeing if the IP address went to a website, but it didn't. I also did a search on Google with the IP address, but didn't find anything linking it to any legitimate website. The IP Address was 69.42.73.75. I know that IP addresses can change, so obviously blocking it is only a temporary fix. Cheers, Chris
boxtel (posted January 3, 2005, quoting higgalls' post above): Well, yes, spiders can add to the shopping cart. If the spider is not in your spiders.txt file, osc will issue it a sessionid and thus they can add to the cart. A reason to keep that file up to date. And even then, some spiders don't even use agents. Adding different quantities, strange, unless they add the same product twice which would increase the cart quantity. The RAM and CPU usage, I have no idea because that cannot be controlled by any client, just you. Might install bandwidth controllers for apache. And no, spiders will not simply go away because you disable the site for a while, they have no emotions.

Ran a trace on the IP, no info:

Target: 69.42.73.75
Date: 1/3/2005 (Monday), 8:07:32 PM
Nodes: 13

Node Data
Node  Net  Reg  IP Address    Location            Node Name
1     -    -    192.168.0.1   24.000N, 120.000E   CRYSTAL-LIGHT-SERVER
2     -    -    0.0.0.0       Unknown             No Response
3     -    -    0.0.0.0       Unknown             No Response
4     -    -    0.0.0.0       Unknown             No Response
5     -    -    0.0.0.0       Unknown             No Response
6     -    -    0.0.0.0       Unknown             No Response
7     -    -    0.0.0.0       Unknown             No Response
8     -    -    0.0.0.0       Unknown             No Response
9     -    -    0.0.0.0       Unknown             No Response
10    -    -    0.0.0.0       Unknown             No Response
11    -    -    0.0.0.0       Unknown             No Response
12    -    -    0.0.0.0       Unknown             No Response
13    1    -    69.42.73.75   Unknown

Packet Data
Node  High  Low   Avg   Tot  Lost
1     0     0     0     1    0
2     ----  ----  ----  2    2
3     ----  ----  ----  2    2
4     ----  ----  ----  2    2
5     ----  ----  ----  2    2
6     ----  ----  ----  2    2
7     ----  ----  ----  2    2
8     ----  ----  ----  2    2
9     ----  ----  ----  2    2
10    ----  ----  ----  2    2
11    ----  ----  ----  2    2
12    ----  ----  ----  2    2
13    268   268   268   1    0

Network Data
Network id#: 1
OrgName:    Webair Internet Development Inc
OrgID:      WAIR
Address:    333 Jericho Tpke
Address:    Suite 200
City:       Jericho
StateProv:  NY
PostalCode: 11753
Country:    US

Registrant Data

Treasurer MFC
bglkk (posted January 3, 2005): 1.3GB over three days is not enough traffic to cause 100% CPU usage across two CPUs, something else is going on. Appears to be originating from a hosting company, maybe you could contact them. "Buy the ticket, take the ride..." -HST
chiefwes (posted January 3, 2005):

Search results for: 69.42.73.75

OrgName:    Webair Internet Development Inc
OrgID:      WAIR
Address:    333 Jericho Tpke
Address:    Suite 200
City:       Jericho
StateProv:  NY
PostalCode: 11753
Country:    US

NetRange:   69.42.64.0 - 69.42.95.255
CIDR:       69.42.64.0/19
NetName:    WEBAIRINTERNET2
NetHandle:  NET-69-42-64-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.WEBAIR.NET
NameServer: NS2.WEBAIR.NET
Comment:
RegDate:    2003-04-25
Updated:    2004-01-22

NOCHandle:  ZW64-ARIN
NOCName:    IPAdmin-Webair
NOCPhone:   +1-516-938-4100
NOCEmail:   [email protected]

OrgNOCHandle: ZW64-ARIN
OrgNOCName:   IPAdmin-Webair
OrgNOCPhone:  +1-516-938-4100
OrgNOCEmail:  [email protected]

OrgTechHandle: ZW64-ARIN
OrgTechName:   IPAdmin-Webair
OrgTechPhone:  +1-516-938-4100
OrgTechEmail:  [email protected]

# ARIN WHOIS database, last updated 2005-01-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Guest (posted January 3, 2005): Contact them via phone (email usually works best) and see what they say.
higgalls (posted January 3, 2005):
> contact them via phone (email usually works best) and see what they say
Yeah I think I might email them later today/tonight when I get the time, and see if they can give me any more insight into what might have been happening. I know the first attack definitely caused the CPU usage to peak up to about 100% for a while (well between 90% and 100%), and as soon as they stopped my website it would return down to normal levels, and when my website was started again, it would start peaking at high levels again. My webhosting company took screenshots for me. I'm not sure whether the second attack caused the CPUs to peak near 100% or not though. As for the shopping cart contents, some had a quantity of 1, some had a quantity of 2, and some had a quantity of 3. Below are the stats of my website between the dates of 20th of December and 31st of December (the attacks were on the 24-26th of December):

Date          Visits  Pages   Hits   Bandwidth
20 Dec 2004      234   3211  10811   126.48 MB
21 Dec 2004      204   3088   9808   168.72 MB
22 Dec 2004      242   3109  10748   229.04 MB
23 Dec 2004      195   2672   8735   272.65 MB
24 Dec 2004      128   2433   6587   354.22 MB
25 Dec 2004      216   9258  14608   647.60 MB
26 Dec 2004      283   9741  15569   571.56 MB
27 Dec 2004      247   4437  11422   172.97 MB
28 Dec 2004      256   2623  12699   106.66 MB
29 Dec 2004      207   2109   9323    85.29 MB
30 Dec 2004      188   1457   8313    65.35 MB
31 Dec 2004      155   1709   7482    67.35 MB

If you notice in the stats above, the Bandwidth increased greatly, but the visits did not really increase. Cheers, Chris :)
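The daily figures above show the pattern Chris describes: bandwidth rises three- to fivefold while visits stay flat, which is the signature of a few clients pulling many pages each. The following is an added example, not part of the thread and not osCommerce code, that turns that observation into two checks a site owner can run: it flags days whose bandwidth per visit is far above the period's median, using the exact numbers posted, and it attributes a spike to individual client addresses from Apache combined-format access-log lines. The log lines, IP addresses (documentation ranges) and function names are constructed for the example.

```php
<?php
// Added example, not from the thread or from osCommerce.
//  1. flag days whose MB-per-visit is far above the period's median;
//  2. attribute a spike to the client addresses that generated it.
declare(strict_types=1);

// Daily figures exactly as posted in the thread: visits and bandwidth in MB.
const DAILY = [
    '2004-12-20' => [234, 126.48], '2004-12-21' => [204, 168.72],
    '2004-12-22' => [242, 229.04], '2004-12-23' => [195, 272.65],
    '2004-12-24' => [128, 354.22], '2004-12-25' => [216, 647.60],
    '2004-12-26' => [283, 571.56], '2004-12-27' => [247, 172.97],
    '2004-12-28' => [256, 106.66], '2004-12-29' => [207,  85.29],
    '2004-12-30' => [188,  65.35], '2004-12-31' => [155,  67.35],
];

/** Median of a list of floats. */
function median(array $values): float
{
    sort($values);
    $n = count($values);
    $mid = intdiv($n, 2);
    return $n % 2 === 1 ? $values[$mid] : ($values[$mid - 1] + $values[$mid]) / 2;
}

/** Days whose MB-per-visit exceeds $factor times the median ratio. */
function anomalousDays(array $daily, float $factor = 2.0): array
{
    $ratios = [];
    foreach ($daily as $date => [$visits, $mb]) {
        $ratios[$date] = $mb / max($visits, 1);   // MB per visit
    }
    $threshold = $factor * median(array_values($ratios));
    $flagged = [];
    foreach ($ratios as $date => $ratio) {
        if ($ratio > $threshold) {
            $flagged[$date] = round($ratio, 2);
        }
    }
    return $flagged;
}

/**
 * Sum requests and response bytes per client IP from combined-format log
 * lines: host ident user [time] "request" status bytes "referer" "agent".
 */
function bytesPerClient(array $lines): array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (\d+|-)/';
    $totals = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                              // skip malformed lines
        }
        $ip    = $m[1];
        $bytes = $m[2] === '-' ? 0 : (int) $m[2];
        if (!isset($totals[$ip])) {
            $totals[$ip] = ['requests' => 0, 'bytes' => 0];
        }
        $totals[$ip]['requests']++;
        $totals[$ip]['bytes'] += $bytes;
    }
    uasort($totals, function (array $a, array $b): int {
        return $b['bytes'] <=> $a['bytes'];        // heaviest client first
    });
    return $totals;
}

// Constructed sample log lines; 203.0.113.5 plays the single heavy client.
$log = [
    '203.0.113.5 - - [25/Dec/2004:03:14:07 +1000] "GET /index.php?action=buy_now&products_id=41 HTTP/1.0" 302 - "-" "-"',
    '203.0.113.5 - - [25/Dec/2004:03:14:08 +1000] "GET /shopping_cart.php HTTP/1.0" 200 48211 "-" "-"',
    '198.51.100.7 - - [25/Dec/2004:03:15:01 +1000] "GET /index.php HTTP/1.1" 200 22140 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [25/Dec/2004:03:15:09 +1000] "GET /product_info.php?products_id=42 HTTP/1.0" 200 51870 "-" "-"',
    'garbage line that does not parse',
];

echo "Days with bandwidth-per-visit above 2x the median:\n";
foreach (anomalousDays(DAILY) as $date => $ratio) {
    echo "  $date  {$ratio} MB/visit\n";           // 24, 25 and 26 Dec
}
echo "Bytes per client:\n";
foreach (bytesPerClient($log) as $ip => $t) {
    echo "  $ip  {$t['requests']} requests  {$t['bytes']} bytes\n";
}
```

Run on the posted numbers, the first check flags 24, 25 and 26 December and nothing else (the median is about 0.76 MB per visit; the 23rd, at 1.4, stays under the 2x threshold). The second check is what the "who's online" page gave Chris by hand: the client with the largest byte total, which is the address to hand to the hosting company's abuse contact along with the log lines.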
user99999999 (posted January 3, 2005): Those days would have been the Santy worm or variants attacking your site. An unknown spider/bot/etc can add stuff to the cart with the buy now button since it is only a link and not in a form.
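Two replies above make the same point from different angles: boxtel notes that a crawler absent from spiders.txt is issued a session and can therefore accumulate a cart, and user99999999 notes that "buy now" is a plain link, so anything that follows links can add items. The following is an added example, not osCommerce's own code, showing both controls in one place: a spiders.txt-style User-Agent list that decides whether a visitor gets a cart session at all, and a rule that refuses to change the cart on a GET request. The list contents, the assumed file format (one substring per line, `#` comments), the request samples and the function names are constructed for the example; treating an empty User-Agent as a crawler is stricter than stock behaviour and is this example's own choice.

```php
<?php
// Added example, not osCommerce code: gate sessions on a spiders.txt-style
// list and refuse cart mutations that arrive by GET.
declare(strict_types=1);

/**
 * Parse a spiders.txt-style list: one lowercase User-Agent substring per
 * line; blank lines and lines starting with '#' are ignored (assumed format).
 */
function loadSpiderList(string $contents): array
{
    $patterns = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = strtolower(trim($line));
        if ($line !== '' && $line[0] !== '#') {
            $patterns[] = $line;
        }
    }
    return $patterns;
}

/**
 * True when the request should be treated as a crawler and given no session.
 * Stricter than stock behaviour (an assumption of this example): an empty
 * User-Agent also counts as a crawler, since some bots send none.
 */
function looksLikeSpider(string $userAgent, array $patterns): bool
{
    $ua = strtolower(trim($userAgent));
    if ($ua === '') {
        return true;
    }
    foreach ($patterns as $needle) {
        if (strpos($ua, $needle) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Cart-changing actions must arrive by POST. A crawler only follows links
 * (GET), so a "buy now" anchor stops being a way to add items.
 */
function cartChangeAllowed(string $method, string $action): bool
{
    $mutating = ['buy_now', 'add_product', 'update_product', 'remove_product'];
    if (!in_array($action, $mutating, true)) {
        return true;                       // not a cart mutation; nothing to gate
    }
    return strtoupper($method) === 'POST';
}

// Constructed sample list in the one-substring-per-line format.
$spiders = loadSpiderList("# constructed example list\ngooglebot\nmsnbot\nslurp\n");

// Constructed sample requests: a browser, a named crawler and an agent-less bot.
$requests = [
    ['GET',  'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', 'product_info'],
    ['POST', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', 'buy_now'],
    ['GET',  'Googlebot/2.1 (+http://www.google.com/bot.html)',    'buy_now'],
    ['GET',  '',                                                   'buy_now'],
];

foreach ($requests as [$method, $ua, $action]) {
    $session = looksLikeSpider($ua, $spiders) ? 'no session (crawler)' : 'session issued';
    $cart    = cartChangeAllowed($method, $action) ? 'cart change allowed' : 'cart change refused';
    printf("%-4s %-13s %-21s %s\n", $method, $action, $session, $cart);
}
```

The two checks are independent on purpose. The agent list is a courtesy filter that well-behaved crawlers pass; the POST rule is what actually stops link-following software from filling a basket, whatever it calls itself, which matters for the agent-less bots boxtel mentions.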
bglkk (posted January 3, 2005): Hi: It would be interesting to see the hourly bandwidth usage report for those three days. I'm amazed that 647.60MB of bandwidth in one day could push dual CPUs that hard. I guess it depends on how concentrated the attacks were...but still, that just isn't that much total bandwidth. As a point of reference, my RH Linux server with its modest little site is averaging roughly 1.5GB a day on a single old AMD Athlon XP 1800+, and it never breaks a sweat (CPU usage typically around 4.0-4.5%). I just wonder if your server does not have some issues. "Buy the ticket, take the ride..." -HST
♥Vger (posted January 3, 2005):
> I just wonder if your server does not have some issues.
Well, it depends how many other sites are on that server, and whether or not they were all under attack by the Santy worm, or the phpInclude worm at that time. What's most important is to find out what version of php the server is running. If it's 4.3.9 or lower then it remains open to attack by the phpInclude worm. Only 4.3.10 and 5+ are deemed safe - but even they are at risk if they are running any insecure scripts on them, or if register_globals is enabled. The site wasn't being 'hacked' by that ip address. That belongs to a web hosting company which allows its users unlimited bandwidth allowance, so it wasn't someone hotlinking images/files or whatever (no need for it). Far more likely that the other server was being used to send out the Santy worm after being compromised itself. Vger
higgalls (posted January 3, 2005, quoting Vger's post above): Just found out that the server has PHP 4.3.4 on it (bit of a dinosaur). I believe Register_globals is enabled because otherwise my site doesn't work. Cheers, Chris :)
higgalls (posted January 3, 2005): Also, I do have phpbb2 forums running (which the Santy worm attacks), but it has been patched to stop the vulnerability that the Santy worm was using. So I don't think it could have been that worm, unless there is a variant of the Santy worm that attacks oscommerce (instead of phpbb2). Cheers, Chris :)
user99999999 (posted January 3, 2005): The phpinclude worm attacked all php pages, I saw it on the 25th.
♥Vger (posted January 3, 2005): Unfortunately osCommerce has a function called 'unserialize' (you'll see it in your files as 'decode'), which is vulnerable to the phpInclude worm. However, I can't find out if it's actually used anywhere - so may be safe after all. The only protection is to have php 4.3.10 or php5 on the server, lock down the 'admin' behind ssl, and if you have your own local php.ini file to turn off Register Globals in that and install the register_globals contribution. Vger
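Vger's advice above rests on two things worth seeing in code: why register_globals turns any variable a script forgets to initialise into one the client can set, and why data that arrives from the client must not be fed to unserialize(). The following is an added example, not osCommerce code and not a description of how its 'decode' function works; it puts the vulnerable shape beside the hardened one. The function names and sample inputs are constructed, and extract() with EXTR_SKIP is used only to emulate what register_globals did, so the example runs with register_globals off.

```php
<?php
// Added example, not osCommerce code: register_globals hazard and its fix,
// and a client-data decoder that avoids unserialize().
declare(strict_types=1);

// ---- Vulnerable shape (what register_globals = On made possible) ----
// With register_globals, every request parameter became a PHP variable before
// the script ran. extract() with EXTR_SKIP emulates that here.
function adminAllowedRegisterGlobals(array $requestParams, bool $loggedInAsAdmin): bool
{
    extract($requestParams, EXTR_SKIP);     // emulates register_globals
    if ($loggedInAsAdmin) {
        $authorized = true;                 // only set on the happy path ...
    }
    return !empty($authorized);             // ... but may already exist from ?authorized=1
}

// ---- Hardened shape ----
// Initialise before use; nothing from the request can reach $authorized.
// Client input, when needed, is read explicitly from $_GET / $_POST.
function adminAllowedHardened(bool $loggedInAsAdmin): bool
{
    $authorized = false;                    // explicit initialisation
    if ($loggedInAsAdmin) {
        $authorized = true;
    }
    return $authorized;
}

// ---- Cart data from the client: never unserialize() it ----
// unserialize() on attacker-controlled bytes is a known object-injection
// risk. Decode a restricted format and validate the shape instead.
function decodeCart(string $raw): array
{
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return [];                          // not a JSON object: empty cart
    }
    $cart = [];
    foreach ($data as $productId => $qty) {
        // product ids must be digits only; quantities small positive integers
        if (ctype_digit((string) $productId) && is_int($qty) && $qty >= 1 && $qty <= 99) {
            $cart[(int) $productId] = $qty;
        }
    }
    return $cart;
}

// Constructed request: what ?authorized=1 would have registered as $authorized.
$forged = ['authorized' => '1'];

printf("register_globals shape, not logged in, forged param: %s\n",
    adminAllowedRegisterGlobals($forged, false) ? 'ALLOWED (bug)' : 'denied');
printf("hardened shape,         not logged in, forged param: %s\n",
    adminAllowedHardened(false) ? 'ALLOWED (bug)' : 'denied');

// Constructed cart payload: only "41": 2 survives validation.
print_r(decodeCart('{"41":2,"9":"x","abc":1,"12":500}'));
```

The hardened check has no code path in which request data touches the authorisation flag, which is the property the register_globals contribution Vger mentions tries to restore site-wide: with globals off, a script that forgot to initialise a variable gets an empty value, not a client-chosen one. The decoder applies the same idea to the cart: accept only the shape you expect (integer product ids, bounded integer quantities) and drop everything else.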
higgalls (posted January 5, 2005, quoting chiefwes' WHOIS lookup above): I've emailed them to see if they know what was going on, so maybe they will be able to show some more insight into why this happened. The new Unix server I am transferring my site to has PHP 4.3.10, so it looks like it will be fine for the phpInclude worm. Cheers, Chris :)