[cobalt-security] webserver down
- Subject: [cobalt-security] webserver down
- From: "Kai r. s., euroweb as" <kai@xxxxxxxxxx>
- Date: Sun, 24 Mar 2002 01:44:47 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,
I have a big problem that brings my web server down and that is 200-300
connections from inside the server. It takes all the memory and the CPU.
Taking a netstat it shows 200-300 like this (same IP on both sides):
tcp 0 0 213.225.xx.xx:3923 213.225.xx.xx:80 ESTABLISHED 7219/httpd
tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3922 ESTABLISHED 7219/httpd
tcp 0 0 213.225.xx.xx:3922 213.225.xx.xx:80 ESTABLISHED 7218/httpd
tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3921 ESTABLISHED 7218/httpd
tcp 0 0 213.225.xx.xx:3921 213.225.xx.xx:80 ESTABLISHED 7216/httpd
tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3920 ESTABLISHED 7216/httpd
tcp 0 0 213.225.xx.xx:3920 213.225.xx.xx:80 ESTABLISHED 7214/httpd
tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3919 ESTABLISHED 7214/httpd
tcp 0 0 213.225.xx.xx:3919 213.225.xx.xx:80 ESTABLISHED 7212/httpd
Typing a ps -l "pid" on any of the 2-300 ps shows:
root# ps -l 7104
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
140 S 15 7104 1 0 60 0 - 3695 do_sel ? 0:00 /usr/sbin/httpd -f /etc/httpd/conf/http
Is there someone who could help me with a way to localize where and who
starts these processes?
And is there a way to limit the amount of connections made by something like
this script or whatever is doing this?
When restarting the server it only takes a few minutes until there are
200-300 connections like this.
I have been forced to shut down the web server on this raq until I can find
a way to stop this "attack".
Regards
K schantz
euroweb
Norway
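
One way to approach the question of which process starts these connections, as an added example that is not part of the original message: every self-connection shows up twice in netstat, so pairing the two ends by ephemeral port tells which httpd PID opened it and which one accepted it. The sample lines are constructed in the format quoted above, with documentation addresses in place of the masked IP, and the function name is hypothetical.

```python
import re

# Constructed sample in the `netstat -tnp` format quoted in the post.
# 192.0.2.10 stands in for the masked server IP; the last line is a
# constructed outside client so the chain has a visible starting point.
SAMPLE = """\
tcp 0 0 192.0.2.10:3923 192.0.2.10:80 ESTABLISHED 7219/httpd
tcp 0 0 192.0.2.10:80 192.0.2.10:3922 ESTABLISHED 7219/httpd
tcp 0 0 192.0.2.10:3922 192.0.2.10:80 ESTABLISHED 7218/httpd
tcp 0 0 192.0.2.10:80 192.0.2.10:3921 ESTABLISHED 7218/httpd
tcp 0 0 192.0.2.10:3921 192.0.2.10:80 ESTABLISHED 7216/httpd
tcp 0 0 192.0.2.10:80 198.51.100.7:51514 ESTABLISHED 7216/httpd
"""

LINE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)/\S+"
)

def self_connection_chain(netstat_text, service_port=80):
    """Return (edges, roots) for connections the host makes to itself.

    edges: (opener_pid, acceptor_pid, ephemeral_port), sorted.
    roots: PIDs that open a self-connection but are not seen accepting one.
    """
    openers, acceptors = {}, {}  # ephemeral port -> PID owning that end
    for line in netstat_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        l_ip, l_port, r_ip, r_port, pid = m.groups()
        l_port, r_port, pid = int(l_port), int(r_port), int(pid)
        if l_ip != r_ip:
            continue  # traffic from another host, not a self-connection
        if r_port == service_port:
            openers[l_port] = pid    # local end is the client side
        elif l_port == service_port:
            acceptors[r_port] = pid  # local end is the server side
    edges = sorted((openers[p], acceptors[p], p)
                   for p in openers if p in acceptors)
    roots = sorted(set(openers.values()) - {srv for _, srv, _ in edges})
    return edges, roots

if __name__ == "__main__":
    edges, roots = self_connection_chain(SAMPLE)
    for opener, acceptor, port in edges:
        print(f"httpd {opener} -> httpd {acceptor} (source port {port})")
    print("chain starts at PID(s):", roots)
```

On live output, a PID reported under roots is the child to inspect first, since every other httpd in the chain is only answering a request made by another httpd.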