e107 has virus, your phpnuke might go down as well

registered · Posted: Mon Jun 28, 2010 3:24 pm

Hi all,

today our apache went on his knees with 99.9% CPU

Investigation revealed a heavy attack to contact.php (anywhere) to compromise e107 based websites.

Although our Dragonfly CMS doesn't have such file, Apache couldn't handle all requests fast enough.

More info: [ Only registered users can see links on this board! Get registered or login! ]

Posted: Tue Jun 29, 2010 9:51 am

e107 fanboys went on the defensive. Not much to say on the topic but I know the server I'm hosted on hiccuped a little yesterday. Most likely the same sort of thing you experienced though my site wasn't the one getting clobbered with requests.

Posted: Sat Jul 03, 2010 8:19 pm

Hi Dj,

If I could, I'd make a few suggestions:

1, change from apf to csf(much more concise and supported firewall rules).

2, add mod_security to your apache build(if not already there).

3, add mod_prefork, which will allow you to limit the number of children able to be generated per connection.

If you tweak mod_prefork correctly and have csf enabled, each ip will have to make a number of connections in order to get any form of result from any attack.

By that time csf will catch them automatically for too many connections and block them.

mod_security is just a good idea.

now, I personally tweak the hell out of csf, and force it to not only block the ip via iptables, I also tell it to route block them.

route add {ip} reject
When you do this, the server no longer responds to their request at all.

When just done through iptables, the server replies with a "I can't talk to you" packet, thus still creating a 2 way communication.

With route blocking, the sending computer will get absolutely no reply(as if the server was offline), and then it will not be able to open a communication with the server, and no longer send requests.

Posted: Wed Jul 07, 2010 12:19 am

Thanks gregexp, we will look into it!