
Network Gurus, how do I track down an attack on my site?

nzimmers

Member
hey guys, if any of you are sys admins and have experience with this I would appreciate it: I am a total neophyte, although I have set up my own server (win 2003) and have a site running php/mysql.

the website I run is on a small personal machine, which allows me to have a blog and do podcasting and streaming audio.

The website I host is highly critical of a company in Japan that recruits in the UK, US, and Australia. (if any of you are thinking of working for NOVA in Japan....don't do it!)


anyways, yesterday, my server (which is behind a router and firewall that only has port 80 forwarded to the server) had multiple connections sweeping the ports, over 200KB/s of activity which was maxing out my connection completely....kind of like a DOS attack....not sure....but my hard drive was going like crazy, never heard anything like that.

There are "for-profit" recruiters for this company in Australia (which is where the attack's IP originates from) and I'm sure they don't like my site at all, so I feel it's likely they put someone up to this.

I have sent the ISP an email and now I have a secondary software firewall running but I am not sure that is enough.

any advice on how I proceed from here? I want to

a) protect my server and keep my "anti-Nova Japanese company in Japan that exploits Americans" website up.

b) find out who these Moe-Foes are and take legal action against them if possible

thanks guys

 
Was it a one-time attack (i.e. hasn't happened before and hasn't happened since)?

If so, it could just as easily have been some script kiddie playing around thinking he's a 'l337 haxor d00d' as it could be an intentional attack against your site. You have already contacted the originating ISP, and it's pretty much up to them to do something about it.

It's also possible it was just a virus doing random port scans, which happens all day every day for many people. My router blocks about 500-2000+ random 'probes' per day on my IP address, and I don't even run a web host on it any more (hasn't been hosted locally for more than a year).

If there was any criminal action taken (stolen ID, money, etc.), or intentional damage done to the site, then you could also contact the authorities but it's not likely they would be able to do anything unless it was an obvious, and repeated, attack.
 
I've had poor luck with complaining to ISPs about malicious activity (even after providing lengthy logs of attempted brute-force attacks). I usually examine the activity and depending where the source IP is originating from, I may block an individual IP or an entire block.

Since you're running Windows Server 2003 you can expect to get hit with every known exploit by some assclown. Make damn sure your updates are happening right away.

Since you said your HD was freaking out and your connection was maxed out take a GOOD look at your IIS logs and figure out what the hell was going on (if it was logged..).

Also, you may want to think about turning off ICMP requests on your router if someone is trying to flood you with ping requests.

On the IIS5 & 6 servers I'm running I also have SecureIIS installed (well, actually the guy I work with installed it - I mostly deal w/ my Slackware server). Anyway, it's a decent package.

http://www.secureiis.com/html/

- hth
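As an added example (not from any poster in this thread) of the IIS log review suggested above: a small Python script that parses IIS 6 W3C extended log lines using the #Fields header, totals requests, bytes served and 4xx responses per client IP, and ranks the busiest clients so a flood or sweep stands out and the address can be blocked at the router. The log lines and IP addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample in IIS 6 W3C extended log format (not a real log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes cs-bytes time-taken
2007-03-14 09:00:01 203.0.113.5 GET /index.php 200 4120 310 15
2007-03-14 09:00:01 203.0.113.5 GET /index.php 200 4120 310 12
2007-03-14 09:00:02 203.0.113.5 GET /admin/ 404 1405 298 3
2007-03-14 09:00:02 203.0.113.5 GET /setup/ 404 1405 299 2
2007-03-14 09:00:02 203.0.113.5 GET /old/ 404 1405 294 2
2007-03-14 09:00:03 203.0.113.5 GET /test.php 404 1405 297 2
2007-03-14 09:00:05 198.51.100.7 GET /podcast/ep01.mp3 200 812340 344 9800
2007-03-14 09:00:09 198.51.100.7 GET /blog/ 200 6210 320 20
2007-03-14 09:00:10 garbage line
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS writes a fresh header after each restart
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed lines instead of crashing
        yield dict(zip(fields, parts))

def summarize(records):
    """Per-client totals: request count, bytes served, and 4xx responses."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "errors_4xx": 0})
    for r in records:
        s = stats[r["c-ip"]]
        s["requests"] += 1
        s["bytes_sent"] += int(r["sc-bytes"])
        if r["sc-status"].startswith("4"):
            s["errors_4xx"] += 1
    return dict(stats)

def top_talkers(text, min_requests=5):
    """Clients at or above the request threshold, busiest first (candidates to block)."""
    stats = summarize(parse_w3c(text))
    hits = [(ip, s) for ip, s in stats.items() if s["requests"] >= min_requests]
    return sorted(hits, key=lambda item: item[1]["requests"], reverse=True)
```

Run it against a real log with `top_talkers(open(path).read())`; a client with many requests and a high share of 404s in a short window is the pattern to look for before adding a block rule.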