is my site hacked - apache max client reaches in 1 minute after restart

5 posts / 0 new
Topic locked
Last post
#1 Mon, 06/14/2010 - 11:12
ssomu007

is my site hacked - apache max client reaches in 1 minute after restart

all of sudden my website stopped working

when i try to restart apache - it stays for 1 to 5 minutes and site hangs.

tried all options to increase max clients and no use. when i increase max clients

site stays for some time and after that apache occupies all the allocated numbers and hangs.

tried restore site no use.

can someone help me.

Mon, 06/14/2010 - 11:22
andreychek

Howdy,

Your Apache server reaching the MaxClients doesn't imply that your site is hacked... it may suggest that you're getting lots of web traffic :-) It's also possible that a particular page on your site is taking a long time to complete (or some combination of the above!).

So, determining the problem... could your site have been advertised somewhere that generates a lot of traffic?

It's also possible that it's related to a denial of service attack.

What you can do is look in the Apache logfiles (~/logs/access_log), and see what sort of information is in there.

Do you see one particular IP address showing up repeatedly? If so, that IP may be causing the problem, and you may want to block them.

-Eric

Mon, 06/14/2010 - 13:12
ssomu007

Thanks Eric for responding to my question, this is first time i am on this forum,

i paid for a traffic service 2 weeks ago, do you think it is causing due to that is there anything i can do to prevent this.

i collected 2 sets of ips,. pl see attchment using netstat command.

all these are with starting block as 114 or 118 is it possible thru virtualmin to block these and see if that solves issue

if not do i need to use iptables, i tried but it gave error i think i did not do correctly see attched iptables file if i am doing anything wrong.

i wihch if there is a option to block range of ips / blcik individual ips in virtualmin that is great if not do you know how to change iptables file

please help

Mon, 06/14/2010 - 13:20
ronald
ronald's picture

if you buy traffic then you get traffic.
is your server optimised to receive a lot of traffic?
If not you may want a HTML landing page as it would be serve up the quickest

Mon, 06/14/2010 - 17:47
andreychek

Well, I would probably try and spend some time figuring out what exactly those IP's are accessing. Amongst other things, you can do as Ronald mentioned and put up a static HTML site if they're hitting a particular part of your website hard.

However, if you're looking to block some IP's, there's a number of ways to do that... an easy way is with the "route" command.

To block the 10.0.0.0 network, for example, you can type this command as root:

route add -net 10.0.0.0 netmask 255.0.0.0 reject

Just make sure you really don't want that traffic before blocking the IP's :-)

-Eric

Topic locked