is my site hacked - apache max client reaches in 1 minute after restart

ssomu007 · June 14, 2010, 4:12pm

all of sudden my website stopped working

when i try to restart apache - it stays for 1 to 5 minutes and site hangs.

tried all options to increase max clients and no use. when i increase max clients

site stays for some time and after that apache occupies all the allocated numbers and hangs.

tried restore site no use.

can someone help me.

Eric · June 14, 2010, 4:22pm

Howdy,

Your Apache server reaching the MaxClients doesn’t imply that your site is hacked… it may suggest that you’re getting lots of web traffic It’s also possible that a particular page on your site is taking a long time to complete (or some combination of the above!).

So, determining the problem… could your site have been advertised somewhere that generates a lot of traffic?

It’s also possible that it’s related to a denial of service attack.

What you can do is look in the Apache logfiles (~/logs/access_log), and see what sort of information is in there.

Do you see one particular IP address showing up repeatedly? If so, that IP may be causing the problem, and you may want to block them.

-Eric

ssomu007 · June 14, 2010, 6:12pm

Thanks Eric for responding to my question, this is first time i am on this forum,

i paid for a traffic service 2 weeks ago, do you think it is causing due to that
is there anything i can do to prevent this.

i collected 2 sets of ips,. pl see attchment using netstat command.

all these are with starting block as 114 or 118
is it possible thru virtualmin to block these and see if that solves issue

if not do i need to use iptables, i tried but it gave error i think i did not do correctly
see attched iptables file if i am doing anything wrong.

i wihch if there is a option to block range of ips / blcik individual ips in virtualmin
that is great if not do you know how to change iptables file

please help

ronald · June 14, 2010, 6:20pm

if you buy traffic then you get traffic.
is your server optimised to receive a lot of traffic?
If not you may want a HTML landing page as it would be serve up the quickest

Eric · June 14, 2010, 10:47pm

Well, I would probably try and spend some time figuring out what exactly those IP’s are accessing. Amongst other things, you can do as Ronald mentioned and put up a static HTML site if they’re hitting a particular part of your website hard.

However, if you’re looking to block some IP’s, there’s a number of ways to do that… an easy way is with the “route” command.

To block the 10.0.0.0 network, for example, you can type this command as root:

route add -net 10.0.0.0 netmask 255.0.0.0 reject

Just make sure you really don’t want that traffic before blocking the IP’s

-Eric