Solutions to PHP DDoS attacks

Source: Internet
Author: User

Editor's note: In the IDC server cluster under the Red/Black Alliance, one customer website in the cluster was insecure. As a result, a PHP version of a DDoS program was uploaded and used to carry out packet-flooding attacks, occupying the server's bandwidth. Many websites or IDCs may run into this problem, and this article may make it easier to deal with.

Body:

Over the past two days, a friend's Windows 2003 Server has been experiencing a fault: its bandwidth was completely occupied. The way the bandwidth was consumed was also rather strange. Normally, when a server is under DDoS attack, the flood traffic should be inbound, but here it was outbound. Eventually another friend identified it as the recently popular PHP-DDoS attack.

[Figure: diagram of PHP DDoS bandwidth usage]

Symptoms: as soon as IIS is started, the server's bandwidth is immediately saturated, which is the opposite of being the target of a DDoS attack, where the server constantly receives a large number of packets.

Solution:
1. Stop the IIS service.
2. In C:\windows\php.ini set:

disable_functions = export, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, listen, dl, pfsockopen, openlog, syslog, readlink, symlink, popen, stream_socket_server, fsocket, fsockopen

3. In C:\windows\php.ini set the following directive to Off (php.ini directive names are case-sensitive, so write them in lowercase exactly as shown):

allow_url_fopen = Off

4. Comment out the sockets extension by putting a semicolon in front of its extension line:

;extension=php_sockets.dll

Now restart IIS.
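To check that steps 2 to 4 actually took effect rather than trusting that the file was edited correctly, here is an added example (not code from the original post) in Python that parses a php.ini and reports which of the settings above are still open. The sample php.ini and the subset of functions it insists on (the socket and command-execution ones a PHP flooder needs) are my own constructions.

```python
# Added example: audit a php.ini for the three hardening steps above.
# REQUIRED_DISABLED is a constructed subset of the article's list: the
# functions a PHP UDP flooder or its dropper relies on.
REQUIRED_DISABLED = {
    "fsockopen", "pfsockopen", "stream_socket_server",
    "exec", "shell_exec", "system", "passthru", "proc_open", "popen",
}

def parse_php_ini(text):
    """Return (directives, loaded_extensions) from php.ini text.
    php.ini directive names are case-sensitive, so keys are kept exactly
    as written; anything after ';' on a line is a comment."""
    directives, extensions = {}, set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip().strip('"') for part in line.split("=", 1))
        if key == "extension":
            extensions.add(value.lower())
        else:
            directives[key] = value
    return directives, extensions

def audit(text):
    """Return findings for a php.ini; an empty list means steps 2-4 hold."""
    directives, extensions = parse_php_ini(text)
    findings = []
    listed = {f.strip() for f in directives.get("disable_functions", "").split(",")}
    missing = sorted(REQUIRED_DISABLED - listed)
    if missing:
        findings.append("disable_functions still permits: " + ", ".join(missing))
    if directives.get("allow_url_fopen", "On").lower() not in ("off", "0", "no", "false", ""):
        findings.append("allow_url_fopen is not Off")
    if extensions & {"php_sockets.dll", "sockets"}:
        findings.append("sockets extension is still loaded (step 4 not applied)")
    # A miscapitalised directive name is silently ignored by PHP, so the
    # server looks hardened on paper while nothing is actually disabled.
    for key in directives:
        if key != key.lower() and key.lower() in ("disable_functions", "allow_url_fopen"):
            findings.append(f"'{key}' is ignored by PHP: directive names are case-sensitive")
    return findings

SAMPLE_INI = """; constructed sample, not a real server's php.ini
Disable_functions = passthru, exec, system, shell_exec, proc_open, popen, fsockopen, pfsockopen, stream_socket_server
allow_url_fopen = Off
;extension=php_sockets.dll
extension=php_mbstring.dll
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI) or ["php.ini matches steps 2-4"]:
        print(finding)
```

Run against the constructed sample it reports that the capitalised `Disable_functions` line is ignored and every required function is therefore still callable; fixing the case makes the audit come back clean.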

In addition, you can use the following method to handle unencrypted PHP attack code:
Use an IPSec policy or the firewall to block all outbound UDP packets.
Copy the following text into Notepad, save it as banudp.bat (or any other name), and double-click it to run it.


REM Add the security policy
netsh ipsec static add policy name="my security policy"

REM Add the IP filter lists
netsh ipsec static add filterlist name="allow list"
netsh ipsec static add filterlist name="deny list"

REM Add a filter to the allow list (let this host reach DNS over UDP)
netsh ipsec static add filter filterlist="allow list" srcaddr=me dstaddr=any description="dns access" protocol=udp mirrored=yes dstport=53

REM Add a filter to the deny list (all other UDP traffic to or from this host; mirrored=yes covers both directions)
netsh ipsec static add filter filterlist="deny list" srcaddr=any dstaddr=me description="all other udp" protocol=udp mirrored=yes

REM Add the filter actions
netsh ipsec static add filteraction name=yes action=permit
netsh ipsec static add filteraction name=no action=block

REM Create rules linking the policy, filter lists and filter actions (adds the rules to my security policy)
netsh ipsec static add rule name="allow rule" policy="my security policy" filterlist="allow list" filteraction=yes
netsh ipsec static add rule name="deny rule" policy="my security policy" filterlist="deny list" filteraction=no

REM Activate my security policy
netsh ipsec static set policy name="my security policy" assign=y

You can also use the following download: http://up.2cto.com/2011/0720/20110720095122690.rar
 

Double-click "udp.bat" to create the security rule automatically.
To check whether the security rule was created successfully, choose Start > Programs > Administrative Tools > Local Security Policy > IP Security Policies. If "DropUDP" is listed, the security policy was created successfully. If you are on a Linux host, use iptables to create the equivalent rules.

To find the source of this trojan:
Go to C:\WINDOWS\system32\LogFiles\HTTPERR, open the latest log and search for the port. If you can find the access record, you can identify the site that the trojan is using to send packets.


[Figure: how to find the source address of this trojan]
