I'm being hacked

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Jeremywilms

Thread Starter
Joined
Jun 29, 2008
Messages
70
I was sharing a couple of things I had made with my friends, via posting it on a forum, and it seems some extremely stupid people find it entertaining to ping\DDOS (or whatever people call it now) my servers\me. I was running a web server (Apache), MySQL server, IRC server (UnrealIRCD) and a Flash Media Interactive Server, and while I was at school today I wanted to show my friends something I had made when I noticed I couldn't connect to my website; well, I could, but it was loading at an extremely slow speed. So now I'm at home and I completely removed my port-forwards, and shut down my server. Although I am still experiencing a slow connection to the internet. What steps should I take and how can I protect myself a little more?
 
Joined
Jul 12, 2008
Messages
1,710
Well, you can call your ISP to see if they can block some of that traffic downstream. You can have your router block anonymous WAN requests (pings). However, unless you're sure that your ISP allows you to run a server on their network, I'd be careful what you say.

You can always ask for a new IP.
 

Jeremywilms

Thread Starter
Joined
Jun 29, 2008
Messages
70
Well I'm currently blocking anonymous WAN requests, but I don't want to have to constantly change my IP address every time someone pings me (which will probably be constant). I was wondering if there was any security feature of some sort that could protect me from this =S
 
Joined
Aug 1, 2003
Messages
51,988
Are you positive that this is what is happening? How do you know? What do your firewall logs tell you?
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,508
Are you positive that this is what is happening? How do you know? What do your firewall logs tell you?
Bingo. I was going to ask if the OP has any logs to prove he's being hacked. I would say if the OP was indeed under a DDOS, he wouldn't get squat from his server. Large corporations with huge servers in a server farm with lots of high bandwidth network devices in load balancing configurations can sometimes barely get anything to work when they are under a DDOS attack.

Also, I wouldn't go to your ISP for a problem like this unless you're willing to have them slap you for running a server on your home service plan. They may not care but then again they might.
 
Joined
Jul 12, 2008
Messages
1,710
If you're truly under a DDoS attack, you likely will have no connectivity without the intervention of your ISP blocking the packets somewhere downstream of you (probably at a trunk).

GRC went through this and documented it pretty well, you might want to read that. But logs would be nice.
 

Jeremywilms

Thread Starter
Joined
Jun 29, 2008
Messages
70
Well I'm not sure why you want proof, it's port 80, are you suggesting I re-port-forward and endure more of their attack to record some logs =S ?

I was just curious how I can protect myself a little more, I'm 16 and I sure as hell can't afford a server, and the 'free' ones are too slow for my need.
 
Joined
Jul 12, 2008
Messages
1,710
Not necessarily, your router is happy to produce logs of incoming traffic.

What kind of traffic are you being bombarded with? The attacks are coming on port 80? Like incomplete TCP sessions or something else? I've had a site on the receiving end of a DDoS and it's not remotely pretty. They managed to crush a dedicated server of mine on a 6mbit pipe.

Here's that info about GRC: http://web.archive.org/web/20051027174023/grc.com/dos/grcdos.htm

Thinking further: that doesn't sound like it's too bad if you have any internet connectivity. It's probably coming from one or two IPs, if you can produce those, it might be possible to stop the attack. However, an attack on port 80 will be almost impossible to stop if it's coming from a wide variety of IPs, since you can't block port 80 traffic.
 

Jeremywilms

Thread Starter
Joined
Jun 29, 2008
Messages
70
I attached the log, I'm not sure if this is normal but there seems to be a lot of blocking.

Edit: It's not a big attack, just enough to slow my internet to a near dead stop.
 

Attachments

Joined
Jul 12, 2008
Messages
1,710
Well, looks as if you have some serious problems.

You're getting unsolicited, bogus packets to bogus ports that don't have any purpose. They're coming from all over the world.
 

Jeremywilms

Thread Starter
Joined
Jun 29, 2008
Messages
70
I'm going to hope that's sarcasm D: But if that's the case, my only solution is to renew my IP address or stop hosting my servers?
 
Joined
Jul 12, 2008
Messages
1,710
The majority of those connections are being made to 2222, which is a port exposed by a Trojan. However, it's possible that they're just probing it. You do have up-to-date versions of your server software as well as antivirus and firewall on all your computers.

However, you don't necessarily have a Trojan, it could just as easily be a random flood of packets trying to deny service to you. I find it odd that any individual's site/home server would be targeted by a DDoS, but I guess it's possible. Have you given your IP out at shady sites?
 

Jeremywilms

Thread Starter
Joined
Jun 29, 2008
Messages
70
Oh D: Yes well there is a virus currently installed on my computer, the problem being that my anti-virus isn't detecting it. I am aware that it's there, however I am unable to remove it. I posted my HijackThis log on this site, however no one has responded. My friend earlier suggested the virus may have set up some sort of proxy server on my computer.

The good thing is, I've only given a DNS I made away to my friends, and on a forum. I am however 100% sure I have a trojan, I just can't find a way to remove it. I can link you to my HijackThis thread if you need it.
 
Joined
Jul 12, 2008
Messages
1,710
Ok, well, I'm not "qualified" to help with that. Once you get that removed, we can see if you're really getting DDoSed or not.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,508
I don't see anything which would lead me to believe you're being hacked. The denial logs are showing the router is doing its job.

What we need to see is the connection successes. If you are really being DDoS'd over your web port of 80, you would see a bunch of successfully initiated connections which don't complete the proper TCP handshake. This leaves the router thinking the session is still open. As more connections like this get established, the router will quickly get overwhelmed as the amount of free memory it has gets consumed by all the open connections and the processing required to maintain those connections. The evil part of this type of attack is that the rogue connections don't time out quickly enough for the consumed resources to be released. Also, it's hard for rudimentary hardware to distinguish a legitimate incoming HTTP request from a rogue DDoS one.
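
An added example, not part of the thread or any poster's code: one way to check for the pattern described in the post above, by counting connections to port 80 that are stuck half-open (`SYN_RECV`) against those that completed the handshake. The sample text is constructed in the layout of Linux `netstat -ant` output, and the thresholds in `looks_like_syn_flood` are assumptions to tune.

```python
from collections import Counter

# Constructed sample in the layout of Linux `netstat -ant` output (not from the thread).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:33010       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51812       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      SYN_RECV
tcp        0      0 192.0.2.10:80           192.0.2.77:50122        ESTABLISHED
tcp        0      0 192.0.2.10:6667         192.0.2.80:41000        ESTABLISHED
"""

def half_open_summary(netstat_text, port=80):
    """Count completed vs. half-open (SYN_RECV) connections to `port`."""
    states = Counter()
    sources = Counter()  # half-open connections per remote address
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, remote, state = fields[3], fields[4], fields[5]
        if local.rsplit(":", 1)[-1] != str(port):
            continue  # connection to some other service
        if state == "SYN_RECV":
            states["half_open"] += 1
            sources[remote.rsplit(":", 1)[0]] += 1
        elif state == "ESTABLISHED":
            states["established"] += 1
    return {"half_open": states["half_open"],
            "established": states["established"],
            "sources": sources}

def looks_like_syn_flood(summary, min_half_open=5, ratio=3.0):
    """Heuristic (assumed thresholds): many half-open sessions, few completed ones."""
    half, est = summary["half_open"], summary["established"]
    return half >= min_half_open and half >= ratio * max(est, 1)

if __name__ == "__main__":
    s = half_open_summary(SAMPLE)
    print(s["half_open"], "half-open,", s["established"], "established")
    print("distinct sources:", len(s["sources"]),
          "| flood-like:", looks_like_syn_flood(s))
```

The per-source counts also show whether the half-open sessions come from one or two addresses or are spread across many.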
 