Mystery infestation strikes Linux/Apache Web sites
> "According to cPanel, if you are unable to create a directory name beginning with a numeral – as in mkdir 1 – you're infected. Another test is to monitor the packets from the server with the following tcpdump command:
> tcpdump -nAs 2048 src port 80 | grep -E "[a-zA-Z]{5}\.js'"
> One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."
James
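The two checks quoted above, turned into a small script. This is an added example, not from the thread or from cPanel: the sample response bodies are constructed here, and it assumes the injected tag has the form `<script src='xxxxx.js'>` (five random letters, single-quoted), which is what the trailing quote in the grep pattern suggests.

```shell
#!/bin/sh
# Added example: looks for the injected random-name .js script tag in a
# captured HTTP response body and runs cPanel's "mkdir 1" test.

# Constructed sample bodies: one clean page, one carrying a suspicious tag.
CLEAN_BODY="<html><head><script src='jquery.min.js'></script></head></html>"
INFECTED_BODY="<html><head><script src='qzxnv.js'></script></head></html>"

# Returns 0 if the body references a script whose name is exactly five
# letters followed by .js (the pattern the tcpdump | grep one-liner uses),
# anchored on src=' so ordinary names like jquery.min.js do not match.
has_random_js() {
    printf '%s' "$1" | grep -Eq "src='[a-zA-Z]{5}\.js'"
}

# cPanel's test: an infected host reportedly cannot create a directory whose
# name starts with a digit. Returns 0 if the directory was created (healthy),
# 1 if mkdir failed, 2 if no scratch directory could be made at all.
mkdir_digit_test() {
    scratch=$(mktemp -d) || return 2
    if mkdir "$scratch/1" 2>/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

if has_random_js "$INFECTED_BODY"; then echo "sample body: suspicious script tag"; fi
if mkdir_digit_test; then echo "mkdir test: ok"; else echo "mkdir test: FAILED"; fi
```

To check a live server, feed it a body fetched with curl or the tcpdump stream from the quote instead of the constructed samples.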
6 Replies
# rate limit incoming port 22 connections
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP
That will limit the number of connections coming from one IP to two per minute. Anything more and it gets blocked. If they keep on hitting it, it stays blocked. Best of all, access from your own IP is not affected.
–deckert
get fwbuilder to manage your iptables with ease
make sure you don't run your Apache as root
read a million other tips on Google about securing your Apache webserver