

who is spd-offline.ask.com???




Posted by dankyz, 10-03-2008, 10:13 AM
Hi, I have a problem: when I start my Apache server, I get more than 50 connections from spd-offline.ask.com, and these 50 connections open 50 MySQL connections as well, and then my Apache is very, very slow... Can someone help me out with how to block this guy? Thanks and best regards.

Posted by ub3r, 10-03-2008, 10:16 AM
What's the IP address?

Posted by dankyz, 10-03-2008, 10:19 AM
bash-3.1# ping spd-offline.ask.com
ping: unknown host spd-offline.ask.com

My server IP is 216.32.75.X

Posted by Patrick, 10-03-2008, 10:25 AM
It's probably an outdated reverse DNS entry on an IP address that's connecting to you. Maybe the IP address is legitimate, maybe it's not... Next time it happens, try the following (I think this will work under Linux):

netstat -n | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

or

netstat -n | grep :3306 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If it's opening "50" connections then it should be easy to figure out the IP address in question, unless they close the sockets before you have a chance to run those commands, or you have a busy server, in which case you'll have to check the Apache access logs.
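The netstat pipeline above, worked into a small script as an added example (this is not code from the thread or from Patrick's post). It feeds a constructed `netstat -n` sample through the same count-and-sort idea, but matches the local port exactly in the fourth column rather than `grep :80`, which would also match `:8080` and a remote-side `:80`. The addresses, counts and the outlier threshold are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: rank remote IPs by the number of
# sockets they hold to a given local port, from `netstat -n` style output.
# Assumptions (hypothetical): IPv4 addresses in "IP:port" form, documentation
# address ranges, and a made-up threshold for what counts as abnormal.

# Constructed sample of `netstat -nt` output (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 216.32.75.10:80         203.0.113.77:39629      ESTABLISHED
tcp        0      0 216.32.75.10:80         203.0.113.77:42446      ESTABLISHED
tcp        0      0 216.32.75.10:80         203.0.113.77:39630      ESTABLISHED
tcp        0      0 216.32.75.10:80         203.0.113.77:46813      LAST_ACK
tcp        0      0 216.32.75.10:80         198.51.100.5:51001      ESTABLISHED
tcp        0      0 216.32.75.10:8080       192.0.2.9:40000         ESTABLISHED
tcp        0      0 216.32.75.10:3306       198.51.100.5:51002      ESTABLISHED
tcp        0      0 216.32.75.10:22         192.0.2.9:40001         ESTABLISHED
tcp        0      0 192.0.2.200:48000       203.0.113.77:80         ESTABLISHED'

# count_remote_ips PORT : reads netstat output on stdin and prints "COUNT IP"
# lines, highest first, for sockets whose *local* port is exactly PORT.
# Testing the 4th column with an anchored regex avoids the two pitfalls of
# `grep :80`: it would also match :8080/:800, and it would match a remote :80.
count_remote_ips() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            split($5, a, ":")            # remote "IP:port" -> keep the IP part
            count[a[1]]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# flag_outliers THRESHOLD : keeps only the IPs holding THRESHOLD or more sockets,
# i.e. the "one address drastically higher than the rest" the post describes.
flag_outliers() {
    awk -v t="$1" '$1 >= t { print }'
}

# top_ip PORT : the single busiest remote IP for that local port in the sample,
# or an empty string when nobody is connected to it.
top_ip() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_remote_ips "$1" | head -n 1 | awk '{print $2}'
}

# Example run: on :80 the outlier is 203.0.113.77 with 4 sockets; the :8080
# socket and the outbound connection to a remote :80 are left out.
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote_ips 80 | flag_outliers 3
```

Once the script names an address, the follow-up is the one the thread gives: `host <ip>` to see whether the reverse record really is spd-offline.ask.com, and `whois <ip>` to find who owns the block. A LAST_ACK socket, like the ones in the later post, is a connection already closed by the server and waiting on the peer, so counting only ESTABLISHED sockets (filter on the sixth column) gives a cleaner picture of live load.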

Posted by dankyz, 10-03-2008, 10:32 AM
Hi Pat, thanks for the two commands. Now I get these two IP addresses:

1 209.132.176.120
1 209.132.176.69

So what shall I do? vi host.deny? vi httpd.conf? Or iptables? Which one can block this guy completely? Thanks.

Posted by Patrick, 10-03-2008, 10:41 AM
Those are most likely not the IP addresses you want to block. You'll have to wait until they open those "50" connections again and then run the netstat command ASAP, and hopefully you'll be able to catch the IP address in time. You'll notice those IP addresses have only 1 open TCP socket; what you're looking for is an abnormality, basically where everything else is low but one IP address is drastically higher. For example, something like this:

1 209.132.176.120
1 209.132.176.69
5 209.132.176.66
13 209.132.176.65
55 xxx.xxx.xxx.xxx

The unusually high number is what you're looking for. Once you have that IP address, do a host xxx.xxx.xxx.xxx (the IP address) and see if it returns spd-offline.ask.com; otherwise it's not the IP address you're looking for. Do you have suPHP installed, or when you notice Apache is slow after you start it, does a ps aux show a lot of PHP processes?

Posted by dankyz, 10-03-2008, 10:44 AM
Da....

1 128.61.111.9
1 209.132.176.120
1 209.132.176.69
104

There's a blank after 104... When I run ps aux I get more than 100 like this:

nobody    5995  0.3  0.5  27176 15572 ?  S  10:07  0:00 /usr/local/apache/bin/httpd -k start

and more than 50 like this:

mysql     6152 12.2  1.1  83108 36440 ?  S  10:09  0:01 /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/us

And this is the result of netstat -a after I shut down Apache:

tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:39629 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:42446 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:39630 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:46813 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:41611 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:42133 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:42134 LAST_ACK
tcp  1  36201 fansro5.servidores.ws:http spd-offline.ask.com:37021 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:41625 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:38518 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:41805 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:44874 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:40022 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:45393 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:45139 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:40028 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:42335 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:44836 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:42277 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:39200 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:39212 LAST_ACK
tcp  1  36201 fansro5.servidores.ws:http spd-offline.ask.com:36916 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:42804 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:39217 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:44594 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:38460 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:39230 LAST_ACK
tcp  1  36201 fansro5.servidores.ws:http spd-offline.ask.com:35077 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:41223 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:41219 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:38430 LAST_ACK
tcp  1      1 fansro5.servidores.ws:http spd-offline.ask.com:38431 LAST_ACK
. . . . . . (more than 50 lines)

I have not installed suPHP; the server runs Fedora 6 + Apache 2.0.63 + PHP 5.2.6. Thanks...

Last edited by dankyz; 10-03-2008 at 10:56 AM.

Posted by dankyz, 10-03-2008, 11:35 AM
Can anybody help me block this attack??? Thanks.

Posted by ub3r, 10-03-2008, 11:47 AM
Take the IP address, run 'whois ipaddress', and contact the people who own the IP block.

Posted by dankyz, 10-03-2008, 12:48 PM
Well, I analyzed the Apache logs and got some results. I just run a small blog; usually it has around 2,500 visitors every day. Yesterday, IP 65.214.36.73 accessed 23,147 pages, and I checked this IP: it comes from the robot Teoma (ask.com?). So how do I block this IP or the whole ask.com robot? Thanks in advance.
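As an added example, not from the thread and not a fix the thread itself confirms, here is the log analysis from the post above as a script, followed by the three blocking options raised earlier in the thread (robots.txt for a crawler that honours it, an Apache 2.0 Deny rule in httpd.conf, and an iptables rule). The log lines, addresses and the crawler User-Agent string are constructed; the robots.txt token `Teoma` is what Ask.com documented for its crawler at the time and is treated as an assumption here.

```shell
#!/bin/sh
# Added example, not from the original thread: rank an Apache combined-format
# access log by client IP, show the User-Agent behind the top talker, and print
# the block rule that fits what that agent claims to be.
# Assumptions (hypothetical): combined log format, constructed log lines with
# documentation addresses, and a made-up crawler User-Agent string.

SAMPLE_LOG='203.0.113.77 - - [03/Oct/2008:10:07:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/2.0 (compatible; Ask Jeeves/Teoma)"
203.0.113.77 - - [03/Oct/2008:10:07:01 +0000] "GET /?p=12 HTTP/1.1" 200 4410 "-" "Mozilla/2.0 (compatible; Ask Jeeves/Teoma)"
203.0.113.77 - - [03/Oct/2008:10:07:02 +0000] "GET /?p=13 HTTP/1.1" 200 4390 "-" "Mozilla/2.0 (compatible; Ask Jeeves/Teoma)"
198.51.100.5 - - [03/Oct/2008:10:07:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.77 - - [03/Oct/2008:10:07:03 +0000] "GET /?p=14 HTTP/1.1" 200 4402 "-" "Mozilla/2.0 (compatible; Ask Jeeves/Teoma)"
192.0.2.9 - - [03/Oct/2008:10:07:03 +0000] "GET /feed HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (Windows)"'

# hits_per_ip : "COUNT IP" lines, busiest first, from an access log on stdin.
# The client IP is the first whitespace-separated field of the combined format.
hits_per_ip() {
    awk '{ c[$1]++ } END { for (ip in c) printf "%d %s\n", c[ip], ip }' | sort -rn
}

# agents_for_ip IP : the distinct User-Agent strings that IP sent. Splitting on
# double quotes makes the UA the second-to-last field regardless of its spaces.
agents_for_ip() {
    awk -v ip="$1" -F'"' '{ split($1, a, " ") } a[1] == ip { print $(NF-1) }' | sort -u
}

# top_talker : the IP with the most hits in the sample.
top_talker() {
    printf '%s\n' "$SAMPLE_LOG" | hits_per_ip | head -n 1 | awk '{print $2}'
}

# ua_kind UA : "crawler" when the agent names a search bot, else "unknown".
# A User-Agent is self-declared, so this only decides which rule to try first;
# confirm with `host`/`whois` on the IP before trusting it.
ua_kind() {
    case "$1" in
        *Teoma*|*Googlebot*|*bingbot*) echo crawler ;;
        *) echo unknown ;;
    esac
}

# top_talker_kind : classify the busiest IP by the agents it presented.
top_talker_kind() {
    ua_kind "$(printf '%s\n' "$SAMPLE_LOG" | agents_for_ip "$(top_talker)")"
}

# block_rules IP KIND : print the rules to apply; nothing is applied here.
block_rules() {
    ip="$1"; kind="$2"
    if [ "$kind" = crawler ]; then
        # Only honoured by a well-behaved bot, and only after it re-fetches
        # robots.txt. Token per Ask.com's crawler docs of the time (assumption).
        printf '# robots.txt at the site root:\nUser-agent: Teoma\nDisallow: /\n\n'
    fi
    # Apache 2.0 (mod_access) syntax; Apache still accepts and logs each request.
    printf '# httpd.conf, inside the vhost or <Directory> block:\nOrder allow,deny\nAllow from all\nDeny from %s\n\n' "$ip"
    # Dropped in the kernel before Apache or MySQL ever see the packet (needs root).
    printf '# firewall (run as root; not executed by this script):\niptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
}

block_rules "$(top_talker)" "$(top_talker_kind)"
```

The order of the three rules is deliberate: robots.txt is a request, not a control, so it is worth trying against a genuine search crawler but proves nothing on its own; the Apache rule still costs a process and a log line per hit, which is the load the original poster is trying to shed; the iptables rule is the only one that stops the 50 MySQL connections from ever being spawned, at the price of blocking that address for everything on port 80.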


