Server under DoS attack for the last 3 days

[phidias81]

I'm on a cheap shared hosting, I've been with them for a couple of years and I was quite satisfied. Now they are having the biggest problem I encountered so far. It's already 3 days that the server is under DoS attack, and it looks like that are not able to manage the situation. My website went live for a few hours or minutes during these days, but then the attack is starting again later.
When I first asked for explanations they told me "It appears that your site is coming under a massive DoS attack and this is affecting the whole cloud server."
So I would interpret this as if it was my site to be targeted by the attack? I would consider it strange, since it's just a personal travel blog that has no enemy and it's not competing with any big fish.
Is there anything I can do?
If it's for real my website that is targeted, If I would move to another server-hosting, it would solve the problem, or the attack would be "automatically" transferred to the new server? Thank you

[SharkyKZ]

If it's for real my website that is targeted, If I would move to another server-hosting, it would solve the problem, or the attack would be "automatically" transferred to the new server?

Since you're on shared hosting, they must be targeting your domain and not IP address. So the attack would continue even on another host/IP address. But better hosts have DDoS protection.

You can implement firewall/DDoS protection on your site or use a service like CloudFlare.

Have you checked the logs? Which parts of your sites are being attacked? Is it login form? Maybe some specific extension?

[phidias81]

I already use Cloud Flare (The free part) but it looks like the only help is that it's showing a copy of my homepage. As for the other questions I don't know, because I have no access to cpanel and I sincerely am not that "advanced" to understand this details

[JAVesey]

Are they attacking your fronted or the admin section?

I had an issue with the latter, so installed AdminExile to mask the Admin URL. Works well. This also has "brute force" protection included. If you're not using it then give it a go. Excellent extension in my experience.

[phidias81]

I haven't tried the backend, for sure the frontend was not accessible. My url is already masked with another plugin, and I have several security plugins installed for brute force, injections, etc.
In this moment the attack stopped, and my host migrate the accounts to a different server, so now i's working. Let's see for how long will it work

[leolam]

This is your weak server environment. I believe we have pointed this out to you several times in other posts. As stated multiple times before with all your hacks posted : You host sucks" and change host!

Leo

[phidias81]

Updates: It looked like the attack stopped after the third day, but now I started again 2 days ago, and still going on. This despite I was moved to a different server, so it looks like they are really targeting my website, and I don't understand why.

If I look for a new host, how can I understand if they will be able to manage DoS attacks or not?

[exhug]

Updates: It looked like the attack stopped after the third day, but now I started again 2 days ago, and still going on. This despite I was moved to a different server, so it looks like they are really targeting my website, and I don't understand why.

If I look for a new host, how can I understand if they will be able to manage DoS attacks or not?

use ddos protection by cloudflare payed it will stoped for:
it will Checking your browser before accessing for 5sec to stop the attack and you can block range ip 90% are china bots.

[phidias81]

Well, that's really out of my budget. It cost 200$ per month, and consider I don't make any money with my website and I pay around 1€ per month for my shared hosting

[leolam]

Nobody asks you to pay so much money for hosting but you get what you pay fro with Euro 1/month;y..Crap in security and that is why you are already putting assist requests in for month's now due to hacks , attacks and all kinds of crap and that will continue unless you will finally admit that cheap or almost free hosting is PITA!

With all respect based on your history of posts here it makes no sense to pride support with such weal hosting solutions you think you can rely on.... The only one responsible for the problems you have been facing for month's now is you!

Leo

[linuxwebman]

Hi Friends!


Through it !!!


1- Did the following: LOCK these suspicious IPs! BAN !!!
* PS: CAUTION to not lock! Lol ... Check first of all the IP of your computer! : D


Joomla has a very good file showing: errors and intrusion attempts. And the best: IPs !!!

This place is where it is:

/logs/error.php

There is thus displayed:

==========================================================


#
# <? php die ('Forbidden.'); ?>
#Date: 24/05/2013 01:53:48 UTC
#Software: Joomla Platform 11.4.0 Stable [Brian Kernighan] 03-Jan-2012 00:00 GMT

#Fields: Date time priority category ClientIP message
24/05/2013 01:53:48 INFO xxx.xxx.xxx.xxx Joomla FAILURE: Invalid password
04/06/2013 06:56:47 INFO xxx.xxx.xxx.xxx Joomla FAILURE: No blank password is allowed
08/06/2013 22:56:18 INFO xxx.xxx.xxx.xxx Joomla FAILURE: No blank password is allowed
06/15/2013 21:00:39 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
24/06/2013 19:23:20 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
24/06/2013 19:23:28 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
24/06/2013 19:23:42 INFO xxx.xxx.xxx.xxx Joomla FAILURE: Invalid password
02/07/2013 16:35:30 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
02/07/2013 16:35:31 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
02/07/2013 16:35:32 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
02/07/2013 16:35:33 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
02/07/2013 16:35:34 INFO xxx.xxx.xxx.xxx Joomla FAILURE: User does not exist
11/23/2013 20:04:58 INFO xxx.xxx.xxx.xxx Joomla FAILURE: Username and password do not match or you do not have an account yet.
11/23/2013 20:05:00 INFO xxx.xxx.xxx.xxx Joomla FAILURE: Username and password do not match or you do not have an account yet.
11/23/2013 20:05:01 INFO xxx.xxx.xxx.xxx Joomla FAILURE: Username and password do not match or you do not have an account yet.
11/23/2013 20:05:01 INFO xxx.xxx.xxx.xxx Joomla FAILURE: Username and password do not match or you do not have an account yet.
11/23/2013 20:05:02 INFO xxx.xxx.xxx.xxx Joomla FAILURE: Username and password do not match or you do not have an account yet.


==========================================================


So I went in ".htacces" and implemented these rules for suspicious IPs:


# START IP BAN!

deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx


# END IP BAN!




Also, check in your control panel of your hosting, there is this option of blocking IPs, so easy plus the option to block IPs.

In addition, check with your Hosting company as DDos attacks are the trantando and, if they have a security system. Some charge more for this service.


2- Also block the / Administrator any extension of Joomla or the capabilities of .htacces and .htpasswd.

3- Also if you are using any search field, use any extension of joomla for Google search on your site, so it is avoided that some field allow SQL Injection. So your site is more secure.


Phew!
Big hug!
Success there!
Thank you!

[JAVesey]

2- Also block the / Administrator any extension of Joomla or the capabilities of .htacces and .htpasswd

As I keep saying on here, use the AdminExile extension. It allows you too:

1. Set the path to /administrator to something only you know (and change the path whenever you want)
2. It has "brute force" protection for the front- and back-end.

Take a look