
Have Been or Are Under a DDOS or DOS Attack?

Reading Time: 3 minutes

DDOS or DOS attacks are quite common nowadays. Thankfully, there are ways to detect and mitigate them before they cause major downtime for your website or servers. In this article we will discuss how you can search your server logs for signs of a DOS or DDOS attack.

Method #1:
One method is to look at the past bandwidth usage for a particular server. If you see a large, sudden spike, it is most likely a flood of malicious requests.

Method #2:
Check your server load graph. Do you see a spike at the time you suspected a DOS or DDOS attack? A spike far beyond normal, perhaps even reaching critical levels, probably indicates a DDOS or DOS attack. Please keep in mind that server load can be spiked by many normal things besides an attack.

Checking your server load during a suspected attack is also worthwhile while you work on mitigation. To check your current server load, use the following (the first command prints the number of CPU cores, which you need in order to judge whether the load averages printed by uptime are high for this machine):
* grep processor /proc/cpuinfo | wc -l
* uptime

Method #3 (Check for DDOS Based on the Number of Hits per IP):
Since a DDOS attack generally requires some form of connection to your server, you can always check which IPs are hitting your server the most. Look at the IP with the highest count (the number on the left). If it is anything over 200-500, watch it closely to see whether it continues to hit the server, and if so begin mitigation by blocking that specific IP. To list the most active IPs, use the following commands (the second one groups addresses by their first two octets, which helps you spot many hosts coming from one network):
* netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r
* netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | cut -f1,2 -d'.' | sed 's/$/.0.0/' | sort | uniq -c | sort -nk1 -r

Brute Force Attack Check:
A brute force attack consists of an individual submitting many passwords or passphrases to your server. The goal of a brute force attack is to gain access to your server or an account using one of the many passwords submitted in a given time period. To check for a brute force attack against the web server (this counts the connections to port 80 per IP, least active first), use the following command:
* netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

On a cPanel based server, here are some useful logs to look at and to keep for reference:

  • Incoming and outgoing mail log = /var/log/exim_mainlog – Find out what happened to an email sent to an outside server, or one that came into this server.
  • POP or IMAP login/transaction records = /var/log/maillog – Find out when a mailbox was accessed, from which IP, and whether the login was successful.
  • Anti-spam logs (e.g. SpamAssassin) = /var/log/maillog – Find out if a mail was tagged as spam, and the reason for it.
  • Mails rejected by the Exim SMTP server = /var/log/exim_rejectlog – Find out if a mail was rejected at connection level due to an Exim security policy.
  • SMTP/POP/IMAP server crash logs = /var/log/messages, /var/log/maillog, /var/log/exim_paniclog – Find out why the Exim/Courier/Dovecot servers crashed.
  • Mailman logs = /usr/local/cpanel/3rdparty/mailman/logs/* – Logs under this directory show what happened to the various mailing lists.
  • RoundCube delivery and error logs = /var/cpanel/roundcube/log/* – Logs under this directory show mail delivery details and RoundCube access errors.
  • Horde error logs = /var/cpanel/horde/log/* – Logs under this directory show Horde errors.
  • SquirrelMail logs = /var/cpanel/squirrelmail/* – Logs related to SquirrelMail errors.
  • Web site access logs = /usr/local/apache/domlogs/[DOMAIN_NAME] – Find out which IP accessed the site at a given time, and the status of the access.
  • Web site and server error log = /usr/local/apache/logs/error_log – Details of errors returned by the web site.
  • Mod Security error log = /usr/local/apache/logs/modsec_audit.log – Details of the mod_security deny error.
  • SuPHP audit log = /usr/local/apache/logs/suphp_log – Find out under which user ownership a script was executed.
  • Apache restarts through cPanel/WHM = /usr/local/cpanel/logs/safeapacherestart_log – Find out at what times Apache was restarted through WHM.
  • File upload logs = /usr/local/apache/domlogs/ftp.[DOMAIN_NAME]-ftp_log – Find out which IP uploaded the files, under which user ownership, and the status of the upload.
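The web site access logs listed above can be counted per IP in the same way the netstat commands in Method #3 count connections. The script below is an added example, not from the original post: it reads a constructed combined-format access log (as written to /usr/local/apache/domlogs/[DOMAIN_NAME]), lists the busiest client IPs, flags those over the 200-hit threshold mentioned in Method #3, and narrows the count to a single minute so a burst stands out. The sample addresses, the wp-login.php path and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: per-IP request counts from an
# Apache/cPanel combined-format access log, applying the "hits per IP" idea
# of the netstat commands in Method #3 to the domlogs instead.

# count_ips LOGFILE: print "COUNT IP" for every client, busiest first
count_ips() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn
}

# flag_ips LOGFILE THRESHOLD: print only the IPs with at least THRESHOLD requests
flag_ips() {
    count_ips "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# count_in_window LOGFILE WINDOW: per-IP counts for one minute; WINDOW is the
# timestamp prefix as it appears in the log, e.g. "06/Feb/2022:22:10"
count_in_window() {
    awk -v w="$2" 'substr($4, 2, 17) == w { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample log (not a real capture): one client sends 250 POSTs to the
# login page within a single minute, two other clients browse normally.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
i=0
while [ "$i" -lt 250 ]; do
    printf '203.0.113.7 - - [06/Feb/2022:22:10:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' \
        "$((i % 60))" >> "$LOG"
    i=$((i + 1))
done
cat >> "$LOG" <<'EOF'
198.51.100.20 - - [06/Feb/2022:22:10:05 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.20 - - [06/Feb/2022:22:11:09 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Feb/2022:22:11:30 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "curl/7.68.0"
EOF

echo "Requests per IP:"
count_ips "$LOG"
echo "IPs over the 200-hit threshold from Method #3:"
flag_ips "$LOG" 200
echo "Requests per IP during 06/Feb/2022:22:10:"
count_in_window "$LOG" "06/Feb/2022:22:10"
```

A single address with a high count is not proof of an attack on its own: a corporate NAT gateway, a proxy or a CDN can legitimately send many requests from one IP, so compare the count against the same window on a normal day before blocking.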

I hope this has helped in some way. If you have any questions, feel free to contact our support team.