Re: DOS attack from AS
Date: Fri, 30 May 2008 12:32:03 -0700 (PDT)
I did understand you. To find what program is doing it, you have to catch it on the spot. If you can do it quickly, we can find out whether it's a virus or trojan or somebody playing a prank. All of this depends on access to the client machine during the few minutes of the "DOS" attack. If the attack has just finished when you log onto his PC, you have very little chance of finding anything, except netstat -ano showing many lines of TIME_WAIT "connections" opened by process 0 (Idle "process") or 4 (System "process").
- Louis BROUILLETTE <Louis.Brouillette_at_uqtr.ca> wrote:
> Sorry I was not clear. I know who is doing it and what requests they
> are sending (from the apache log). What I don't know is how is it
> happening? What is causing it? Is it a virus? Scanning these
> clients with a variety of antivirus software doesn't find anything
> wrong on these PCs.
> At 12:01 2008-05-30, Yong Huang wrote:
> >I'm guessing you were always too late to catch the DOS. If that's not the case,
> >we can easily find out who and what is doing it. A simple netstat -an or
> >-f Apache access log is all you need on the server side. Then go to the client.
> >This may be harder than expected. Knowing the IP doesn't necessarily mean where
> >to go. nbtstat -A <IP> may reveal more info, sometimes users logged onto the
> >client Windows box. Search for the IP or its hostname in Intranet site may help
> >too. On the client, netstat -ano to find the process connecting to your server.
> >Find the full path of the process with Process Explorer or tlist.
> >Yong Huang
> Louis Brouillette
> Analyste en informatique (DBA)
> Universite du Quebec a Trois-Rivieres
> Tel: (819) 376-5011 ext. 2435
> Email: brouille_at_uqtr.ca
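
The client-side check discussed in this thread, as an added example that is not part of the original messages: it parses `netstat -ano` output and separates connections to the web server that still have an owning PID (which can then be looked up with Process Explorer or tlist) from TIME_WAIT leftovers that no longer point at a process. The sample output, the server address 192.0.2.10 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output on a Windows client (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.23:49210        192.0.2.10:80          ESTABLISHED     3120
  TCP    10.0.0.23:49211        192.0.2.10:80          ESTABLISHED     3120
  TCP    10.0.0.23:49212        192.0.2.10:80          SYN_SENT        3120
  TCP    10.0.0.23:49100        192.0.2.10:80          TIME_WAIT       0
  TCP    10.0.0.23:49101        192.0.2.10:80          TIME_WAIT       0
  TCP    10.0.0.23:49300        198.51.100.7:443       ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    912
"""

# Proto, local endpoint, foreign endpoint, state, PID (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+(\d+)\s*$")

def connections_to(netstat_text, server_ip, server_port=None):
    """Count TCP rows whose foreign address is the server, keyed by (pid, state)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")  # also splits [v6addr]:port
        host = host.strip("[]")
        if host == server_ip and (server_port is None or port == str(server_port)):
            counts[(int(pid), state)] += 1
    return counts

def triage(counts):
    """Split into {pid: live connections} and a count of TIME_WAIT leftovers."""
    live, stale = Counter(), 0
    for (pid, state), n in counts.items():
        if state == "TIME_WAIT":
            stale += n  # socket already closed; the PID column no longer names the program
        else:
            live[pid] += n  # still open: this PID is the one to identify
    return dict(live), stale

if __name__ == "__main__":
    live, stale = triage(connections_to(SAMPLE, "192.0.2.10", 80))
    print("PIDs with open connections:", live, "| TIME_WAIT leftovers:", stale)
```

To use it on a real client, feed it the text captured from `netstat -ano` while the traffic is still in progress.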