#1 - 10-30-2008 - Just Joined! (Join Date: Oct 2008, Posts: 5)
DDoS attack?
Hi all,
Our server may be under attack. Our host isn't very helpful so I'm trying to figure out if this is really an attack.
Every night around 9 pm our site performance drops below freezing temp. Can't even get my mail anymore. In the secure log I can see (the next day when I'm able to log in again) stuff like this:
Oct 29 20:32:44 flex223 sshd[25991]: Invalid user duccio from ::ffff:203.251.115.31
Oct 29 19:32:44 flex223 sshd[25996]: input_userauth_request: invalid user duccio
Oct 29 20:32:47 flex223 sshd[25991]: Failed password for invalid user duccio from ::ffff:203.251.115.31 port 49943 ssh2
Oct 29 19:32:47 flex223 sshd[25996]: Received disconnect from ::ffff:203.251.115.31: 11: Bye Bye
Oct 29 20:35:22 flex223 xinetd[14259]: START: smtp pid=5949 from=190.186.82.176
Oct 29 20:35:40 flex223 xinetd[14259]: START: smtp pid=7607 from=85.171.56.115
Oct 29 20:35:46 flex223 xinetd[14259]: START: smtp pid=7846 from=189.69.20.34
Oct 29 20:36:24 flex223 sshd[11676]: Invalid user oubiwann from ::ffff:203.251.115.31
Oct 29 19:36:24 flex223 sshd[11786]: input_userauth_request: invalid user oubiwann
Oct 29 20:36:36 flex223 sshd[11676]: Failed password for invalid user oubiwann from ::ffff:203.251.115.31 port 54585 ssh2
Oct 29 19:36:36 flex223 sshd[11786]: Connection closed by ::ffff:203.251.115.31
Oct 29 20:36:42 flex223 xinetd[14259]: START: smtp pid=13447 from=80.120.75.26
Oct 29 20:36:42 flex223 xinetd[14259]: START: smtp pid=13451 from=80.120.75.26
Oct 29 20:37:31 flex223 xinetd[14259]: START: smtp pid=17503 from=84.61.20.75
Oct 29 20:37:46 flex223 xinetd[14259]: START: smtp pid=18092 from=217.97.202.1
Oct 29 20:37:46 flex223 xinetd[14259]: START: smtp pid=18093 from=85.182.60.21
Oct 29 20:39:54 flex223 xinetd[14259]: START: smtp pid=26230 from=93.130.16.158
Oct 29 20:45:27 flex223 xinetd[14259]: START: smtp pid=18047 from=92.53.39.176
Oct 29 20:48:35 flex223 xinetd[14259]: START: smtp pid=31889 from=78.99.59.68
Oct 29 20:48:48 flex223 xinetd[14259]: START: smtp pid=32371 from=213.36.213.222
Oct 29 20:50:38 flex223 xinetd[14259]: START: smtp pid=7753 from=200.73.103.232
Oct 29 20:50:51 flex223 xinetd[14259]: START: smtp pid=7977 from=87.111.94.177
1. Does this mean that someone's trying to log in via shell? And someone trying to use our smtp server?
2. How do they choose a target site?
3. How do we cope with all this?
I've been thinking about using two domains for our site. The first to display our home page, seo optimized etc, the second residing on a different server where users actually log on and use the site. The "logon" button on the first server redirects the user to the second server. This assuming attackers only target sites they can find via links on the web. If we prevent any link to our 2nd server, would we prevent attacks?!
Just some thoughts from me without having any knowledge of web security....
Any help is greatly appreciated since we're losing customers.
Best regards,
Giordano
#2 - 10-31-2008 - Linux Newbie (Join Date: Apr 2008, Location: India, Posts: 170)
Hi,
"203.251.115.31 port 49943 ssh2" - this means that someone is trying to log in via ssh.
My suggestion is to go for a firewall (CSF or APF) that will block the hacker's IP after 3 attempts... and secure your /tmp: apply noexec in fstab so that no one runs scripts from /tmp.
A few more things to remember: use ssh keys rather than passwords, disable direct root login....
Regarding SMTP, you can close the open relay or use authentication for that.
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
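As an added example (not from David's post or from any of the tools he names), the following script turns the sshd and /tmp items of his list into a check you can run against copies of sshd_config and fstab. It audits a permissive configuration beside the hardened one, both constructed for this example; the device names in the fstab fragments are placeholders. The defaults it assumes for keywords that are absent (PermitRootLogin yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes, MaxAuthTries 6) are those of OpenSSH 5.x; newer releases changed the PermitRootLogin default, so adjust the table for your version. The per-IP blocking after N failures is left to CSF/APF or fail2ban and is not reimplemented here.

```python
import re

# Constructed sample sshd_config fragments: a permissive one of the kind that
# ships by default, and the hardened version the reply above calls for.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 6
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
UsePAM yes
"""

# Constructed fstab fragments (device names are placeholders, not the poster's).
WEAK_FSTAB = """\
/dev/sda1  /     ext3   defaults        1 1
tmpfs      /tmp  tmpfs  defaults        0 0
"""

HARDENED_FSTAB = """\
/dev/sda1  /     ext3   defaults                     1 1
tmpfs      /tmp  tmpfs  defaults,noexec,nosuid,nodev 0 0
"""

# Value sshd assumes when a keyword is absent (assumed here from the
# OpenSSH 5.x sshd_config(5) manual; newer releases differ for PermitRootLogin).
SSHD_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
# ChallengeResponseAuthentication matters because with UsePAM it lets a
# password be accepted via keyboard-interactive even when
# PasswordAuthentication is off.
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """keyword (lower-cased) -> effective value. sshd honours the *first*
    occurrence of a keyword, and everything after a Match line applies only
    to that block, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """List the settings that still allow password guessing or root login."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, SSHD_DEFAULTS[key])
        if actual.lower() != wanted:
            note = "" if key in settings else " (keyword unset, default applies)"
            findings.append(f"{key}={actual}, want {wanted}{note}")
    tries = int(settings.get("maxauthtries", SSHD_DEFAULTS["maxauthtries"]))
    if tries > 3:
        findings.append(f"maxauthtries={tries}, want 3 or fewer")
    return findings


def tmp_mount_options(fstab_text):
    """Mount options of the /tmp entry, or None when /tmp is not its own mount."""
    for raw in fstab_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "/tmp":
            return set(fields[3].split(","))
    return None


def audit_fstab(fstab_text):
    opts = tmp_mount_options(fstab_text)
    if opts is None:
        return ["/tmp is not a separate mount, so noexec cannot be set in fstab"]
    missing = sorted({"noexec", "nosuid", "nodev"} - opts)
    return [f"/tmp is missing mount options: {','.join(missing)}"] if missing else []


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, "sshd_config:", audit_sshd(cfg) or "ok")
    for label, fstab in (("weak", WEAK_FSTAB), ("hardened", HARDENED_FSTAB)):
        print(label, "fstab:", audit_fstab(fstab) or "ok")
```

Two caveats when applying this on a real box: restart sshd only after confirming key login works from a second session, or the "PasswordAuthentication no" line locks you out; and on a VPS where /tmp is not a separate mount, noexec on /tmp needs a bind mount (or the provider's cooperation) rather than an fstab line, which is why the audit reports that case separately.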
#3 - 10-31-2008 - Just Joined! (Join Date: Oct 2008, Posts: 5)
Thanks for your reply David.
I have set the firewall to drop all connections for ftp and ssh except those from our own machines. Guess that should take the pressure off our server?!
I will look into your other suggestions.
But those smtp entries in the secure log, what are they doing??!??!
Am I right to assume that an entry appears in the log for each time someone sends mail to our server and each time someone sends a mail from our server? If so, then I have no idea who these folks in the log are..
Regards,
Giordano
#4 - 10-31-2008 - Linux Newbie (Join Date: Apr 2008, Location: India, Posts: 170)
Could you please post the maillog for the IPs that have been listed in the secure log... so that I can have a look at that.
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
#5 - 10-31-2008 - Just Joined! (Join Date: Oct 2008, Posts: 5)
The "/var/log/maillog" file is empty, I'm afraid...
And by now I also know that the firewall settings did not make a difference. Performance dropped again, no sign of ssh login attempts in the log though, obviously.
In the plesk/virtuozzo panel at resources I see that the Load Average is as high as 6 at times, which I understand to mean that the cpu is working overtime (1=100% ?!?). But when I check the processlist and add up the cpu percentages there, I don't get 100% at all. Don't get this! Is my interpretation of these figures correct? Could it be that some other vps on the same server is eating away the resources on the server?
Any suggestions?
#6 - 11-01-2008 - Linux Newbie (Join Date: Apr 2008, Location: India, Posts: 170)
In Plesk sendmail never runs, qmail runs, so it is a waste checking the logs in /var/log/maillog; you will get only the pop3 logs.
So check the logs in
/usr/local/psa/var/log/maillog
You will get the logs there.
First let me clear something up for you: you are not working on a physical server, it is a VPS,
OK... there is no real processor and real HDD, all are shared from the main node...
Please use ps -aufx and paste the result.......
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
#7 - 11-05-2008 - Just Joined! (Join Date: Oct 2008, Posts: 5)
Yes you're right, it's a VPS, shared resources... I do wonder sometimes how to figure out if other accounts aren't sucking resources up. Is there any way to see that?
Here's the output of the ps:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1700 592 ? Ss Oct27 0:00 init [3]
root 14178 0.0 0.0 1608 544 ? Ss Oct27 0:06 syslogd -m 0
named 14208 0.0 0.1 36420 2848 ? Ssl Oct27 0:00 /usr/sbin/named -u named -n1 -c /etc/named.co
root 14228 0.0 0.0 4088 1140 ? Ss Oct27 0:05 /usr/sbin/sshd
root 9629 0.0 0.1 8728 2568 ? Ss 17:03 0:00 \_ sshd: root@pts/0
root 10088 0.0 0.0 2232 1332 pts/0 Ss 17:03 0:00 \_ -bash
root 14095 0.0 0.0 2384 760 pts/0 R+ 17:57 0:00 \_ ps aufx
root 14302 0.0 0.0 2228 1144 ? S Oct27 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/l
mysql 15436 1.3 5.8 429332 122892 ? Sl Oct27 170:49 \_ /usr/libexec/mysqld --basedir=/usr --data
root 17454 0.0 1.0 26520 22348 ? Ss Oct27 0:00 /usr/bin/spamd --username=popuser --daemonize
popuser 17555 0.0 1.0 26520 21044 ? S Oct27 0:00 \_ spamd child
root 17777 0.0 0.3 41052 7796 ? Ss Oct27 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 18009 0.0 0.8 45192 18016 ? S 17:31 0:00 \_ /usr/local/psa/admin/bin/httpsd
psaadm 20012 0.0 0.8 45080 17280 ? S 17:32 0:00 \_ /usr/local/psa/admin/bin/httpsd
psaadm 20137 0.0 0.5 44864 11864 ? S 17:32 0:00 \_ /usr/local/psa/admin/bin/httpsd
root 17883 0.0 0.0 2492 932 ? Ss Oct27 0:00 crond
root 17902 0.0 0.0 4132 688 ? Ss Oct27 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a
root 11269 0.0 0.8 34808 17960 ? Ss Oct31 0:57 /usr/sbin/httpd
root 29749 0.0 0.3 23004 7528 ? S Nov02 0:00 \_ /usr/sbin/httpd
apache 15857 0.9 0.6 35728 14448 ? S 17:30 0:14 \_ /usr/sbin/httpd
apache 7369 1.0 0.6 35696 14408 ? S 17:40 0:10 \_ /usr/sbin/httpd
apache 7372 1.1 0.6 35732 14416 ? S 17:40 0:11 \_ /usr/sbin/httpd
apache 7374 1.0 0.7 35948 14684 ? S 17:40 0:10 \_ /usr/sbin/httpd
apache 7386 1.0 0.6 35676 14400 ? S 17:40 0:10 \_ /usr/sbin/httpd
root 15981 0.0 0.0 2156 844 ? Ss Nov01 0:02 xinetd -stayalive -pidfile /var/run/xinetd.pi
qmaild 13918 0.0 0.0 3404 824 ? Ss 17:57 0:00 \_ /var/qmail/bin/qmail-smtpd /var/qmail/bin
root 14014 0.0 0.0 1988 576 ? S 17:57 0:00 \_ plugins/chkrcptto
qmails 16032 0.0 0.0 1588 468 ? S Nov01 0:22 qmail-send
qmaill 16034 0.0 0.0 1548 440 ? S Nov01 0:01 \_ splogger qmail
root 16035 0.0 0.0 1580 360 ? S Nov01 0:00 \_ qmail-lspawn | /usr/bin/deliverquota ./Ma
qmailr 16037 0.0 0.0 1708 580 ? S Nov01 0:00 \_ qmail-rspawn
qmailq 16038 0.0 0.0 1540 328 ? S Nov01 0:00 \_ qmail-clean
Hope this makes sense to you...
#8 - 11-05-2008 - Just Joined! (Join Date: Oct 2008, Posts: 5)
And these are some lines from the maillog file. A few IPs that I also found in the secure log:
Nov 5 18:10:48 flex223 relaylock: /var/qmail/bin/relaylock: mail from 190.40.70.247:27059 (client-190.40.70.247.speedy.net.pe)
Nov 5 18:10:48 flex223 relaylock: /var/qmail/bin/relaylock: mail from 190.40.70.247:27065 (client-190.40.70.247.speedy.net.pe)
Nov 5 18:10:56 flex223 relaylock: /var/qmail/bin/relaylock: mail from 89.186.121.9:51376 (not defined)
Nov 5 18:13:31 flex223 relaylock: /var/qmail/bin/relaylock: mail from 189.35.108.34:61871 (bd236c22.virtua.com.br)
Nov 5 18:13:32 flex223 relaylock: /var/qmail/bin/relaylock: mail from 80.25.4.166:55746 (166.red-80-25-4.staticip.rima-tde.net)
What does the relaylock mean? Is someone trying to relay mail through our mail server?
Furthermore: on the nights that performance drops I see that Plesk/Virtuozzo reports privvmpages to be in the red zone. Does this mean the processes take up too much memory? Our VPS has 1.3 GB of memory. Would you guess that to be enough for a site that has approx. 680,000 page views/month? Any metrics available as to what server size one needs?!
Regards
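Posts #5 and #8 above ask two related questions: what a load average of 6 means when the %CPU column in the process list does not add up to 100%, and whether privvmpages "in the red" means the processes use too much memory. As an added example, not part of the thread, the script below reads the two files a VPS of this kind exposes for exactly that, /proc/loadavg and (on OpenVZ/Virtuozzo containers) /proc/user_beancounters, from constructed samples whose numbers are invented for a 1.3 GB container and are not the poster's. The relevant facts it encodes: the load average counts tasks that are runnable plus tasks in uninterruptible sleep (waiting on disk or on the kernel), so it can sit well above the CPU count while the CPUs are mostly idle; privvmpages is the container's allocated virtual memory in 4 KiB pages, the barrier is its soft limit, and failcnt is the running total of allocations the host kernel has refused since boot. A nonzero failcnt that keeps growing is the container hitting its own limit, which is visible from inside regardless of what the neighbouring containers are doing.

```python
import os

PAGE_SIZE = 4096  # bytes; the OpenVZ *pages counters are in 4 KiB pages

# Constructed sample of /proc/user_beancounters in the format OpenVZ/Virtuozzo
# prints. The values are invented for a 1.3 GB container (1300 MB = 332800
# pages) that has exceeded its privvmpages barrier; uid 223 is a placeholder.
BEANCOUNTERS = """\
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      223:  kmemsize                  9514627             11350016             14372700             14790164                    0
            privvmpages                331940               358400               332800               358400                  127
            physpages                  214050               240318                    0  9223372036854775807                    0
            oomguarpages               214050               240318               332800  9223372036854775807                    0
            numproc                        58                   97                  400                  400                    0
            numtcpsock                     41                  163                  360                  360                    2
"""

# Constructed /proc/loadavg sample in the shape Linux prints it:
# 1-, 5-, 15-minute averages, running/total tasks, last PID.
LOADAVG = "6.02 5.40 3.91 3/120 14095"


def parse_beancounters(text):
    """resource name -> {held, maxheld, barrier, limit, failcnt} (ints)."""
    counters = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("Version:", "uid"):
            continue
        if parts[0].endswith(":"):          # first row of a container block carries "uid:"
            parts = parts[1:]
        if len(parts) != 6:
            continue
        name, *numbers = parts
        held, maxheld, barrier, limit, failcnt = (int(n) for n in numbers)
        counters[name] = {"held": held, "maxheld": maxheld, "barrier": barrier,
                          "limit": limit, "failcnt": failcnt}
    return counters


def pages_to_mb(pages):
    return pages * PAGE_SIZE / (1024 * 1024)


def exhausted_resources(counters):
    """Resources the host has refused at least once (failcnt > 0) or that are
    at/over their barrier now. failcnt is cumulative, so diff two snapshots
    taken a few minutes apart to see whether it is still rising."""
    return sorted(name for name, c in counters.items()
                  if c["failcnt"] > 0 or (c["barrier"] and c["held"] >= c["barrier"]))


def memory_report(counters):
    """Human-sized view of privvmpages, the counter Plesk shows in the red."""
    p = counters["privvmpages"]
    return {
        "held_mb": round(pages_to_mb(p["held"]), 1),
        "peak_mb": round(pages_to_mb(p["maxheld"]), 1),
        "barrier_mb": round(pages_to_mb(p["barrier"]), 1),
        "limit_mb": round(pages_to_mb(p["limit"]), 1),
        "failcnt": p["failcnt"],
        "at_limit_now": p["held"] >= p["barrier"],
    }


def load_per_cpu(loadavg_text, ncpus=None):
    """1-minute load average per CPU. A value above 1.0 while the summed %CPU
    of the process list stays low means tasks are blocked (D state) rather
    than burning CPU: swapping, I/O, or failed allocations."""
    one_min = float(loadavg_text.split()[0])
    ncpus = ncpus or os.cpu_count() or 1
    return one_min / ncpus


if __name__ == "__main__":
    # On a real container: open("/proc/user_beancounters").read() as root,
    # and open("/proc/loadavg").read() for the load line.
    counters = parse_beancounters(BEANCOUNTERS)
    print("refused or at barrier:", exhausted_resources(counters))
    print("privvmpages:", memory_report(counters))
    print("load per CPU (assuming 2 CPUs):", load_per_cpu(LOADAVG, ncpus=2))
```

In the sample, maxheld for privvmpages equals the hard limit and failcnt is 127, so 127 allocations were refused; that is the condition under which processes start failing in ways that look like a frozen site (fork fails, Apache children die, MySQL cannot allocate), even though CPU percentages stay low. Whether 1.3 GB is enough for the poster's traffic cannot be read off the counters; what they do show is whether the container is asking for more than it is allowed.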