  1. #1
    Just Joined!
    Join Date
    Jan 2011
    Posts
    2

    DOS Attacks from my Server as a source


    Hi all,

    Today I got a message from my provider saying my server was disconnected from the network because my server is sending DoS attacks.

    Unfortunately, I didn't have the opportunity to do a tcpdump to recognize what really was going on.

    Anyhow, after checking the logs i found the following:

    Code:
    Jan  7 20:31:05 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "joslasok.developing.hu"
    Jan  7 20:31:05 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "joslasok.developing.hu"
    Jan  7 20:31:44 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
    Jan  7 20:31:44 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"

    Jan  7 22:01:19 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
    Jan  7 22:01:19 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
    Jan  7 22:03:01 xxx46359 /usr/local/apache/bin/httpd -DSSL: gethostby*.getanswerr: asked for "developing.hu", got "nepszeru.developing.hu"
    Jan  7 22:04:02 xxx46359 /usr/local/apache/bin/httpd -DSSL: gethostby*.getanswerr: asked for "developing.hu", got "kiszolgalo.developing.hu"

    Actually, I do not have any idea about the things that happened. No other login was done prior to this that would let me say someone got my SSH root. A rootkit scan didn't find anything. ps -ef shows nothing special.

    Any hints?
    Last edited by MikeTbob; 01-08-2011 at 02:12 AM. Reason: Added Code Tags

  2. #2
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,454
    It looks like your web server was hacked and someone modified/corrupted/added some scripts that the server is now executing. If you don't have a "known good" previous image of the system to use as a baseline to find the corrupted files and/or executables, then you are SOL, and pretty much are going to need to wipe and reinstall the system. Then, before you go back online, you are going to need to make sure you have all the latest security patches, and review all of your system processes for vulnerabilities. This is going to be, at the least, time-consuming, and likely expensive! Sorry, but you are now paddling around in the deep end...
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    I would also say take a look at BASTILLE LINUX for securing your system against attacks. I haven't used it but have been told it is very good. Also look at running something like AIDE for Intrusion Detection.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
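
The baseline comparison that replies #2 and #3 point to (a "known good" image to diff against, and a tool such as AIDE), shown as an added example; it is not part of the thread and is not AIDE's own code. It hashes every file under a directory and reports what was added, removed or changed since the baseline; the sample tree and file names in `demo()` are constructed.

```python
import hashlib
import os
import stat
import tempfile

def build_manifest(root):
    """Map each relative path under root to (content digest, permission bits)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, do not follow links
            if stat.S_ISLNK(st.st_mode):
                digest = "symlink:" + os.readlink(path)  # record where a file symlink points
            elif stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            else:
                continue  # skip FIFOs, sockets and devices (opening a FIFO would block)
            manifest[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return manifest

def compare(baseline, current):
    """Return sorted relative paths that were added, removed or changed."""
    b, c = set(baseline), set(current)
    return {"added": sorted(c - b), "removed": sorted(b - c),
            "changed": sorted(p for p in b & c if baseline[p] != current[p])}

def demo():
    """Constructed web root: take a baseline, alter the tree, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        index = os.path.join(root, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "cgi-bin", "form.pl"), "w") as fh:
            fh.write("#!/usr/bin/perl\n")
        baseline = build_manifest(root)
        with open(index, "a") as fh:  # an existing script gets modified
            fh.write("<?php include 'extra.php'; ?>\n")
        with open(os.path.join(root, "extra.php"), "w") as fh:  # a new file appears
            fh.write("<?php /* constructed */ ?>\n")
        os.remove(os.path.join(root, "cgi-bin", "form.pl"))  # a file disappears
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

The comparison is only meaningful if the baseline manifest was built while the system was known to be clean and is stored somewhere the server itself cannot modify.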

  4. #4
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,454
    The problem, as I understand it, is not that he is getting a DoS attack on his system, but that he is a SOURCE of DoS attacks on others. I.e., someone has pwned his computer.

  5. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Yes, his site was being used as it was broken into. The 2 sites will help protect his system from this type of attack in the future.

    Regards
    Robert