- 01-07-2011 #1 (Just Joined! - Join Date: Jan 2011 - Posts: 2)
DOS Attacks from my Server as a source
Hi all,
Today I got a message from my provider saying my server was disconnected from the network because my server is sending DOS attacks.
Unfortunately, I didn't have the opportunity to do a TCPDUMP to recognize what really was going on.
Anyhow, after checking the logs I found the following:
Actually, I do not have any idea about the things that happened. No other login was done previously to this, so that I could say someone got my ssh root. A rootkit scan didn't find anything. ps -ef nothing special.
Code:
Jan 7 20:31:05 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "joslasok.developing.hu"
Jan 7 20:31:05 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "joslasok.developing.hu"
Jan 7 20:31:44 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 20:31:44 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 22:01:19 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 22:01:19 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 22:03:01 xxx46359 /usr/local/apache/bin/httpd -DSSL: gethostby*.getanswerr : asked for "developing.hu", got "nepszeru.developing.hu"
Jan 7 22:04:02 xxx46359 /usr/local/apache/bin/httpd -DSSL: gethostby*.getanswerr : asked for "developing.hu", got "kiszolgalo.developing.hu"
Any hints?
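As an added example (not code from the thread), a small parser for the glibc resolver warnings quoted above: it pulls out the process, the name that was asked for and the name that came back, and counts the mismatched answers per process and returned host, which is a quick way to see which web server processes were doing the lookups and how often. The sample lines are the ones from the post.

```python
import re
from collections import Counter

# Constructed sample input: the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Jan 7 20:31:05 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "joslasok.developing.hu"
Jan 7 20:31:05 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "joslasok.developing.hu"
Jan 7 20:31:44 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 20:31:44 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 22:01:19 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 22:01:19 xxx46359 /usr/sbin/apache2-fork -x start: gethostby*.getanswer: asked for "developing.hu", got "torveny.developing.hu"
Jan 7 22:03:01 xxx46359 /usr/local/apache/bin/httpd -DSSL: gethostby*.getanswerr : asked for "developing.hu", got "nepszeru.developing.hu"
Jan 7 22:04:02 xxx46359 /usr/local/apache/bin/httpd -DSSL: gethostby*.getanswerr : asked for "developing.hu", got "kiszolgalo.developing.hu"
"""

# Shape of the warning: '<ts> <host> <process>: gethostby*.getanswer: asked for "<a>", got "<b>"'.
# The "\w*\s*:" part also accepts the "getanswerr :" spelling seen in the httpd lines.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>.+?): '
    r'gethostby\*\.getanswer\w*\s*: asked for "(?P<asked>[^"]+)", got "(?P<got>[^"]+)"$'
)


def parse_line(line):
    """Return the fields of one resolver warning, or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count warnings whose returned name differs from the queried name,
    keyed by (process, returned name). Lines that are not this warning are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["asked"] != rec["got"]:
            counts[(rec["proc"], rec["got"])] += 1
    return counts


if __name__ == "__main__":
    for (proc, got), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {proc:40} -> {got}")
```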
- 01-12-2011 #2 (Linux Guru - Join Date: Apr 2009 - Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away. - Posts: 8,974)
It looks like your web server was hacked and someone modified/corrupted/added some scripts that the server is now executing. If you don't have a "known good" previous image of the system to use as a baseline to find the corrupted files and/or executables, then you are sol, and pretty much are going to need to wipe and reinstall the system. Then, before you go back online, you are going to need to make sure you have all the latest security patches, and review all of your system processes for vulnerabilities. This is going to be, at the least, time consuming, and likely expensive! Sorry, but you are now paddling around in the deep end...
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 01-12-2011 #3
I would also say take a look at BASTILLE LINUX for securing your system against attacks. I haven't used it but have been told it is very good. Also look at running something like AIDE for Intrusion Detection.
- 01-12-2011 #4 (Linux Guru - Join Date: Apr 2009 - Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away. - Posts: 8,974)
The problem, as I understand it, is not that he is getting a DOS attack on his system, but is a SOURCE of DOS attacks on others. IE, someone has pwnd his computer.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 01-12-2011 #5
Yes, his site was being used as it was broken into. The two sites will help protect his system from this type of attack in the future.