infected by a DoS trojan? (URGENT)
I have just received a very disturbing message from the webmaster of a private BitTorrent tracker to which I subscribe, who claims that there is some kind of DoS attack originating from my IP number. I have asked him to block my IP while I sort this problem out. He wrote:
[...]our stats show
a HUGE bandwidth leakage coming from you (equivalent to ~350 users...)
I further investigated your connection and realized you are running a
static-ip private server at your IP (XX.XX.XX.XX).
That means you have AT LEAST http port 80 in an open state (and port 21
if you are running FTP).
Fixed IPs and open ports are a dangerous mix, since if you don't protect
your server extremely well, you are bound to innumerable hacking
attempts, some of which can succeed. This seems to be the case, I guess.
It is highly probable you have some sort of backdoor-virus or trojan
running inadvertently at your site, which sends a DoS (Denial of
Service) attack to whoever you link to. The DoS attack "floods" other
peoples' servers with page requests, bringing those servers to their
We have anti-DoS protection, but it seems SOME of the requests get
through anyway. In fact, you are requesting a page from our site ~every 15
seconds, 24 hours a day, 7 days a week...
My setup is as follows: I have a small LAN behind a router doing NAT. Connected are a desktop box with FC6, a laptop running Ubuntu 6.10, and, since the beginning of the month, an old Pentium II with FreeBSD 6.2 installed running Postfix and Lighttpd. Under Fedora and Ubuntu, I use the latest Firefox.
Ports 25 and 80 are forwarded to the BSD box; several port >1000 ranges (ed2k and BT) are forwarded to the Fedora box, which otherwise has never been used as a server, other than occasionally opening port 21 for ssh when I have been on the road.
At this point, since the Fedora box has been running for several years, I expect that if anything has been compromised, that would be the first place to start looking. But at this point, I don't even know where to begin.
I'd be most grateful for any or all suggestions on how to proceed.
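The webmaster's observation above (one request roughly every 15 seconds, around the clock) is the classic signature of a beaconing process, and the first thing to establish is which LAN host behind the NAT is producing it. The script below is an added example, not code from the original post or from any project mentioned in it. It assumes a capture of outbound TCP SYNs in the format printed by `tcpdump -tt -n` (Unix timestamp, `IP src.port > dst.port: Flags [S]`), taken on the router's LAN side or on each host in turn so that the private source address is visible. The sample capture embedded in it is constructed for illustration (private and documentation address ranges, invented timestamps); the tracker's real address is not known from the post.

```python
import re
import statistics
import sys
from collections import defaultdict

# Constructed sample of what `tcpdump -tt -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`
# might print on the LAN interface. 192.168.1.10 beacons to 203.0.113.5:80 every ~15 s;
# 192.168.1.20 makes a few irregular connections to 203.0.113.9:80. None of these are real hosts.
SAMPLE_LOG = """\
1167609600.102 IP 192.168.1.10.41234 > 203.0.113.5.80: Flags [S], seq 1, win 5840, length 0
1167609603.870 IP 192.168.1.20.51000 > 203.0.113.9.80: Flags [S], seq 1, win 5840, length 0
1167609615.119 IP 192.168.1.10.41235 > 203.0.113.5.80: Flags [S], seq 2, win 5840, length 0
1167609630.097 IP 192.168.1.10.41236 > 203.0.113.5.80: Flags [S], seq 3, win 5840, length 0
1167609641.500 IP 192.168.1.20.51001 > 203.0.113.9.80: Flags [S], seq 2, win 5840, length 0
1167609645.131 IP 192.168.1.10.41237 > 203.0.113.5.80: Flags [S], seq 4, win 5840, length 0
1167609660.088 IP 192.168.1.10.41238 > 203.0.113.5.80: Flags [S], seq 5, win 5840, length 0
1167609662.000 IP 192.168.1.20.51002 > 203.0.113.9.80: Flags [S], seq 3, win 5840, length 0
1167609675.120 IP 192.168.1.10.41239 > 203.0.113.5.80: Flags [S], seq 6, win 5840, length 0
1167609690.104 IP 192.168.1.10.41240 > 203.0.113.5.80: Flags [S], seq 7, win 5840, length 0
1167609700.300 IP 192.168.1.20.51003 > 203.0.113.9.80: Flags [S], seq 4, win 5840, length 0
"""

# Matches the start of a tcpdump -tt -n line for an IPv4 TCP SYN.
SYN_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\]"
)


def parse_syns(text):
    """Return a list of (timestamp, src, dst, dport) for each SYN line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            events.append((float(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_beacons(events, min_count=5, max_cv=0.1):
    """Flag (src, dst, dport) flows whose connection attempts arrive at a near-constant interval.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    inter-arrival times; a human browsing or a BitTorrent client talking to peers
    produces bursty, irregular timings, a beaconing process does not.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in events:
        by_flow[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in by_flow.items():
        if len(stamps) < max(min_count, 2):
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(stamps), "interval": round(mean, 1), "cv": round(cv, 3),
            })
    # Most regular flow first.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    # Pipe a real capture in (`tcpdump -tt -n ... | python beacons.py`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in find_beacons(parse_syns(text)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {f['count']} SYNs, "
              f"every ~{f['interval']} s (cv {f['cv']})")
```

Once the script names a LAN host, the follow-up is done on that host while the beacon is still running: `netstat -ntp` on Fedora or `sockstat -4` on FreeBSD shows which process owns the connection to the tracker, and that process name and binary path are what to investigate. If the consumer router cannot run tcpdump, capture on each of the three machines in turn; the FreeBSD box should be excluded or confirmed the same way rather than assumed clean just because it is newer.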