HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Hagforce 20th August 2012 11:57

Urgent. Server used for SYN flood attack
 
Hi

I have a server with Ubuntu 10.04 LTS and ISPConfig 3.
Use it for some Joomla sites, and some other self composed sites.

The server now seems to be used to run SYN flood attacks against some destinations.
So I think one of the websites has a security issue, and a script is run.
When I shut down apache, the activity stops.

But I have a hard time tracking down which website it is, and where the script is. When I know this, the security issue must be dealt with.
I do not want my server being used to cause trouble for others.

I need some quick help here, how do I find which file the SYN flood originates from?
Any way to use lsof, netstat or something?
netstat shows me the connections, but not where they were initialized from.

till 20th August 2012 12:02

Which php mode do you use in your sites? If you use php-fcgi with suexec on, then you can see with "ps" and "top" which site is having the high activity as each site runs under its own linux user then.
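An added example, not part of any post in this thread: when each site runs under its own Linux user as described above, the `uid` column of `/proc/net/tcp` attributes every socket in SYN_SENT state to a site. The sample table, its addresses and its UIDs are constructed; the script assumes IPv4, a little-endian host, and that the traffic appears as ordinary sockets (as the netstat output in the question suggests).

```python
import collections
import socket
import struct

SYN_SENT = "02"  # TCP_SYN_SENT in the kernel's socket-state numbering

# Constructed sample in /proc/net/tcp layout (documentation-range addresses,
# made-up UIDs); trailing columns after the inode are omitted.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001
   1: 050200C0:C350 0A7100CB:0050 02 00000001:00000000 01:00000064 00000001  5004        0 9002
   2: 050200C0:C351 0A7100CB:0050 02 00000001:00000000 01:00000064 00000001  5004        0 9003
   3: 050200C0:C352 076433C6:0050 02 00000001:00000000 01:00000064 00000001  5004        0 9004
   4: 050200C0:C353 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  5002        0 9005
   5: 050200C0:C354 0A7100CB:0050 02 00000001:00000000 01:00000064 00000001  5002        0 9006
"""


def decode_ipv4(hex_addr):
    """Decode the address column; assumes a little-endian host such as x86."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def syn_sent_by_uid(text):
    """Map uid -> Counter of remote IPs for sockets in SYN_SENT state."""
    per_uid = collections.defaultdict(collections.Counter)
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != SYN_SENT:
            continue
        remote_ip = decode_ipv4(fields[2].split(":")[0])
        per_uid[int(fields[7])][remote_ip] += 1
    return per_uid


def rank(per_uid):
    """Return [(uid, total, [(ip, count), ...])], busiest UID first."""
    rows = [(uid, sum(c.values()), c.most_common(3)) for uid, c in per_uid.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    import pwd
    with open("/proc/net/tcp") as fh:           # live table on the server
        for uid, total, top in rank(syn_sent_by_uid(fh.read())):
            try:
                name = pwd.getpwuid(uid).pw_name
            except KeyError:
                name = str(uid)                 # UID with no passwd entry
            print("%-12s %5d SYN_SENT  %s" % (name, total, top))
```

If every site runs as the same Apache user, all rows collapse onto that one UID and this cannot tell the sites apart.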

Hagforce 21st August 2012 13:08

Thanks.

I'm having a hard time finding the source.
Is there a way to shut down sites completely in ISPConfig?
Then I can test one site at a time.

Tried the enable checkbox under site, but it does not seem to shut it down.

till 21st August 2012 15:10

Quote:

Is there a way to shut down sites completely in ISPConfig?

Each site has an "active" checkbox in the site settings, uncheck the checkbox and press on save to disable the site. This removes the site completely from the apache configuration within 60 seconds after you pressed the button.

Hagforce 23rd August 2012 13:24

Thanks till

I also found an application called jnettop.
It's really helpful for finding what generates traffic etc.
http://jnettop.kubs.info/wiki/


All times are GMT +2.
