Urgent. Server used for SYN flood attack
 

Hi

I have a server with Ubuntu 10.04 LTS and ISPConfig 3.
Use it for some Joomla sites, and som other self composed sites.

The server now seems to be used to run SYN flood attack to some destinations.
So I think one of the websites have a security issue, and a script is run.
When I shut down apache, the activity stops.

But I have a hard time tracking down witch website it is, and where the script is. When I know this, the security issue must be dealt with.
I do not want my server being used to cause trouble for others.

I need some quick help here, how do I find witch file the SYN flood originates?
Any way to use lsof, netstat or something?
netstat shows me the connections, but not where they where initialized from.

Which php mode do you use in your sites? If you use php-fcgi with suexec on, then you can see with "ps" and "top" which site is having the high activity as each site runs under its own linux user then.

Thanks.

I`m having a hard time finding the source.
Is there a way to shut don sites completly in ISPConfig?
Then I can test one and one site.

Tried the enable checkbox under site, but it does not seem to shut it down.

Each site has a "active" checkbox in the site settings, uncheck the checkbox and press on save to disable the site. This remove sthe site completely from the apache configuration within 60 seconds after you pressed the button.

Thanks till

I also found an application called jnettop.
It`r really helpful finding what generates traffic etc.
http://jnettop.kubs.info/wiki/