server blocked/stopped by host

#1 | 9th January 2006, 13:21 | Ovidiu (Senior Member)

Hi guys,

My Strato server stopped working on Sunday. I tried to fix it the whole of last night, but then realized that the control panel from Strato said: host has been suspended, please contact support.

I did so and they stated:

Quote:
Unfortunately your server was the target of a DoS attack over the weekend. To protect our infrastructure and your server from further consequential damage, we had to take your server off the network at short notice.

We unblocked the server again this morning, and within the next hour the server should be available again as usual.
This means my server was hit by a DoS attack and my host cut it off from the internet to prevent damage.

I then asked if I could see evidence of a DoS attack and what they plan to do against the initiators.

They responded:

Quote:
We hereby inform you that our technicians at the STRATO data center have notified us that a faulty application is running on your server with the hostname hxxxx.serverkompetenz.net, order number xxxxxx.

This was noticed through an abnormally high number of packets (21001 incoming packets/sec). This process impairs the technical infrastructure of STRATO Medien AG in an unacceptable way and thereby violates the normal operating conditions of our General Terms and Conditions, which you can view at any time on the internet: http://www.strato.de/full/STRATO/agb.html

It is possible that a third party has gained access to root user privileges on your server.
If you suspect that a third party has hacked your server, we recommend backing up your personal files on the server and reinstalling the server.

Create backup files of your personal files with the command "tar cvfz /backup.tgz <verzeichnisname>".
Then enter the command "/etc/init.d/networking stop", boot into recovery mode afterwards and copy your files via FTP or SSH to another server.
After the reinstallation is complete, notify us so that we can unblock the server again. We have noted <date>(0,".",1,1,7) at the latest as the deadline.
Here they try to tell me that there is an application on my server which causes too high a load (21001 packets/sec) and that my server could have been hacked; they suggest that I back up my server and reinstall...

This seems highly contradictory to me, as they told me about a DoS first, then state I have a rogue application that has a high number of incoming packets - ??? AND in their first email they told me my server would be back online in a few hours; after I asked for more details they come up with this story about this application...

Any suggestions? I just mailed them and asked about clarification.

I'd appreciate any help.
#2 | 9th January 2006, 14:03 | till (Super Moderator)

Hi,

I recommend that when your server is back online, you do a scan for rootkits.

http://www.howtoforge.com/faq/1_38_en.html

I think that a high volume of incoming packets does not automatically mean that your server is hijacked. It depends on the port. If e.g. a high number of packets were sent to port 80, it's a DoS attack, but it does not mean that your Apache has been hijacked.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3 | 9th January 2006, 15:02 | Ovidiu (Senior Member)

Thanks for the hint, I will check after work.

I got another mail from them: please excuse our second mail (about the rogue application), it was sent to you by mistake and was not intended for you :-))

I have seen this happen frequently when the guys doing the support know nothing about their job and just skim the support-seeking mails for keywords, then select from a database of ready-made emails and send them back.

Or they really sent me that mail by mistake...

Anyway, I'll check back later and report what happened.
#4 | 10th February 2006, 12:34 | Ovidiu (Senior Member)

ok guys, it happened again :-(

I'll give you a short summary in English:

I got an email from Strato saying that my server was the target of another DoS attack. They sent me a link to their fair usage document where they say there are rules against which I am acting (by letting myself get attacked!)

http://www.strato.de/full/STRATO/agb.html

They will cut my server off the net to prevent damage to their networks...
I can still access my server through a remote recovery console, and I should resolve my problems.

If I have any explanation as to why I am being attacked I should notify them, and they tell me to do everything possible to protect myself from further attacks.

They gave me time to resolve the problems until the 17.02.2006 - what problems?

What the heck can I do if I am getting attacked?

I was still able to access the server through SSH for maybe an hour, and neither the logs nor netstat showed me an unusual amount of incoming connections, nor were there SYN attacks to be seen at first glance. Nor did my graphical statistics output show anything...

Now I think that if there was an attack there had to be at least some traces of this attack in my logfiles.

I am going to write them a similar email asking for details about the type of the attack, the duration and log excerpts - I mean, they must base their accusations on something.


AND I think I have to change providers, although I am usually a very steady customer, but this is too much.

any suggestions or ideas?

###edit###

Sorry, I have to give you more info: the mail reached me with a huge delay of several hours; after I talked to them on the phone they gave me the exact time of the attack and I found some traces. I am currently examining the logfiles.

Not much inside the usual syslog files; any other place where I can grab some info? If not, can anyone explain how to set up some firewall rules to log attacks of any kind? Just some hints or so would be great.

Last edited by Ovidiu; 10th February 2006 at 13:54.
#5 | 10th February 2006, 15:02 | falko (Super Moderator)

I'd check with chkrootkit and rootkithunter first that you didn't get hacked.

Maybe you can monitor with Nagios ( http://www.nagios.org/ ) what's happening on your network interface.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
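Falko suggests watching the network interface with Nagios. As an added example that is not code from this thread, from Nagios or from HotSaNIC, the script below shows the kind of check a monitoring plugin can run on the server itself: read the per-interface packet counters from /proc/net/dev twice, turn the delta into packets per second, and flag anything above a threshold. The interface name, the threshold and the two snapshots are constructed for the example.

```python
"""Packet-rate check on /proc/net/dev counters (added example, not from the thread)."""
import time
from typing import Dict, List, Tuple

# Constructed /proc/net/dev snapshots taken one second apart. Kernel layout per line:
#   iface: rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed
#          rx_multicast tx_bytes tx_packets tx_errs ...
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1234567    9876    0    0    0     0          0         0  1234567    9876    0    0    0     0       0          0
  eth0: 987654321 4500000    0    0    0     0          0         0 123456789 3100000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1234600    9880    0    0    0     0          0         0  1234600    9880    0    0    0     0       0          0
  eth0: 988954321 4525000    0    0    0     0          0         0 123470000 3101000    0    0    0     0       0          0
"""

# Assumed alert threshold in packets per second. Strato's mail in this thread
# quoted 21001 incoming packets/sec as the level that got the server disconnected,
# so an alert well below that gives time to react.
DEFAULT_THRESHOLD_PPS = 10000


def parse_proc_net_dev(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {interface: (rx_packets, tx_packets)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no colon
            continue
        iface, fields = line.split(":", 1)
        values = fields.split()
        if len(values) < 10:
            continue
        # rx_packets is data column 1, tx_packets is data column 9 (0-based)
        counters[iface.strip()] = (int(values[1]), int(values[9]))
    return counters


def packet_rates(before: Dict[str, Tuple[int, int]],
                 after: Dict[str, Tuple[int, int]],
                 interval_s: float) -> Dict[str, Tuple[float, float]]:
    """Packets per second (rx, tx) per interface between two snapshots."""
    rates = {}
    for iface, (rx1, tx1) in after.items():
        if iface not in before:
            continue
        rx0, tx0 = before[iface]
        # Counters are unsigned and can wrap or reset; a negative delta is not a rate
        if rx1 < rx0 or tx1 < tx0:
            continue
        rates[iface] = ((rx1 - rx0) / interval_s, (tx1 - tx0) / interval_s)
    return rates


def flag_floods(rates: Dict[str, Tuple[float, float]],
                threshold_pps: float = DEFAULT_THRESHOLD_PPS,
                ignore: Tuple[str, ...] = ("lo",)) -> List[Tuple[str, str, float]]:
    """Return (interface, direction, pps) for every rate above the threshold."""
    alerts = []
    for iface, (rx_pps, tx_pps) in sorted(rates.items()):
        if iface in ignore:
            continue
        if rx_pps > threshold_pps:
            alerts.append((iface, "rx", rx_pps))
        if tx_pps > threshold_pps:
            alerts.append((iface, "tx", tx_pps))
    return alerts


def sample_live(interval_s: float = 1.0) -> List[Tuple[str, str, float]]:
    """Take two real samples from /proc/net/dev (Linux only) and return the alerts."""
    with open("/proc/net/dev") as f:
        first = parse_proc_net_dev(f.read())
    time.sleep(interval_s)
    with open("/proc/net/dev") as f:
        second = parse_proc_net_dev(f.read())
    return flag_floods(packet_rates(first, second, interval_s))


if __name__ == "__main__":
    demo = flag_floods(packet_rates(parse_proc_net_dev(SNAPSHOT_T0),
                                    parse_proc_net_dev(SNAPSHOT_T1), 1.0))
    for iface, direction, pps in demo:
        print(f"ALERT {iface} {direction}: {pps:.0f} packets/sec")
```

Run from cron or as a Nagios check, `sample_live()` gives the packet rate rather than the byte rate that a traffic graph shows; a SYN flood of 40-byte packets barely moves a bandwidth graph while the packet counter climbs, which is exactly the number the provider measured.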
#6 | 10th February 2006, 20:38 | Ovidiu (Senior Member)

I am currently checking out Nagios screenshots to find out what it can do and if it has more info than HotSaNIC, which I am using currently.
Besides, I checked if I got hacked, did it last time too, and there is no sign of such activity. Anyway, I am talking about an incoming attack - there was a traffic spike at 23:50 during the night from Thursday to Friday. You can check it out here: http://www.web-designerz.de/serverst...ffic/eth0.html

These stats are all I have; there is no more logging being done - so what can I do?
#7 | 10th February 2006, 23:49 | till (Super Moderator)

I think there is not much that you can do if there is an incoming attack. Only your provider can try to block the traffic at the routers in front of your server.
#8 | 11th February 2006, 01:02 | Ovidiu (Senior Member)

Quote:
Originally Posted by till
I think there is not much that you can do if there is an incoming attack. Only your provider can try to block the traffic at the routers in front of your server.
I know, and they won't.
I am talking about Strato; they even told me that they usually ask people to sign a statement that one won't do it again (Unterlassungserklärung) or even cancel their contract. So soon, if I don't start logging so I can file an abuse report against those f***ing idiots attacking my server, I will have to look for a new server provider.

So if someone could suggest some logging rules or at least give me some hints as to where and what to log...
#9 | 11th February 2006, 12:09 | till (Super Moderator)

Do you have any idea which port / daemon may have been attacked? Is any logfile for that day bigger than usual?

As far as I know there are some config options in the Bastille firewall config file that ISPConfig uses to enable logging, but I never tested it.
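Ovidiu asks twice in this thread where and what to log so that an abuse report can be filed, and Till points at the firewall's logging options. As an added example that is not code from the thread, from ISPConfig or from the Bastille firewall, the script below turns the kernel's iptables LOG output into the excerpt an abuse report needs. It assumes an iptables LOG rule with a rate limit (the `-m limit` match keeps the log itself from becoming a second flood); the rule shape is given in the comments as an assumption, the `FW-SYN:` prefix is invented, and the syslog lines are constructed with documentation address ranges.

```python
"""Summarise iptables LOG lines for an abuse report (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Assumed logging rule (not from the thread): log incoming SYN packets, but no
# more than a bounded number per second, so that a flood cannot fill the disk:
#   iptables -A INPUT -p tcp --syn -m limit --limit 20/s --limit-burst 50 \
#            -j LOG --log-prefix "FW-SYN: " --log-level warning
# Under a real flood the log is therefore a sample, and the counts below are
# lower bounds; the interface packet counters give the true volume.
LOG_PREFIX = "FW-SYN:"

# Constructed syslog lines. 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges; the sshd line shows that unrelated syslog entries are skipped.
SAMPLE_LOG = """\
Feb 10 23:50:01 server kernel: FW-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 10 23:50:01 server kernel: FW-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=34568 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 10 23:50:01 server kernel: FW-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 10 23:50:02 server kernel: FW-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=34569 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 10 23:50:02 server sshd[1234]: Accepted publickey for admin from 203.0.113.50 port 51234 ssh2
Feb 10 23:50:02 server kernel: FW-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 10 23:50:03 server kernel: FW-SYN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=34570 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "Mon DD HH:MM:SS host kernel: <prefix> KEY=VALUE ..." (syslog pads the day with a space)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: " + re.escape(LOG_PREFIX) + r" (?P<rest>.*)$")
# The LOG target writes every field as KEY=VALUE; flags such as DF and SYN have no "="
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields plus the timestamp, or None for a non-firewall line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["ts"] = m.group("ts")
    return fields


def summarize(lines: Iterable[str]) -> dict:
    """Count logged packets by source, by protocol/port and by second."""
    by_src, by_dpt, per_second = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        total += 1
        by_src[rec["SRC"]] += 1
        by_dpt[rec.get("PROTO", "?") + "/" + rec.get("DPT", "-")] += 1
        per_second[rec["ts"]] += 1
    peak_ts, peak = per_second.most_common(1)[0] if per_second else (None, 0)
    return {"total": total, "by_src": by_src, "by_dpt": by_dpt,
            "peak_second": peak_ts, "peak_count": peak}


def format_report(summary: dict, top: int = 5) -> str:
    """Plain-text excerpt suitable for pasting into an abuse report."""
    out = [f"logged packets: {summary['total']}",
           f"peak: {summary['peak_count']} logged packets at {summary['peak_second']}",
           "top sources:"]
    for src, n in summary["by_src"].most_common(top):
        out.append(f"  {src:<16} {n}")
    out.append("top destination ports:")
    for port, n in summary["by_dpt"].most_common(top):
        out.append(f"  {port:<16} {n}")
    return "\n".join(out)


if __name__ == "__main__":
    # On a live system, read /var/log/kern.log or /var/log/messages instead of SAMPLE_LOG
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

The per-second bucket is what answers the provider's "21001 packets/sec" claim with your own numbers, and the source list plus timestamps is what the abuse contact at the originating network needs; keep the raw matching log lines for the time window as well, since a summary alone is not evidence.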
#10 | 11th February 2006, 13:26 | falko (Super Moderator)

Since these traffic peaks are occurring regularly - is it maybe a cron job that is causing this? (Or is this just your nightly backup to the Strato FTP server?)