UDP Flood Attack

[dimas]

Please kindly help me with a problem.

I have ISPConfig 3 server (latest version, debian 64bit, perfect setup).

I've just received a call from my ISP and they said that they've received a complaint from a remote site administrator who's stating that they are under UDP Flood Attack from my IP.

This is the text of the complaint:
------------------------
Our network has been repeatedly attacked from this above marked IP with
UDP attacks. Please take actions to secure this machine, and prevent it
from attacking us (or anyone else). Attached are some truncated logs from
when we were under an attack from this IP.

The IP that was targetted was xxx.xxx.xxx.xxx

If it helps, other admins in the past have reported this issue was caused by an apache script exploit, most commonly log.php, which is actually a remote udp flood script.

Thanks for your attention and quick resolution of this matter.
------------------------

Well, there are no strange log.php files on the system.

Please kindly suggest what log file will help me to find out what is to blame for this behaviour.

Thank you!

[pititis]

You should check:

- active udp connections

Code:

netstat -uln

- rootkits

Code:

rkhunter --check

- phpshells and malware

Code:

clamscan -r /var/www/

Code:

clamscan -r /tmp/

There are many reasons. An user is using a phpshell,cgi, someone found a exploit in a plugin/code, a successful bruteforce attack to gain access to your system...I don't know, there are many situations

Do you allow cgi for your sites?Are you using fcgi+suexec?Do you disabled some php functions?Are you using suhosin?

Also check for unusual high cpu/processes!

Cheers!

[dimas]

Thanks I'll check all that.

I'm using fcgi+suexec for some sites, no suhosin.

By the way, I've spoken again with ISP - actually, this complaint, as it seems, is not substantiated by any logs that ISP itself is making - they can see no unusual activity from my IP.

So probably this is nothing after all. But I'll check everything anyway.