15th August 2012, 11:47
dimas
Senior Member
Join Date: Jul 2006
Posts: 125
Thanks: 7
Thanked 27 Times in 8 Posts
UDP Flood Attack

Please kindly help me with a problem.

I have ISPConfig 3 server (latest version, debian 64bit, perfect setup).

I've just received a call from my ISP and they said that they've received a complaint from a remote site administrator who's stating that they are under UDP Flood Attack from my IP.

This is the text of the complaint:
Our network has been repeatedly attacked from this above marked IP with
UDP attacks. Please take actions to secure this machine, and prevent it
from attacking us (or anyone else). Attached are some truncated logs from
when we were under an attack from this IP.

The IP that was targeted was xxx.xxx.xxx.xxx

If it helps, other admins in the past have reported this issue was caused by an apache script exploit, most commonly log.php, which is actually a remote udp flood script.

Thanks for your attention and quick resolution of this matter.

Well, there are no strange log.php files on the system.

Please kindly suggest what log file will help me to find out what is to blame for this behaviour.

Thank you!
15th August 2012, 13:44
pititis
Senior Member
Join Date: Dec 2010
Location: München
Posts: 364
Thanks: 39
Thanked 89 Times in 68 Posts

You should check:

- active udp connections:
  netstat -uln
- rootkits:
  rkhunter --check
- phpshells and malware:
  clamscan -r /var/www/
  clamscan -r /tmp/

There are many reasons. A user is using a phpshell or cgi, someone found an exploit in a plugin/code, a successful brute-force attack to gain access to your system... I don't know, there are many situations.

Do you allow cgi for your sites? Are you using fcgi+suexec? Have you disabled some php functions? Are you using suhosin?

Also check for unusual high cpu/processes!

15th August 2012, 14:02
dimas
Senior Member
Join Date: Jul 2006
Posts: 125
Thanks: 7
Thanked 27 Times in 8 Posts
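A small triage helper for the first and third checks above (added here as an example; it is not code from this thread or from ISPConfig). It parses `netstat -ulnp` output (the `-p` column gives the owning process) and flags UDP sockets held by anything other than an allow-list of expected daemons, then greps a web root for PHP files that open `udp://` sockets, the pattern a flood script such as the log.php named in the complaint relies on. The netstat sample is constructed; real output differs slightly between distributions.

```shell
#!/bin/sh
# Constructed sample of `netstat -ulnp` output (assumed layout, not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1101/named
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1180/ntpd
udp        0      0 0.0.0.0:43112           0.0.0.0:*                           8821/php-cgi'

# Print "pid/program" for every UDP socket whose program is not on the allow-list.
# $1: netstat text; remaining arguments: program names that are expected to hold UDP sockets.
# A php-cgi or apache2 process holding a UDP socket is the kind of hit worth looking at first.
flag_unexpected_udp() {
    text=$1; shift
    allowed=" $* "
    printf '%s\n' "$text" | awk '$1 == "udp" { print $NF }' | while IFS= read -r proc; do
        prog=${proc#*/}
        case "$allowed" in
            *" $prog "*) ;;                 # expected daemon, skip it
            *) printf '%s\n' "$proc" ;;     # unexpected owner, report it
        esac
    done
}

# List PHP files under $1 that open UDP sockets via fsockopen() or stream_socket_client().
# Complements the clamscan run: signature scanners miss freshly written flood scripts,
# while this call pattern is hard to avoid for a PHP UDP flooder.
find_udp_php() {
    grep -rlE '(fsockopen|stream_socket_client) *\( *["'"'"']udp://' "$1" 2>/dev/null
}

# Typical use on the real box (paths assumed):
#   flag_unexpected_udp "$(netstat -ulnp)" named ntpd dhclient
#   find_udp_php /var/www
```

Match the flagged PID against `ps -o user,etime,cmd -p PID` to see which site user and which script is behind it.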

Thanks I'll check all that.

I'm using fcgi+suexec for some sites, no suhosin.

By the way, I've spoken again with the ISP - actually, this complaint, as it seems, is not substantiated by any logs that the ISP itself is making - they can see no unusual activity from my IP.

So probably this is nothing after all. But I'll check everything anyway.