#1  
Old 15th August 2012, 10:47
dimas
Senior Member
 
Join Date: Jul 2006
Posts: 125
Thanks: 7
Thanked 27 Times in 8 Posts
UDP Flood Attack

Please kindly help me with a problem.

I have ISPConfig 3 server (latest version, debian 64bit, perfect setup).

I've just received a call from my ISP and they said that they've received a complaint from a remote site administrator who's stating that they are under UDP Flood Attack from my IP.

This is the text of the complaint:
------------------------
Our network has been repeatedly attacked from this above marked IP with
UDP attacks. Please take actions to secure this machine, and prevent it
from attacking us (or anyone else). Attached are some truncated logs from
when we were under an attack from this IP.

The IP that was targeted was xxx.xxx.xxx.xxx

If it helps, other admins in the past have reported this issue was caused by an apache script exploit, most commonly log.php, which is actually a remote udp flood script.

Thanks for your attention and quick resolution of this matter.
------------------------

Well, there are no strange log.php files on the system.

Please kindly suggest what log file will help me to find out what is to blame for this behaviour.

Thank you!
  #2  
Old 15th August 2012, 12:44
pititis
Senior Member
 
Join Date: Dec 2010
Location: München
Posts: 364
Thanks: 38
Thanked 88 Times in 68 Posts

You should check:

- active udp connections
Code:
netstat -uln
- rootkits
Code:
rkhunter --check
- phpshells and malware
Code:
clamscan -r /var/www/
clamscan -r /tmp/
There are many reasons. A user is using a phpshell or cgi, someone found an exploit in a plugin/code, a successful bruteforce attack gained access to your system... I don't know, there are many situations.

Do you allow cgi for your sites? Are you using fcgi+suexec? Have you disabled some php functions? Are you using suhosin?

Also check for unusually high cpu/processes!

Cheers!
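As an added example (not part of the thread and not ISPConfig's own code), the checks pititis lists above can be collected into one POSIX shell triage script. The default web root, the grep pattern used to spot PHP files that open UDP sockets, and the 7-day "recently changed" window are assumptions to tune; the demo web root it can create is a constructed fixture carrying only the socket-call signature.

```shell
#!/bin/sh
# udp_triage.sh: added triage helper, not code from the thread or from
# ISPConfig. It scripts the checks from the reply above (UDP sockets,
# rootkit/AV scanners, PHP files that open UDP sockets, busy processes).
# Assumptions: web root defaults to /var/www; the grep pattern and the
# "recent" window are heuristics you should tune for your sites.

# Flood scripts of the "log.php" family mentioned in the complaint open raw
# UDP sockets from PHP. These are the call shapes that do that.
UDP_PHP_PATTERN='(fsockopen|stream_socket_client)[[:space:]]*\([^)]*udp://|SOCK_DGRAM'

# 1. Sockets: every UDP socket with its owning process (needs root for -p).
#    ss replaces netstat on newer distributions; fall back if it is missing.
list_udp_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -uanp 2>/dev/null
    else
        netstat -uanp 2>/dev/null
    fi
}

# 2. PHP files under a web root that open UDP sockets; one path per line.
#    Legitimate syslog/statsd clients also use udp://, so review each hit.
find_udp_socket_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -l -E "$UDP_PHP_PATTERN" {} + 2>/dev/null | sort
}

# 3. PHP files modified in the last N days (a dropped shell is usually
#    newer than the site around it). Args: web root, days.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# 4. Ten busiest processes by CPU; a flooder normally sits at the top.
#    The header row sorts last because its %CPU field is not numeric.
top_cpu_processes() {
    ps -eo pid,user,pcpu,etime,args 2>/dev/null | sort -k3,3 -rn | head -n 10
}

# 5. The scanners from the reply, run only if installed. --sk skips the
#    keypress prompts, --rwo prints warnings only, -i lists infected files only.
run_scanners() {
    command -v rkhunter >/dev/null 2>&1 && rkhunter --check --sk --rwo
    command -v clamscan >/dev/null 2>&1 && clamscan -r -i "$1" /tmp
    return 0
}

# Full run over one web root (default /var/www, an assumption).
triage() {
    webroot=${1:-/var/www}
    echo "== UDP sockets =="; list_udp_sockets
    echo "== PHP files opening UDP sockets under $webroot =="; find_udp_socket_php "$webroot"
    echo "== PHP files changed in the last 7 days =="; recent_php_files "$webroot" 7
    echo "== Top CPU consumers =="; top_cpu_processes
    echo "== Scanners =="; run_scanners "$webroot"
}

# Constructed fixture for trying the file checks offline: an old, benign
# index.php and a freshly dropped uploads/log.php that carries the socket
# signature (signature only, not a working script). Prints the root path.
make_demo_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads"
    printf '%s\n' '<?php echo "hello"; ?>' > "$root/index.php"
    touch -t 201201010000 "$root/index.php"
    printf '%s\n' '<?php $s = fsockopen("udp://$host", $port, $en, $es, 5); ?>' \
        > "$root/uploads/log.php"
    echo "$root"
}

# Usage: WEBROOT=/var/www sh udp_triage.sh   (as root, to see socket owners)
if [ -n "${WEBROOT:-}" ]; then
    triage "$WEBROOT"
fi
```

Run it as root so `ss -p`/`netstat -p` can show which process owns each UDP socket; a hit from `find_udp_socket_php` should be read next to `recent_php_files` and the top-CPU list, since a recently modified file that opens UDP sockets and a PHP worker pinned at 100% CPU together point at the same thing. Expect some false positives from the pattern (monitoring and logging libraries use `udp://` legitimately), so treat the list as review input, not a verdict.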
  #3  
Old 15th August 2012, 13:02
dimas
Senior Member
 
Join Date: Jul 2006
Posts: 125
Thanks: 7
Thanked 27 Times in 8 Posts
 

Thanks I'll check all that.

I'm using fcgi+suexec for some sites, no suhosin.

By the way, I've spoken again with the ISP - actually, this complaint, as it seems, is not substantiated by any logs that the ISP itself is keeping - they can see no unusual activity from my IP.

So probably this is nothing after all. But I'll check everything anyway.