Urgent. Server used for SYN flood attack
I have a server with Ubuntu 10.04 LTS and ISPConfig 3.
I use it for some Joomla sites, and some other self-composed sites.
The server now seems to be used to run SYN flood attack to some destinations.
So I think one of the websites has a security issue, and a script is run.
When I shut down apache, the activity stops.
But I have a hard time tracking down which website it is, and where the script is. When I know this, the security issue must be dealt with.
I do not want my server being used to cause trouble for others.
I need some quick help here, how do I find which file the SYN flood originates from?
Any way to use lsof, netstat or something?
netstat shows me the connections, but not where they were initialized from.