  #1  
20th August 2012, 11:57
Hagforce
Senior Member
 
Urgent. Server used for SYN flood attack

Hi

I have a server with Ubuntu 10.04 LTS and ISPConfig 3.
I use it for some Joomla sites, and some other self-composed sites.

The server now seems to be used to run a SYN flood attack on some destinations.
So I think one of the websites has a security issue, and a script is being run.
When I shut down apache, the activity stops.

But I have a hard time tracking down which website it is, and where the script is. When I know this, the security issue must be dealt with.
I do not want my server being used to cause trouble for others.

I need some quick help here, how do I find which file the SYN flood originates from?
Any way to use lsof, netstat or something?
netstat shows me the connections, but not where they were initialized from.
  #2  
20th August 2012, 12:02
till
Super Moderator
 

Which PHP mode do you use in your sites? If you use php-fcgi with suexec on, then you can see with "ps" and "top" which site is having the high activity, as each site then runs under its own Linux user.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following User Says Thank You to till For This Useful Post:
Hagforce (23rd August 2012)
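
Added example, not part of any post in this thread: building on till's point that with php-fcgi and suexec each site runs under its own Linux user, this counts half-open outbound connections (SYN_SENT) per owning UID from a table in /proc/net/tcp format. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Count outbound half-open TCP connections (state 02 = SYN_SENT) per owning
# UID from a table in /proc/net/tcp format. Output: "count uid", busiest first.
# Function names are hypothetical helpers, not part of any existing tool.
syn_sent_by_uid() {
    # Field 4 is the socket state, field 8 the UID that owns the socket.
    awk 'NR > 1 && $4 == "02" { n[$8]++ }
         END { for (u in n) print n[u], u }' "${1:-/proc/net/tcp}" | sort -rn
}

# Same counts with each UID resolved to its user name (the per-site user).
syn_sent_report() {
    syn_sent_by_uid "$@" | while read -r count uid; do
        name=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1) || true
        printf '%s SYN_SENT sockets: uid %s (%s)\n' \
            "$count" "$uid" "${name:-no passwd entry}"
    done
}

# Constructed sample table (not captured from a real host): uid 5004 owns
# three SYN_SENT sockets, uid 5001 one, uid 33 only an established connection.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001
   1: 0A0200C0:C350 076433C6:0050 02 00000001:00000000 01:00000064 00000001  5004        0 10002
   2: 0A0200C0:C351 076433C6:0050 02 00000001:00000000 01:00000064 00000001  5004        0 10003
   3: 0A0200C0:C352 076433C6:0050 02 00000001:00000000 01:00000064 00000001  5004        0 10004
   4: 0A0200C0:C353 057100CB:0050 02 00000001:00000000 01:00000064 00000001  5001        0 10005
   5: 0A0200C0:0050 057100CB:D431 01 00000000:00000000 00:00000000 00000000    33        0 10006
EOF
}

# Demo on the constructed sample; "-" makes awk read the table from stdin.
sample_table | syn_sent_report -
```

On a live host, call `syn_sent_report` with no argument to read /proc/net/tcp; /proc/net/tcp6 has the same columns. Packets sent through raw sockets do not create entries in this table, so an empty result does not rule out every kind of flood.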
  #3  
21st August 2012, 13:08
Hagforce
Senior Member
 

Thanks.

I'm having a hard time finding the source.
Is there a way to shut down sites completely in ISPConfig?
Then I can test one site at a time.

I tried the enable checkbox under site, but it does not seem to shut it down.
  #4  
21st August 2012, 15:10
till
Super Moderator
 

Quote:
Is there a way to shut down sites completely in ISPConfig?
Each site has an "active" checkbox in the site settings; uncheck the checkbox and press Save to disable the site. This removes the site completely from the apache configuration within 60 seconds after you pressed the button.
The Following User Says Thank You to till For This Useful Post:
Hagforce (23rd August 2012)
  #5  
23rd August 2012, 13:24
Hagforce
Senior Member
 

Thanks till

I also found an application called jnettop.
It's really helpful for finding what generates traffic etc.
http://jnettop.kubs.info/wiki/
The Following User Says Thank You to Hagforce For This Useful Post:
till (23rd August 2012)
All times are GMT +2.

