UDP Flood Attack

Discussion in 'General' started by dimas, Aug 15, 2012.

  1. dimas

    dimas Member

    Please kindly help me with a problem.

    I have ISPConfig 3 server (latest version, debian 64bit, perfect setup).

    I've just received a call from my ISP and they said that they've received a complaint from a remote site administrator who's stating that they are under UDP Flood Attack from my IP.

    This is the text of the complaint:
    Our network has been repeatedly attacked from this above marked IP with
    UDP attacks. Please take actions to secure this machine, and prevent it
    from attacking us (or anyone else). Attached are some truncated logs from
    when we were under an attack from this IP.

    The IP that was targeted was xxx.xxx.xxx.xxx

    If it helps, other admins in the past have reported this issue was caused by an apache script exploit, most commonly log.php, which is actually a remote udp flood script.

    Thanks for your attention and quick resolution of this matter.

    Well, there are no strange log.php files on the system.

    Please kindly suggest what log file will help me to find out what is to blame for this behaviour.

    Thank you!
  2. pititis

    pititis Member

    You should check:

    - active udp connections
    netstat -uln
    - rootkits
    rkhunter --check
    - phpshells and malware
    clamscan -r /var/www/
    clamscan -r /tmp/

    There are many reasons. A user is using a phpshell, cgi, someone found an exploit in a plugin/code, a successful bruteforce attack to gain access to your system... I don't know, there are many situations.

    Do you allow cgi for your sites? Are you using fcgi+suexec? Have you disabled some php functions? Are you using suhosin?

    Also check for unusual high cpu/processes!

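The checks pititis lists (UDP sockets, busy processes, PHP files in the web root) can be wrapped into a small triage script. The following is an added example, not code from the thread or from the ISPConfig project; it assumes a Debian-style host where `ss` or `netstat`, GNU `ps` and `find` are available for the live checks, and it builds a constructed sample web root under `mktemp` so the file scan can be tried without touching `/var/www`. Hits on `udp://` or `SOCK_DGRAM` are indicators to review by hand, not proof of a flood script, since a legitimate syslog or statsd client can use the same calls.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for an "UDP flood from
# your IP" abuse report. Live checks assume Debian-style tooling.

# UDP sockets together with the owning process (needs root for the -p column).
udp_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ulnp
    else
        netstat -ulnp
    fi
}

# Processes above a CPU threshold (default 50 %), highest first. GNU ps only.
busy_processes() {
    threshold="${1:-50}"
    ps -eo pid,user,pcpu,etime,args --sort=-pcpu \
        | awk -v t="$threshold" 'NR == 1 || $3 + 0 > t'
}

# PHP files under a web root that open raw UDP sockets: the signature of the
# "remote udp flood" scripts named in the complaint. One path per line.
# No hits is a clean result, not an error, hence the trailing "|| true".
find_udp_php() {
    root="$1"
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE 'udp://|SOCK_DGRAM' {} + 2>/dev/null || true
}

# PHP files modified in the last N days (default 7): dropped shells are
# usually newer than the site they sit in.
recent_php_files() {
    root="$1"
    days="${2:-7}"
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -mtime "-$days"
}

# Constructed sample tree for trying the file checks offline. The fake
# uploads/log.php only opens a datagram socket; it is an indicator, not an
# attack script.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/site1/web" "$dir/site2/web/uploads"
    cat > "$dir/site1/web/index.php" <<'EOF'
<?php echo "hello"; ?>
EOF
    cat > "$dir/site2/web/uploads/log.php" <<'EOF'
<?php
// constructed sample: opens a UDP socket to a caller-supplied host and port
$fp = fsockopen("udp://" . $_GET['h'], (int) $_GET['p']);
EOF
    printf '%s\n' "$dir"
}

# Usage on the live host (run as root):
#   udp_listeners
#   busy_processes 50
#   find_udp_php /var/www
#   recent_php_files /var/www 7
```

On an ISPConfig host the per-site `web/` directories and any upload folders writable by the PHP user are the first places to read the hits from, and a match in a file the site owner does not recognise is what to hand to the ISP together with the `ss -ulnp` output.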
  3. dimas

    dimas Member

    Thanks I'll check all that.

    I'm using fcgi+suexec for some sites, no suhosin.

    By the way, I've spoken again with ISP - actually, this complaint, as it seems, is not substantiated by any logs that ISP itself is making - they can see no unusual activity from my IP.

    So probably this is nothing after all. But I'll check everything anyway.
