Urgent. Server used for SYN flood attack

Discussion in 'Server Operation' started by Hagforce, Aug 20, 2012.

  1. Hagforce

    Hagforce New Member

    Hi

    I have a server with Ubuntu 10.04 LTS and ISPConfig 3.
    Use it for some Joomla sites, and som other self composed sites.

    The server now seems to be used to run SYN flood attack to some destinations.
    So I think one of the websites have a security issue, and a script is run.
    When I shut down apache, the activity stops.

    But I have a hard time tracking down witch website it is, and where the script is. When I know this, the security issue must be dealt with.
    I do not want my server being used to cause trouble for others.

    I need some quick help here, how do I find witch file the SYN flood originates?
    Any way to use lsof, netstat or something?
    netstat shows me the connections, but not where they where initialized from.
     
  2. till

    till Super Moderator

    Which php mode do you use in your sites? If you use php-fcgi with suexec on, then you can see with "ps" and "top" which site is having the high activity as each site runs under its own linux user then.
     
  3. Hagforce

    Hagforce New Member

    Thanks.

    I`m having a hard time finding the source.
    Is there a way to shut don sites completly in ISPConfig?
    Then I can test one and one site.

    Tried the enable checkbox under site, but it does not seem to shut it down.
     
  4. till

    till Super Moderator

    Each site has a "active" checkbox in the site settings, uncheck the checkbox and press on save to disable the site. This remove sthe site completely from the apache configuration within 60 seconds after you pressed the button.
     
  5. Hagforce

    Hagforce New Member

Share This Page