#1 (permalink)  
Old 04-05-2006, 05:49 AM
Registered User
 
Join Date: Feb 2004
Posts: 65
redlorry919
BFD tmp directory issues - Compromised

Hi All,

I woke up this morning to find that one of my boxes had just gone down. After the usual reboot and 50 panic emails from customers I looked into what the issue may have been. Instantly in 'WHM|CPU/Memory/MySQL Usage' I could see the following information:

root 148.08 35.25 1.9
Top Process %CPU 91.5 grep -vf /usr/local/bfd/tmp/attack.pool.tmp
Top Process %CPU 89.7 grep -vf /usr/local/bfd/tmp/attack.pool.tmp
Top Process %CPU 87.1 grep -vf /usr/local/bfd/tmp/attack.pool.tmp

I've previously tried tracing where these things come from; however, in my experience they can be a pain to track down, so I simply deleted the bfd folder. (I think bfd is an add-on for SSH.)

Then, I decided to check out all my other servers and, believe it or not, all of them (5 in total) had this process running. I've now removed the bfd folder from all servers but just wondered if anyone could shed any further light on what is happening?

Has anyone seen this before? Has anyone checked their CPU/mySQL load lately...!

Cheers,
Red.
  #2 (permalink)  
Old 04-05-2006, 06:14 AM
Registered User
 
Join Date: Jan 2005
Posts: 1,874
webignition is on a distinguished road
BFD (Brute Force Detector) is a cron-controlled script that frequently checks log files for signs of brute force attacks - http://www.rfxnetworks.com/bfd.php

/usr/local/bfd/tmp/attack.pool contains a list of IP addresses and services, where the IP addresses are the sources of brute force attacks and the services are the services a given IP tried to attack. /usr/local/bfd/tmp/attack.pool.tmp would be a temporary copy of this file.

I imagine that the command 'grep -vf /usr/local/bfd/tmp/attack.pool.tmp' would be BFD trying to process one of its data files - nothing more, nothing less.

If this process is taking up a huge amount of resources then it is not running correctly. Perhaps /usr/local/bfd/tmp/attack.pool.tmp was corrupt or contained so many records that it was taking a long time to process.

I'd recommend removing and reinstalling BFD. You might want to contact the makers of BFD to determine how to do this if you've deleted /usr/local/bfd.

In the future, remember not to panic!
  #3 (permalink)  
Old 04-05-2006, 06:17 AM
Registered User
 
Join Date: Feb 2004
Posts: 65
redlorry919
Ahh, thanks webignition for the info. It seems strange though that this was happening on all servers. The only way I could stabilise the server was to remove the program, so unfortunately this was the only temporary option.

Do you know how useful this program is? i.e. is it worth getting re-installed?

Red.
  #4 (permalink)  
Old 04-05-2006, 06:39 AM
Registered User
 
Join Date: Jan 2005
Posts: 1,874
webignition is on a distinguished road
It detects brute force attacks by checking log files for signs of various authentication failures.

It then, via APF and iptables, blocks the attacking IP from the server.

So yes, it can be quite useful.
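The detect-then-block loop webignition describes in posts #2 and #4 (scan the auth log for failures, keep a pool of "ip:service" entries, block the offenders), written out as an added example. This is not code from the original thread and not BFD's own script. The log lines, the pool contents, the 5-failure threshold and the "ip:service" line shape are all constructed assumptions for the demo; the iptables commands are only printed, not executed. The grep step also shows the caveat behind the CPU spike in post #1: `grep -vf` treats every pool line as an unanchored regular expression, so a large pool makes each pass expensive, whereas `-F -x` compares fixed whole lines.

```shell
#!/bin/sh
# Constructed sample of sshd auth-log lines (not taken from any real host).
SAMPLE_LOG='Apr  5 05:40:01 host sshd[2201]: Failed password for root from 203.0.113.10 port 4011 ssh2
Apr  5 05:40:02 host sshd[2202]: Failed password for root from 203.0.113.10 port 4012 ssh2
Apr  5 05:40:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 4013 ssh2
Apr  5 05:40:04 host sshd[2204]: Failed password for root from 203.0.113.10 port 4014 ssh2
Apr  5 05:40:05 host sshd[2205]: Failed password for root from 203.0.113.10 port 4015 ssh2
Apr  5 05:41:10 host sshd[2210]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Apr  5 05:41:12 host sshd[2211]: Accepted password for bob from 198.51.100.7 port 5001 ssh2
Apr  5 05:42:00 host sshd[2220]: Failed password for root from 192.0.2.44 port 6001 ssh2
Apr  5 05:42:01 host sshd[2221]: Failed password for root from 192.0.2.44 port 6002 ssh2
Apr  5 05:42:02 host sshd[2222]: Failed password for root from 192.0.2.44 port 6003 ssh2
Apr  5 05:42:03 host sshd[2223]: Failed password for root from 192.0.2.44 port 6004 ssh2
Apr  5 05:42:04 host sshd[2224]: Failed password for root from 192.0.2.44 port 6005 ssh2
Apr  5 05:42:05 host sshd[2225]: Failed password for root from 192.0.2.44 port 6006 ssh2'

# Constructed attack pool in the "ip:service" shape the thread describes
# (assumed format). 192.0.2.44 is already known and must not be re-reported.
KNOWN_POOL='192.0.2.44:sshd
203.0.113.99:sshd'

# Failures per source IP before it counts as a brute force source (assumed).
THRESHOLD=5

# count_failures: print "ip count" for every source IP with failed sshd logins.
# Accepted logins are ignored, so a user who mistypes once is not counted twice.
count_failures() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk '{ print $2, $1 }'
}

# offenders: IPs at or above THRESHOLD, emitted as "ip:sshd" pool entries.
offenders() {
    count_failures | awk -v t="$THRESHOLD" '$2 >= t { print $1 ":sshd" }'
}

# new_offenders: offenders not already in the pool.
# -F reads the pool as fixed strings and -x matches whole lines only, which is
# far cheaper than a regex pattern file and stops "1.2.3.4" matching "11.2.3.45".
new_offenders() {
    pool=$(mktemp)
    printf '%s\n' "$KNOWN_POOL" > "$pool"
    offenders | grep -vFxf "$pool" || true
    rm -f "$pool"
}

# block_rules: the firewall rules a blocker would add for the new offenders.
# Printed only; a real deployment would hand these to APF/iptables.
block_rules() {
    new_offenders | cut -d: -f1 | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

echo "--- failures per IP ---";  count_failures
echo "--- new pool entries ---"; new_offenders
echo "--- rules to apply ---";   block_rules
```

Run it with `sh` on any Linux or BSD host; only POSIX tools (grep, sed, awk, sort, uniq, mktemp) are used. The same three functions work on a real `/var/log/secure` if `SAMPLE_LOG` is replaced by a `cat` of the file, but keep the `-F -x` form of the pool comparison so the pass stays cheap as the pool grows.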