BFD tmp directory issues - Compromised

Discussion in 'General Discussion' started by redlorry919, Apr 5, 2006.

  1. redlorry919 (Well-Known Member, joined Feb 14, 2004)

    Hi All,

    I woke up this morning to find that one of my boxes had just gone down. After the usual reboot and 50 panic emails from customers I looked into what the issue may have been. Instantly in 'WHM|CPU/Memory/MySQL Usage' I could see the following information:

    root 148.08 35.25 1.9
    Top Process %CPU 91.5 grep -vf /usr/local/bfd/tmp/attack.pool.tmp
    Top Process %CPU 89.7 grep -vf /usr/local/bfd/tmp/attack.pool.tmp
    Top Process %CPU 87.1 grep -vf /usr/local/bfd/tmp/attack.pool.tmp

    I've previously tried tracing where these things come from however in my experience they can be a pain to track down so I simply deleted the bfd folder. (I think bfd is an addon for SSH).

    Then, I decided to checkout all my other servers and believe it or not all of them (5 in total) had this process running. I've now removed the bfd folder from all servers but just wondered if anyone could shed any further light on what is happening?

    Has anyone seen this before? Has anyone checked their CPU/mySQL load lately...!

    Cheers,
    Red.
     
  2. webignition (Well-Known Member, joined Jan 22, 2005)

    BFD (brute force detector) is a cron controlled script that frequently checks log files for signs of brute force attacks - http://www.rfxnetworks.com/bfd.php

    /usr/local/bfd/tmp/attack.pool contains list of IP addresses and services, where the ip addresses are the source of brute force attacks and the services are the services a given ip tried to attack. /usr/local/bfd/tmp/attack.pool.tmp would be a temporary copy of this file.

    I imagine that the command 'grep -vf /usr/local/bfd/tmp/attack.pool.tmp' would be BFD trying to process one of its data files - nothing more, nothing less.

    If this process is taking up a huge amount of resources then it is not running correctly. Perhaps /usr/local/bfd/tmp/attack.pool.tmp was corrupt or contained so many records that it was taking a long time to process.

    I'd recommend removing and reinstalling BFD. You might want to contact the makers of BFD to determine how to do this if you've deleted /usr/local/bfd.

    In the future, remember not to panic!
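To make the explanation above concrete, here is a small shell sketch of the pass webignition describes (added for illustration; this is not BFD's own code). It reads constructed sshd log lines, counts failed logins per source IP, and filters out IPs already listed in a constructed attack.pool with grep -vf, showing why a corrupted pool file (a stray blank line) makes that grep misbehave and how anchored fixed-string matching avoids it. The threshold, file paths under a temp directory and all sample data are assumptions.

```shell
#!/bin/sh
# Added example (not BFD's own code): a minimal version of the pass
# webignition describes. Sample log lines, the attack.pool contents and
# the failure threshold are constructed for the demonstration.

WORK=$(mktemp -d)

# Constructed sshd log lines: 203.0.113.7 fails three times, 198.51.100.9
# three times (already in the pool), 192.0.2.45 once.
cat > "$WORK/auth.log" <<'EOF'
Apr  5 03:01:10 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2
Apr  5 03:01:12 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Apr  5 03:01:15 host sshd[1003]: Failed password for root from 203.0.113.7 port 4412 ssh2
Apr  5 03:02:01 host sshd[1004]: Failed password for root from 198.51.100.9 port 5000 ssh2
Apr  5 03:02:03 host sshd[1005]: Failed password for root from 198.51.100.9 port 5001 ssh2
Apr  5 03:02:05 host sshd[1006]: Failed password for root from 198.51.100.9 port 5002 ssh2
Apr  5 03:03:00 host sshd[1007]: Accepted publickey for deploy from 192.0.2.44 port 6000 ssh2
Apr  5 03:04:00 host sshd[1008]: Failed password for root from 192.0.2.45 port 6100 ssh2
EOF

# Constructed attack.pool ("IP service" per line) with a stray blank line,
# the kind of corruption that would explain the grep misbehaving.
printf '198.51.100.9 sshd\n\n' > "$WORK/attack.pool"

# IPs with at least $1 failed logins in log $2 (the IP is the 4th field
# from the end of a "Failed password" line).
offenders() {
    awk -v min="$1" '/Failed password/ { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }' "$2" | sort
}

# Naive filter: feed the pool's IP column straight to grep -vf. Every line
# is an unanchored regex, so "." matches any character and the blank line
# matches everything, which makes -v suppress all candidates.
naive_new_offenders() {
    cut -d' ' -f1 "$3" > "$WORK/attack.pool.tmp"
    offenders "$1" "$2" | grep -vf "$WORK/attack.pool.tmp" || true
}

# Safer filter: drop blank lines and compare as fixed strings that must
# match the whole line (-x -F), so only exact, already-known IPs are removed.
new_offenders() {
    cut -d' ' -f1 "$3" | grep -v '^$' > "$WORK/attack.pool.tmp" || :
    offenders "$1" "$2" | grep -vxF -f "$WORK/attack.pool.tmp" || true
}

# new_offenders 3 "$WORK/auth.log" "$WORK/attack.pool"   -> 203.0.113.7
```

The naive variant returns nothing at all for the same input, which is the silent failure mode to watch for when a pool file is corrupt; a very large pool of unanchored patterns is also what makes such a grep consume CPU for a long time.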
     
  3. redlorry919 (Well-Known Member, joined Feb 14, 2004)

    Ahh, thanks webignition for the info. Seems strange though that this was happening on all servers. The only way I could stabilise the server was to remove the program, so unfortunately this was the only temporary option.

    Do you know how useful this program is? i.e. is it worth getting re-installed?

    Red.
     
  4. webignition (Well-Known Member, joined Jan 22, 2005)

    It detects brute force attacks by checking log files for signs of various authentication failures.

    It then, via iptables via APF, blocks the attacking IP from the server.

    So yes, it can be quite useful.
     