The Community Forums


ddos attack, how to prevent?

Discussion in 'General Discussion' started by Tagor, May 13, 2004.

  1. Tagor

    Tagor Well-Known Member

    Joined:
    Mar 6, 2004
    Messages:
    193
    Likes Received:
    0
    Trophy Points:
    16
    Recently someone did a ddos attack on our server. It used a full 100mbit line. Here is a line that it logged:
    Top Process %CPU 73.0 ./f3.c IP.AD.DR.ESS 50000 10000

    Can someone tell me what ./f3.c is? And how can I prevent another ddos attack from this user? I added it using SSH to "iptables" and REJECTed it. Is this enough? Or do I need to install a third-party firewall?
     
  2. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    That is why you need to limit who you give shell access to. I would suggest having them sign some form saying they will not abuse it (in legalese of course) and fax you a photocopy of their driver's license. That way if they do something bad you at least have all of their contact information. Was that program even launched by a legit shell user or is there a possibility you were rooted?

    I have not seen f3.c but it looks like a ddos program with the use of ipaddress and the other numbers are probably packet size and number of packets to send.

    Without knowing what port it is on it would be pretty hard to restrict access via iptables. The best method is to not give shell access out or if you do only to a few selected people. You *might* be able to limit outbound connections but that would take a lot of configuration.
     
  3. Tagor

    There is no one who has shell access, only me.
     
  4. eth00

    Was that process running as root? It is sounding like your server has been compromised (rooted).

    I would search the drive and find that program. Even if it was not root, you were probably still hacked; I would double check that the user it is running under does not have shell access. If nobody really does then you have been rooted and you are not in the best situation. You might be able to clean it up but I (as many others say) would suggest you get the server formatted. The cracker has probably backdoored your server and can probably get into your server at will. You might run chkrootkit out of curiosity and see if it will pick anything else up.
     
  5. Tagor

    It was run several times by nobody. I have blocked the IP address of the possible hacker and now I don't have any problems anymore. Could you tell me what you mean with "rooted"? (I am Dutch so my English is not very good).

    Could you also tell me how to search on the drive and how to run "chkrootkit"?

    Many many thanks in advance!!
     
  6. eth00

    This will show you how to install and run chkrootkit
    http://forums.ev1servers.net/showthread.php?s=&threadid=7535&highlight=chkrootkit


    rooted means:
    hacked, compromised

    According to urbandictionary:
    v. past: To have your computer compromised; to have an attacker gain unauthorized root access.


    Basically it means that there may be a hacker on your computer. The ip address that you saw in the program was the computer he was attacking, so blocking it would have no bearing.

    Since it is run as nobody it is possible that he got in through using the /temp or /tmp to download and run something. Have you secured your /tmp to prevent noexec?

    I would start off with the chkrootkit and see what that yields. By the sounds of it you might have to wipe (format, clear, start fresh) your server.
     
  7. Tagor

    Many thanks!

    I will run that program.

    Can you tell me how to prevent noexec in the /tmp? I am not sure if this is already done in cPanel.
     
    #7 Tagor, May 13, 2004
    Last edited: May 13, 2004
  8. eth00

    You can run the /scripts/securetmp, though it does adjust your disk partitions so be aware you might run into trouble.

    If you run 'df -h' in console you should see something mounted as /tmp if not then you do not have the temp secured.

    http://forums.cpanel.net/showthread...&perpage=15&highlight=secure tmp&pagenumber=2
    Somebody there explained how he did it manually if you want to try it that way.

    Both methods involve some risk because you are adjusting the partitions sizes on a live machine.
     
  9. Tagor

    I just ran the program. And it shows "not found" everywhere. So that should be ok :). However it also outputs some suspect files. Could you have a look at them? I am not sure if this is ok.

    I have attached the file.

    Many thanks again!
     

    Attached Files:

    • log.txt
      File size:
      10.5 KB
      Views:
      97
  10. eth00

    Look at the bottom

    You DO have a rootkit installed. Unfortunately I did a quick search on google and after a few minutes did not see any information about the LOC rootkit. However we do know that your server has been compromised and it is not safe to keep it running. Chances are the cracker has unlimited access to your system and can do whatever he wants. He might hack other machines or attack other computers.

    The best bet is to make full backups and have your datacenter reformat your server. Then make sure to secure your server once you get it back. I would be very cautious if you try and just clean this up yourself; a good cracker might install various other methods of getting in AND might make it undetectable by chkrootkit. The only sure way he is off is if you format.
     
  11. Tagor

    df -h shows the following:
    Filesystem Size Used Avail Use% Mounted on
    /dev/hda7 1012M 66M 895M 7% /tmp
     
  12. eth00

    What does the output of this show:
    # cat /etc/fstab



    It still does not change that you really should get your server formatted though.
     
  13. Tagor

    Can't I uninstall that rootkit? Or couldn't this be a program of cPanel or so?

    I ran some updates today so it may have secured the server. However it has always been up to date, so how is it possible that he gained access?

    ---------
    root@server [~]# cat /etc/fstab
    /dev/hda1 /boot ext3 defaults 1 1
    /dev/hda2 / ext3 defaults,usrquota 1 1
    none /dev/pts devpts gid=5,mode=620 0 0
    /dev/hda8 /home ext3 defaults,usrquota 1 2
    none /proc proc defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    /dev/hda7 /tmp ext3 defaults 1 2
    /dev/hda5 /var ext3 defaults,usrquota 1 2
    /dev/hda6 /usr ext3 defaults,usrquota 1 2
    /dev/hda3 swap swap defaults 0 0
    ------------
     
  14. Tagor

    Just also found f3.c. It is located in the temp folder. Shall I post the program here?
     
  15. eth00

    Uninstall - not really. I do not know all the files that it installs and it is still VERY risky. He might have done other things to the server which are not detected. Without something like tripwire installed it is impossible to be 100% sure you cleaned it all.


    No, it is not part of cPanel in any way; it is a computer hacking program.


    There are almost always ways into a server even if you think it is totally secured. By the looks of it he might have gotten in via /tmp allowing him to inject certain things into php. It is difficult to explain but unfortunately starting to become more common.


    /tmp is not set up to 'noexec'; instead it is just using defaults. That means he *might*/probably got in that way using php injection.
     
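The fstab check eth00 describes (a /tmp entry mounted with plain `defaults` instead of `noexec`), turned into a script. This is an added example, not code from the thread or from cPanel's `/scripts/securetmp`: it parses fstab text, reports which of `noexec`, `nosuid` and `nodev` are missing on temp-style mounts, and rewrites the entry with them added. The sample input is the fstab Tagor posted above; `/var/tmp` is included in the checked mount points as an assumption about what a practitioner would also want covered.

```python
"""Check an fstab for temp mounts that lack noexec/nosuid/nodev.

Added example, not code from the thread or from cPanel. It parses fstab text,
reports which hardening options are missing on /tmp-style mounts, and rewrites
an entry with the options added. SAMPLE_FSTAB is the fstab posted in the thread.
"""

# Mount points where nothing the web server (or anyone else) writes should be
# executable. /var/tmp is an assumed addition; the thread only discusses /tmp.
TEMP_MOUNTS = ("/tmp", "/var/tmp", "/dev/shm")
# What 'secure tmp' amounts to: no execution, no setuid binaries, no device nodes.
HARDENING = ("noexec", "nosuid", "nodev")

SAMPLE_FSTAB = """\
/dev/hda1 /boot ext3 defaults 1 1
/dev/hda2 / ext3 defaults,usrquota 1 1
none /dev/pts devpts gid=5,mode=620 0 0
/dev/hda8 /home ext3 defaults,usrquota 1 2
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda7 /tmp ext3 defaults 1 2
/dev/hda5 /var ext3 defaults,usrquota 1 2
/dev/hda6 /usr ext3 defaults,usrquota 1 2
/dev/hda3 swap swap defaults 0 0
"""


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, option_list) per entry, skipping comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: a usable entry needs at least four fields
        yield fields[0], fields[1], fields[2], fields[3].split(",")


def check_tmp_mounts(text):
    """Return {mountpoint: [missing options]} for each temp mount that is not
    fully hardened; an empty dict means every temp mount in the fstab carries
    noexec, nosuid and nodev. A temp directory with no entry at all is not
    reported: it then lives on the parent filesystem with that filesystem's
    options, which is what 'df -h' showing no /tmp line means in eth00's check."""
    findings = {}
    for _dev, mnt, _fstype, opts in parse_fstab(text):
        if mnt in TEMP_MOUNTS:
            missing = [o for o in HARDENING if o not in opts]
            if missing:
                findings[mnt] = missing
    return findings


def harden_entry(line):
    """Return the fstab line with any missing hardening options appended.
    'defaults,noexec,nosuid,nodev' is valid: later options refine 'defaults'."""
    fields = line.split()
    opts = fields[3].split(",")
    for o in HARDENING:
        if o not in opts:
            opts.append(o)
    fields[3] = ",".join(opts)
    return " ".join(fields)


def hardened_fstab(text):
    """Rewrite every temp-mount entry in the fstab text; other lines pass through."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        is_entry = len(fields) >= 4 and not raw.lstrip().startswith("#")
        if is_entry and fields[1] in TEMP_MOUNTS:
            out.append(harden_entry(raw))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for mnt, missing in check_tmp_mounts(SAMPLE_FSTAB).items():
        print(f"{mnt}: missing {','.join(missing)}")
    print(hardened_fstab(SAMPLE_FSTAB))
```

On the thread's fstab this flags both `/tmp` and `/dev/shm`. Because `/tmp` already has its own partition here, the options can be applied to the running mount with `mount -o remount,noexec,nosuid,nodev /tmp` after editing fstab, with no repartitioning. `noexec` is a mitigation, not a cleanup: an interpreter can still be pointed at a script sitting in /tmp, and the option does nothing about a rootkit that is already installed, which is why eth00's advice to reformat stands regardless.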
  16. Tagor

    My NOC shut down the server after it has been using 100mbit for one hour. I also found a tar.gz file in the temp. He may have unzipped that package.

    http://www.google.nl/search?q=psy.tar.gz

    I could post the file here. Below you will see other files in the /tmp. I have removed the session/cpanel.tmp/horde files...

    ---------
    root@server [/tmp]# dir
    lost+found/
    map*
    mysql.sock@
    nmap.c*
    .bash_history
    psybnc/
    bd*
    psy.tar.gz
    bd.1
    brk2*
    c5*
    cgi*
    f3.c*
    kmod*
    kmx*
    kmx.2*
    loc
    xp*
    localroot
    xpl*
    ---------
     
  17. eth00

    See all the things with *, those are hacks or something that he can use to attack other people.

    The psy.tar.gz is something called psybnc. Basically it is a proxy server for IRC (Internet Relay Chat). It might be interesting to look at the config file for it. You might also be able to track him down after looking at how he is connecting to it, though having any legal action taken against him would be pretty hard.


    Like I said I am unfamiliar with the LOC toolkit but with what he has there he could have done anything that he wanted. You might be able to clean out the /tmp and have everything be ok BUT I WOULD REALLY SUGGEST AGAINST IT. If I had to guess he had some sort of backdoor that will let him get into your server.

    There are a few things you could do to sort of have your server limp along even with the cracks but I would really really really suggest against it.
     
  18. Tagor

    Could you tell me how to download these files to my computer? So I can delete everything in /tmp? Or only those files with a * and the .tar.gz file?

    I already traced the person and it seems it is a hackers community (I found their web site). They are in Estonia so I can't do much since I live in the Netherlands. I could send you the ip address (and their web address) but I don't want to publish it here since it can cause other troubles.

    Many thanks for your time! I am really glad you're helping me!!
     
  19. eth00

    Run this:

    cd /home/USERNAME/public_html/
    tar -cf hacked.tar /tmp

    Now go to the website http://domain.com/hacked.tar

    If you could send me that link (via pm), I would be interested to see what they have done. I do not really care for the ip but it is always interesting to look at different rootkits.

    ....actually looking at it they have .bash_history which makes it look like they have created a user. Do 'ls -alh' to see who owns the files. Then run "cat /etc/passwd |grep nobody" and paste the results here. If the files are owned by some user OTHER than nobody use "cat /etc/passwd |grep USERNAME" and paste that. You should also look in the /etc/passwd for other users that look like they do not belong.

    Again I just want to say you should probably reformat the server.
     
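The two checks eth00 asks for in the post above, file ownership in /tmp from `ls -alh` and a look through `/etc/passwd` for accounts that do not belong, as a small triage script. This is an added example, not code from the thread: both sample inputs are constructed to resemble Tagor's listing (the `cpanel.TMP.EXAMPLE` name and the `toor` and `sys3` accounts are made up for the demonstration), and treating `tagor` as the one legitimate shell user is an assumption.

```python
"""Triage helpers: who owns the files in a directory listing, and which
/etc/passwd accounts merit a closer look. Added example, not from the thread;
SAMPLE_LS and SAMPLE_PASSWD are constructed inputs.
"""
import re

# Shells that give an interactive login; anything else is treated as disabled.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/csh",
                      "/bin/tcsh", "/bin/ksh"}
# World-writable locations that no account should have as its home directory.
TEMP_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed: 'ls -alh /tmp' as it might look on the server in the thread.
SAMPLE_LS = """\
total 1.3M
drwxrwxrwt   6 root   root   4.0K May 13 10:02 .
drwxr-xr-x  22 root   root   4.0K May 12 08:00 ..
-rw-------   1 nobody nobody  812 May 13 01:12 .bash_history
-rwxr-xr-x   1 nobody nobody   12K May 12 23:41 f3.c
-rw-r--r--   1 nobody nobody  1.2M May 12 23:40 psy.tar.gz
drwxr-xr-x   2 nobody nobody  4.0K May 12 23:40 psybnc
-rw-r--r--   1 tagor  tagor   6.1K May 13 09:55 cpanel.TMP.EXAMPLE
srwxrwxrwx   1 mysql  mysql      0 May 12 08:01 mysql.sock
"""

# Constructed: /etc/passwd with two entries that should not be there.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
tagor:x:500:500::/home/tagor:/bin/bash
toor:x:0:0::/root:/bin/bash
sys3:x:1003:1003::/tmp/.x:/bin/bash
"""

# One 'ls -l' line: perms, links, owner, group, size, month, day, time-or-year, name.
LS_LINE = re.compile(
    r"^(?P<perms>\S+)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\S+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$")


def owners_from_ls(text):
    """Map each owner to the sorted names it owns, skipping '.', '..' and 'total'."""
    owners = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        owners.setdefault(m.group("owner"), []).append(m.group("name"))
    return {o: sorted(names) for o, names in owners.items()}


def parse_passwd(text):
    """Return a list of account dicts from passwd-format text."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue  # blank, comment or damaged line
        name, _pw, uid, gid, _gecos, home, shell = parts
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def suspicious_accounts(text, allowed_shell_users=()):
    """Return (name, reason) pairs for accounts worth a closer look: a second
    uid-0 account, an interactive shell on an account not on the allow-list,
    or a home directory under a world-writable temp location."""
    findings = []
    for a in parse_passwd(text):
        if a["uid"] == 0 and a["name"] != "root":
            findings.append((a["name"], "uid 0 but not root"))
        if (a["shell"] in INTERACTIVE_SHELLS and a["name"] != "root"
                and a["name"] not in allowed_shell_users):
            findings.append((a["name"], "interactive shell not on the allow-list"))
        if a["home"].startswith(TEMP_PREFIXES):
            findings.append((a["name"], "home directory under a temp location"))
    return findings


if __name__ == "__main__":
    for owner, names in owners_from_ls(SAMPLE_LS).items():
        print(f"{owner}: {', '.join(names)}")
    for name, reason in suspicious_accounts(SAMPLE_PASSWD, allowed_shell_users=("tagor",)):
        print(f"{name}: {reason}")
```

On a real box the inputs are `ls -alh /tmp` and `/etc/passwd`. Files owned by `nobody`, the web server's user, point to the web server as the foothold (consistent with eth00's PHP-via-/tmp theory) rather than to a created account; a `.bash_history` owned by `nobody` would be written by a bash process running as that user with its home set to /tmp. If /tmp is archived for someone else to inspect, keep the archive outside any web-served directory and record a checksum of it, so the collected material is neither exposed to the world nor silently altered.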
  20. Tagor

    Everything seems to be owned by nobody; only cpanel.TMP.dUr8A85yidpgzF0u and another file like that are owned by a user from my server. ./ and ../ are owned by root.

    I will create the tar and send it by PM.
     