shann (Well-Known Member since Jul 5, 2002; cPanel Access Level: Website Owner)
Hi,

Someone is doing an outbound attack from our server and we got a complaint from the DC, but they haven't provided the info. They provided the IP address which was hit from our server.

What file do I need to check?

Can anyone help me?

thanks
shan

Freezer (Well-Known Member since Jun 13, 2005; Den Haag)
Scan your /tmp and /var/tmp for strange files belonging to nobody, and search the forums for "outbound udp attack"; that will show a thread with more helpful info.

AndyReed (Well-Known Member, PartnerNOC, since May 29, 2004; Minneapolis, MN)
shann said:
Someone is doing an outbound attack from our server and we got a complaint from the DC, but they haven't provided the info. They provided the IP address which was hit from our server.

What file do I need to check?

Can anyone help me?
You need to clean up your server from all the strange files downloaded and/or installed on your server. Kill all the processes used/exhausted by these tools, and then you need to patch, upgrade, and secure your server. Good luck!

shann (Well-Known Member since Jul 5, 2002; cPanel Access Level: Website Owner)
Thank you guys, but I have the targeted IP. Is there any way I can track it down?
Can we check it in /var/log/messages?

thanks

shann (Well-Known Member since Jul 5, 2002; cPanel Access Level: Website Owner)
I have installed APF. How do we stop the outbound attack? I have the targeted IP.

Please help me.

thanks

NightStorm (Well-Known Member since Jul 28, 2003; cPanel Access Level: Root Administrator)
With APF, set up and enable egress filtering. It will not stop your server from sending the attack, but it will stop the packets from leaving your server.
Check server logs (httpd logs) for the word wget. This is often used as part of a URL exploit that tells a site on your server to download and install a perl script to launch packet attacks. This will give you an idea of how the attack was started, and which site you need to be checking.
Look for outdated programs on your server (read: phpBB).
Run rkhunter.
Secure your /tmp directory.
Search the /tmp directory for any .pl files. If you find them, delete them.
http://eth0.us is a good place to start.

avijit (Well-Known Member since Jul 26, 2004; India)
Check all the current processes with ps -auxf | more. It can give you a glimpse of the attack that is originating from the server. Probably someone is scanning the other host for a vulnerability.

shann (Well-Known Member since Jul 5, 2002; cPanel Access Level: Website Owner)
Hi,

I have used rkhunter and got the following message. Does anything need to be fixed?
Any help would be appreciated.


Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]


Also, got this

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 3

Scanning took 466 seconds


How do we track it down?

dalem (Well-Known Member, PartnerNOC, since Oct 24, 2003; SLC; cPanel Access Level: DataCenter Provider)
Your server is most likely not compromised; some sort of UDP or TCP flooder was uploaded into your tmp dir through an insecure PHP script.


Run a ps auxf and look for something running that should not be.


My god man, if you can't find what's leaving your server, hire someone to track it down for you.
We can't see it from the forums :)