

Server compromised | DDOS agent




Posted by p-root, 09-16-2011, 01:22 AM
Hi, it's very embarrassing to tell you that my system might have been compromised and someone used my system to send a DDoS to another system; I have already implemented all the security features on my server. Now I have blocked both in/out connections on that certain IP address, but still I don't have a clue; this server of mine is a shared hosting server. Please do the needful and let me know how I can find the clue as to who did this from the server.

Sep 15 22:26:09 server kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=myipaddress DST= remoteipaddress LEN=8220 TOS=0x00 PREC=0x00 TTL=64 ID=28358 PROTO=UDP SPT=57119 DPT=34539 LEN=8200
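As an added example (not part of p-root's post or of any tool named in the thread), the following Python script parses kernel firewall lines in the format quoted above, using constructed sample lines with documentation-range addresses, and groups blocked outbound UDP by source/destination pair to surface the flood's signature: many large packets from one source port sprayed across many destination ports.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format of the kernel firewall log quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 15 22:26:09 server kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=8220 TOS=0x00 PREC=0x00 TTL=64 ID=28358 PROTO=UDP SPT=57119 DPT=34539 LEN=8200
Sep 15 22:26:09 server kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=8220 TOS=0x00 PREC=0x00 TTL=64 ID=28359 PROTO=UDP SPT=57119 DPT=12001 LEN=8200
Sep 15 22:26:10 server kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=8220 TOS=0x00 PREC=0x00 TTL=64 ID=28360 PROTO=UDP SPT=57119 DPT=60077 LEN=8200
Sep 15 22:26:10 server kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=8220 TOS=0x00 PREC=0x00 TTL=64 ID=28361 PROTO=UDP SPT=57119 DPT=9 LEN=8200
Sep 15 22:30:41 server kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.53 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=1122 PROTO=UDP SPT=40211 DPT=53 LEN=60
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*\*UDP_OUT Blocked\* (?P<kv>.*)$")

def parse_line(line):
    """Return a dict of fields for one UDP_OUT log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The first LEN= is the IP total length; the one after PROTO=UDP is the UDP length.
    rec = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")}
    lens = []
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("kv")):
        if key == "LEN":
            lens.append(int(val))
        else:
            rec[key] = val
    rec["ip_len"], rec["udp_len"] = lens[0], lens[-1]
    return rec

def flood_candidates(log_text, min_packets=3, min_udp_len=1000):
    """Group blocked outbound UDP by (SRC, DST) and flag flows made of many large
    packets, the shape of the flood in the post; ordinary DNS-sized traffic is ignored."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set(), "sports": set(), "ts": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = flows[(rec["SRC"], rec["DST"])]
        f["packets"] += 1
        f["bytes"] += rec["udp_len"]
        f["dports"].add(rec["DPT"]); f["sports"].add(rec["SPT"]); f["ts"].append(rec["ts"])
    out = []
    for (src, dst), f in flows.items():
        if f["packets"] >= min_packets and f["bytes"] / f["packets"] >= min_udp_len:
            secs = (max(f["ts"]) - min(f["ts"])).total_seconds()
            out.append({"src": src, "dst": dst, "packets": f["packets"], "bytes": f["bytes"],
                        "dports": len(f["dports"]), "sports": sorted(f["sports"]), "seconds": secs})
    return sorted(out, key=lambda r: r["bytes"], reverse=True)
```

A single SPT shared by every packet points at one socket; on the live host, `ss -unap` or `lsof -i udp:<SPT>` maps that port to the owning PID and user, which is the starting point the thread is asking for.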

Posted by BeZazz, 09-16-2011, 01:42 AM
In all honesty you really need to hire someone to look into this for you.

Posted by p-root, 09-16-2011, 02:12 AM
Hi, thanks BeZazz. I want to know how I can check who is responsible for the same on a shared hosting server. Thanks, P-root

Posted by p-root, 09-16-2011, 03:08 AM
Hi, I have checked that this is a UDP flood DoS (outgoing); I have limited the outbound flow rate of UDP packets with the following commands:

/sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -j DROP

Thanks, Punit Dambiwal

Posted by brianoz, 09-16-2011, 09:25 AM
There's no fixed answer; you really need to get someone to look at the server for you.

Posted by ethicalmohit, 09-16-2011, 11:43 AM
Yes, I also think you should hire some security professional to firewall this type of issue.

Posted by jaydul, 09-16-2011, 01:02 PM
You need to add a hardware firewall; it can protect your server and optimize your server. Why can't you ask your DC? Thank you

Posted by ssfred, 09-17-2011, 06:01 AM
Hello, DDoS prevention is a tricky one. You need to block the outgoing traffic using a HW firewall to avoid blacklisting of the server. Then the server needs to be analyzed by an expert to identify the origin of the attack.

Posted by Steven, 09-17-2011, 08:51 PM
You limited it, but you did nothing to fix the problem. You're still hacked.

Posted by IPSecureNetwork, 09-19-2011, 11:31 PM
Maybe you must check your processes... check the httpd process, particularly check for parent and child PIDs; sometimes a perl is a problem. I recommend you run rkhunter, or any rootkit checker.

Posted by p-root, 09-20-2011, 12:50 AM
Hi, thanks all, let me check... I will let you know about my findings.

Posted by LinuxSecurityExpert, 09-20-2011, 04:20 AM
Hi p-root,

There are lots of precautions that you can take; for instance, configure your outbound firewall rules to only allow connections from users that are allowed to create connections. For example, many hacked servers are hacked through some PHP exploit, and the attacker must download their toolkit by making an outbound HTTP connection. Since the attacker would only have the access credentials of the user running as your Web server, they would not have been able to download the remote exploit, and it may have thwarted the entire attack vector.

You could also make your web document root read-only by the Web server user. Since most attacks require modifying a file in the web root, this is also a very effective countermeasure for production servers.

I would need a lot more information than you can provide on the forum -- and probably information you would not wish to post on a forum. PM me if you wish to hire professional help; this is the type of thing that I'm good at!

Cheers,
-- Eric


