Outbound UDP DOS on VPS

Recently I encountered an outbound DOS kind of attack on my Linode (running a few WordPress blogs and an OSQA website on Apache+MySQL), where UDP packets were being transferred at a pretty fast rate.

It consumed 50-60 Gigs of bandwidth within one hour.

Linode has raised a security alert and asked me to do a system migration in case it was a compromise.

I have checked the system for most intrusion signs but did not find any evidence.

  • Scanned with Chkrootkit and Rkhunter. There were no exploits found on the server.

  • iptables has been configured to block all ports except sshd and 80.

  • SSH has been locked down and login is only through SSH keys.

  • RootLogin is disabled with SSH.

  • Checked /var/log/auth.log and lastlog for brute force attempts.

  • Checked files in the /tmp directory.

  • Checked running processes for anything suspect.

I saw data being communicated with an IP 209.3.33.161, so I added this IP to the hosts.deny file to be on the safe side.

I suspect that it might be a web script/wordpress plugin. I am still searching for it.

I already have another Linode ready to move the files onto. But if there is a file in the websites, it may also be copied there and this issue may arise on the other Linode as well. So I want to be fully sure before copying files to the new Linode.

Can somebody help in identifying the culprit here?

And as I have little experience with managing a server, and Linode is an unmanaged service, should I switch to a managed VPS that can help identify this kind of issue and resolve it?

If yes, can the community suggest a good managed VPS under $40 per month?

4 Replies

Was the kernel used an old one? Granted, UDP packets can be spoofed, but more than likely it came from your instance, since it was recorded on the host from their graphs. I would just create a new instance. Make sure your site apps are current and not hacked. Make sure the services have the latest version based upon your distro.

To answer your second question, you might be able to find a managed provider for $40/mo, but not Xen based like Linode is. To get that price point it must be Virtuozzo based and oversell the host. IMHO you should add at least $100 to that price point to get a fully managed Xen based solution.

It was the timthumb.php vulnerability. Read more for explanation: http://www.webrevised.com/130-timthumb-php-vulnerability-thousands-of-templates-affected/

This was the script which was uploaded to the server due to the timthumb.php vulnerability: http://pastebin.com/nVeVMgL4

And it was placed in the cache directory and executed by the attacker whenever he wanted a UDP DOS attack.

@pankajbatra:

It was the timthumb.php vulnerability. Read more for explanation: http://www.webrevised.com/130-timthumb-php-vulnerability-thousands-of-templates-affected/

Ouch! That is some nasty vulnerability.

@pankajbatra - for what it's worth, do you have any entries in your access logs with the useragent "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)" ? I've got some logs of this attack being attempted before, and that UA being used by the script used to try to inject it in.

I'm curious as to whether the same UA was used when it was injected onto your own system.
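A way to check the access logs for the user agent asked about above, and for timthumb.php requests that pass a remote URL in the src parameter, as an added example that is not part of this thread. The log lines and IPs are constructed; the remote-src heuristic is an assumption about what the injection request looks like, based on the thread's description of the bug.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User agent reported in the thread as used by the injection script
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Flag a request to timthumb.php whose src is a remote http(s) URL, or any request with the suspect UA.
    (Assumption: the exploit fetched a remote 'image' via src=http://...)"""
    path = entry["path"]
    remote_src = "timthumb.php" in path.lower() and re.search(r"[?&]src=https?(%3a|:)", path, re.I)
    return bool(remote_src) or entry["ua"] == SUSPECT_UA

def scan(lines):
    """Return (flagged entries, per-client-IP hit counts) for a list of log lines."""
    flagged, hosts = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e and is_suspicious(e):
            flagged.append(e)
            hosts[e["host"]] += 1
    return flagged, hosts

# Constructed sample log lines (not from the thread); IPs are documentation ranges, paths are made up
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Aug/2011:03:12:01 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://198.51.100.7/x.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)"',
    '203.0.113.5 - - [10/Aug/2011:03:12:05 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Aug/2011:03:12:09 +0000] "GET /wp-content/themes/x/cache/abc123.php HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)"',
    '203.0.113.9 - - [10/Aug/2011:03:13:00 +0000] "GET /wp-content/themes/x/timthumb.php?src=images/logo.png&w=100 HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    flagged, hosts = scan(SAMPLE_LOG)
    for e in flagged:
        print(e["host"], e["path"], e["ua"])
    print(hosts.most_common())
```

On a real server, feed it the lines of /var/log/apache2/access.log instead of SAMPLE_LOG; a legitimate local thumbnail request (the last sample line) is not flagged.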
