View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions Outbound UDP DOS on VPS
Log in to Ask a Question

Outbound UDP DOS on VPS

development

Recently I encountered an outbound DOS kind of attack on my linode (running few wordpress blogs and a OSQA wesbite on apache+mysql), where UDP packets were being transferred at a pretty fast rate.

It consumed 50-60 Gigs of bandwidth within one hour.

Linode has raised security alert and asked me to do system migration in case it was a compromise.

I have checked system for most intrusion signs but did not find any evidence.

  • scanned with Chkrootkit and Rkhunter. There was no exploits found on server.

  • iptables have been configured to block all ports except sshd and 80.

  • SSH has been locked down and login is only through SSH keys.

  • RootLogin is disabled with SSH.

  • Checked /var/log/auth.log and lastlog for brute force attempts

  • checked files in /tmp directory.

  • Check running processes for any suspect.

I saw data being communicated with an IP 209.3.33.161, so added this IP to hosts.deny file to be on safe side.

I suspect that it might be a web script/wordpress plugin. I am still searching for it.

I already have other linode ready to move files onto that. But if there is a file in websites, it may also be copied there and this issue may arise in other linode as well. So I want to be fully sure before copying files to new linode.

Can somebody help in identifying the culprit here?

And as I have little experience with managing server, linode being unmanaged service, should I switch to any managed VPS who can help identify this kind of issues and resolve them.

If yes, can community suggest some good managed VPS under 40$ per month.

4 Replies

Was the kernel used an old one? Granted UDP packets can be spoofed, but more than likely it came from your instance since it was recorded on the host from their graphs. I would just create a new instance. Make sure your site apps are current and not hacked. Make sure the servies have the latest version based upon your distro.

To answer your second question, you might be able to find a managed provider for $40/mo, but not Xen based like Linode is. To get that price point it must be Virtuozzo based and oversell the host. IMHO should should at least add $100 to that price point to get a fully managed Xen based solution.

It was timthumb.php vulnerability. Read more for explanation: http://www.webrevised.com/130-timthumb- … -affected/">http://www.webrevised.com/130-timthumb-php-vulnerability-thousands-of-templates-affected/

This was the script which was uploaded to server due to timthumb.php vulnerability: http://pastebin.com/nVeVMgL4

And it was placed cache directory and executed by attacker whenever he wanted a UDP DOS attack.

@pankajbatra:

It was timthumb.php vulnerability. Read more for explanation: http://www.webrevised.com/130-timthumb- … -affected/">http://www.webrevised.com/130-timthumb-php-vulnerability-thousands-of-templates-affected/

Ouch! That is some nasty vulnerability.

@pankajbatra - for what it's worth, do you have any entries in your access logs with the useragent "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)" ? I've got some logs of this attack being attempted before, and that UA being used by the script used to try to inject it in.

I'm curious as to whether the same UA was used when it was injected onto your own system.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct