-
06-07-2006, 05:43 PM #1 Newbie
Please Please Please Help! Udp Flood?
I have a dedicated server with oneandone and they have emailed me this:
The server has been shut down due to a UDP flood. The server is in rescue mode and locked. Please investigate and remove the exploit. If this is not possible then a re-image is possible.
14:03:12.395452 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395455 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395457 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395459 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395461 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395501 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395503 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395535 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395536 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395537 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395538 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395540 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395573 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395577 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395608 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395610 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395641 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395642 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395644 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395645 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395647 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395648 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395691 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395693 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395728 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395730 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395758 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395759 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395788 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395789 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395818 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395820 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395849 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395850 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395852 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395879 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395910 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.402746 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.404091 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.404488 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.405021 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.405049 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.405076 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.406424 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.406457 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.406515 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.407058 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.407086 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.407113 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.407587 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
They won't help me, and my server is in rescue mode so I can't do much and am not sure where to start. We have AFP installed and secured it up the best we can. Funny thing is that the server was turned off at 13:20:05 (I have a pulse report and a text message), and the floods they are talking about are from 14:03:12. Can anyone please help me, because oneandone won't pull their fingers out.
Thanks!
Kind Regards
Bill
-
06-08-2006, 01:22 AM #2 Problem Solver
Sounds like you need to secure the server better, maybe hire an external admin.
Check your tmp directories, ps aux for odd processes, etc.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
06-08-2006, 01:29 AM #3 Web Hosting Guru
You might also want to try the following command:
Code:
fuser -n udp 47306
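Added example, not from the thread and not any poster's code: a small POSIX shell/awk helper that summarises tcpdump-style lines in the format of the abuse report quoted above, so the local source port doing the sending (47306 here) and its packet count stand out, and then names the fuser/ss check to run on the live system. The sample lines are constructed; fuser and ss only see processes on the running OS, so from a rescue environment they will show nothing for the compromised install.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise a tcpdump-style abuse report
# (the format 1&1 quoted above) by local source port and destination, so the
# flooding socket can be identified and then mapped to a process on the LIVE
# system with "fuser -n udp <port>" or "ss -uanp". In a rescue environment the
# compromised OS's processes are not running, so fuser/ss will show nothing.

# Constructed sample lines in the report's format (not the real report).
SAMPLE='14:03:12.395452 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395455 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:12.395457 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
14:03:13.100201 IP MYSERVERIP.33999 > 192.0.2.1.53: UDP, length: 60'

# Read report lines on stdin; print one line per (src port, dst host, dst port):
#   count  srcport  dsthost  dstport  first_seen  last_seen   (busiest first)
udp_flood_summary() {
    awk '$2 == "IP" && $6 == "UDP," {
        sp = $3; sub(/.*\./, "", sp)               # local source port
        d = $5;  sub(/:$/, "", d)                  # "72.64.138.38.59"
        n = split(d, a, "."); dp = a[n]            # dst port = last component
        dh = a[1]; for (i = 2; i < n; i++) dh = dh "." a[i]
        key = sp "\t" dh "\t" dp
        cnt[key]++
        if (!(key in first)) first[key] = $1
        last[key] = $1
    }
    END {
        for (k in cnt) printf "%d\t%s\t%s\t%s\n", cnt[k], k, first[k], last[k]
    }' | sort -rn
}

# Print "count port" for the busiest local UDP source port.
top_udp_sender() {
    udp_flood_summary | awk 'NR == 1 { print $1, $2 }'
}

# Print the local source ports that sent at least $1 packets (default 10);
# each is a candidate for "fuser -n udp <port>" on the running system.
flood_ports() {
    udp_flood_summary | awk -v min="${1:-10}" '$1 >= min { print $2 }'
}

# Usage on the real report: udp_flood_summary < report.txt
printf '%s\n' "$SAMPLE" | udp_flood_summary
for p in $(printf '%s\n' "$SAMPLE" | flood_ports 3); do
    echo "on the live system run: fuser -n udp $p   (and: ss -uanp | grep :$p)"
done
```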
-
06-08-2006, 08:02 AM #4 Newbie
I have rootkithunter installed from day one; it scans every day and has not found anything.
The tmp directories seem to have nothing in them, but I really can't check because I'm in rescue mode.
Kind Regards
Bill
-
06-08-2006, 08:11 AM #5 Newbie
I ran "fuser -n udp 47306" and it came back with nothing; could this be because I'm in rescue mode?
Kind Regards
Bill
-
06-08-2006, 09:42 AM #6 Problem Solver
rkhunter will not pick up the famous udp.pl.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
-
06-08-2006, 02:11 PM #7 Newbie
Is there a way round this? Can I stop attacks of this nature?
Kind Regards
Bill