  1. #1

    Question: Please Please Please Help! UDP Flood?

    I have a dedicated server with oneandone and they have emailed me this:

    The server has been shutdown due to a UDP flood. The server is in rescue mode and locked. Please investigate and remove the exploit. If this is not possible then a re-image is possible

    14:03:12.395452 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395455 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395457 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395459 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395461 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395501 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395503 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395535 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395536 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395537 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395538 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395540 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395573 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395577 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395608 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395610 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395641 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395642 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395644 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395645 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395647 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395648 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395691 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395693 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395728 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395730 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395758 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395759 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395788 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395789 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395818 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395820 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395849 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395850 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395852 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395879 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.395910 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.402746 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.404091 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.404488 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.405021 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.405049 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.405076 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.406424 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.406457 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.406515 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.407058 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.407086 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.407113 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1
    14:03:12.407587 IP MYSERVERIP.47306 > 72.64.138.38.59: UDP, length: 1


    They won't help me, and my server is in rescue mode so I can't do much and am not sure where to start. We have APF installed and secured it up the best we can. Funny thing is that the server was turned off at 13:20:05 (I have a pulse report and a text message), and the floods they are talking about are from 14:03:12. Can anyone please help me, because oneandone won't pull their fingers out.

    Thanks!
    Kind Regards
    Bill

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Sounds like you need to secure the server better, maybe hire an external admin.

    Check your tmp directories, ps aux for odd processes, etc.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    May 2005
    Posts
    288
    You might also want to try the following command:
    Code:
    fuser -n udp 47306
    Unless you have some very nasty LKM kit installed, it should show you which process is using the local UDP port 47306.

  4. #4
    I have rootkithunter installed from day one, it scans every day and has not found anything.

    The tmp directories seem to have nothing in there, but I really can't check because I'm in rescue mode.
    Kind Regards
    Bill

  5. #5
    I ran "fuser -n udp 47306" and it came back with nothing; could this be because I'm in rescue mode?
    Kind Regards
    Bill

  6. #6
    rkhunter will not pick up the famous udp.pl
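    Two things in this thread combine badly: `fuser` only knows about the system that is currently running, and in rescue mode that is the rescue image, not the compromised install, so it will always come back empty (post #5), and a signature scanner will not flag a throwaway script (post #6). What you can do from rescue mode is mount the server's disk and go through it offline. The script below is an added example, not the poster's or Rack911's code; it walks a mounted root for scripts dropped in the world-writable directories the second reply tells you to check, then looks for cron entries that reference them (persistence is the usual way a flooder comes back after a reboot). The fixture it runs on is constructed in a temporary directory, with a placeholder file standing in for the dropped script; in real use pass the path where the rescue system mounted the disk, e.g. `/mnt`.

```python
import os
import re
import stat
import tempfile

# World-writable directories where dropped scripts usually end up, relative to the mounted root.
TMP_DIRS = ("tmp", "var/tmp", "dev/shm")
# Cron locations to check for persistence, relative to the mounted root.
CRON_PATHS = ("etc/crontab", "etc/cron.d", "var/spool/cron")
SHEBANG_RE = re.compile(rb"^#!.*\b(perl|python|sh|bash)\b")


def scripts_in_tmp(root: str) -> list:
    """Return (path, reasons) for files in tmp dirs that look like scripts rather than data."""
    hits = []
    for rel in TMP_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, rel)):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(128)
                    mode = os.stat(path).st_mode
                except OSError:
                    continue
                reasons = []
                if SHEBANG_RE.match(head):
                    reasons.append("interpreter shebang")
                if mode & stat.S_IXUSR:
                    reasons.append("executable bit")
                if name.startswith("."):
                    reasons.append("hidden file")
                if reasons:
                    hits.append(("/" + os.path.relpath(path, root), reasons))
    return hits


def cron_references(root: str, suspect_paths: list) -> list:
    """Return (cron file, line) for non-comment cron lines mentioning any suspect path."""
    refs = []
    for rel in CRON_PATHS:
        base = os.path.join(root, rel)
        if os.path.isfile(base):
            files = [base]
        else:
            files = [os.path.join(d, f) for d, _, fs in os.walk(base) for f in fs]
        for cron_file in files:
            try:
                with open(cron_file, errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for line in lines:
                if line.lstrip().startswith("#"):
                    continue
                if any(p in line for p in suspect_paths):
                    refs.append(("/" + os.path.relpath(cron_file, root), line.strip()))
    return refs


def triage(root: str) -> dict:
    """Offline triage of a mounted root: dropped scripts plus the cron entries that relaunch them."""
    suspects = scripts_in_tmp(root)
    return {"suspects": suspects,
            "cron": cron_references(root, [p for p, _ in suspects])}


def build_fixture() -> str:
    """Constructed mounted-root layout for demonstration; nothing here is a real payload."""
    root = tempfile.mkdtemp(prefix="rescue-root-")
    for rel in TMP_DIRS + ("etc/cron.d", "var/spool/cron"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    with open(os.path.join(root, "tmp", ".s"), "wb") as fh:      # hidden perl script (placeholder body)
        fh.write(b"#!/usr/bin/perl\n# constructed placeholder standing in for a dropped script\n")
    with open(os.path.join(root, "tmp", "sess_abc123"), "wb") as fh:  # ordinary session data, benign
        fh.write(b"data\n")
    with open(os.path.join(root, "var", "spool", "cron", "www-data"), "w") as fh:  # persistence entry
        fh.write("# constructed crontab\n* * * * * /tmp/.s > /dev/null 2>&1\n")
    return root


if __name__ == "__main__":
    report = triage(build_fixture())
    for path, reasons in report["suspects"]:
        print(f"suspect {path}: {', '.join(reasons)}")
    for cron_file, line in report["cron"]:
        print(f"persistence in {cron_file}: {line}")
```

    A hit here tells you what to remove and which account's crontab was used, which narrows down the service that was broken into; if the same hunt over the mounted disk turns up nothing in tmp, cron or the web user's home, a re-image is the safer answer than guessing.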

  7. #7
    Is there a way round this? Can I stop attacks of this nature?
    Kind Regards
    Bill
