I've been reading forums all day long. I've been hosting accounts for my clients, and just today I received an e-mail from another company stating that the IP my server is on has been sending Distributed Denial-of-Service (DDoS) attacks, attacking their side. Now I know that I'm not running anything of that sort; it might easily be one of the clients.
If someone could help, I just have one simple question: is there a command or some way that I could check who is running this, or running some sort of script, etc.?
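One way to answer the "who is running this" question on a Linux box is to attribute the sockets to processes with `ss -tnp` (run as root so other users' processes are visible) and count connections per process toward the IP named in the abuse report. The script below is an added example, not code from the original thread; the `ss` sample it parses is constructed for the example, and the pids, addresses and the `perl` process in it are hypothetical. It follows the column layout of iproute2's `ss -tnp` output, and takes only the first process listed on a socket when several share it.

```shell
#!/bin/sh
# Attribute outbound connections to a process from `ss -tnp` output.
# The sample below is constructed for this example; on the real box run: live_report <peer-ip>

# Constructed sample of `ss -tnp` output: a perl process (pid 2314) hammering 203.0.113.7,
# plus one inbound SSH session and one inbound HTTP request.
SAMPLE_SS=$(cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port     Peer Address:Port      Process
ESTAB    0      0      10.0.0.5:44332         203.0.113.7:80         users:(("perl",pid=2314,fd=3))
SYN-SENT 0      1      10.0.0.5:44333         203.0.113.7:80         users:(("perl",pid=2314,fd=4))
SYN-SENT 0      1      10.0.0.5:44334         203.0.113.7:80         users:(("perl",pid=2314,fd=5))
SYN-SENT 0      1      10.0.0.5:44335         203.0.113.7:80         users:(("perl",pid=2314,fd=6))
ESTAB    0      0      10.0.0.5:22            198.51.100.9:51022     users:(("sshd",pid=911,fd=4))
ESTAB    0      0      10.0.0.5:80            198.51.100.20:40111    users:(("httpd",pid=1200,fd=12))
EOF
)

# conns_to_peer PEER_IP  (stdin: `ss -tnp` output)
# Prints "<count> <pid> <comm>" for every process with sockets to PEER_IP, busiest first.
conns_to_peer() {
  awk -v peer="$1" '
    $1 == "State" { next }                       # header line
    {
      addr = $5; sub(/:[^:]*$/, "", addr)        # strip the :port suffix
      gsub(/\[|\]/, "", addr)                    # strip IPv6 brackets, if any
      if (addr != peer) next
      comm = "?"; pid = "?"                      # "?" when ss could not show the owner (not root)
      if (match($6, /"[^"]*"/)) comm = substr($6, RSTART + 1, RLENGTH - 2)
      if (match($6, /pid=[0-9]+/)) pid = substr($6, RSTART + 4, RLENGTH - 4)
      n[pid " " comm]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# syn_sent_count  (stdin: `ss -tnp` output)
# Half-open outbound sockets; a large number from one process is the classic flooder signature.
syn_sent_count() {
  awk '$1 == "SYN-SENT" { n++ } END { print n + 0 }'
}

# live_report PEER_IP: run on the suspect server itself, as root, and add the owning user.
live_report() {
  ss -tnp | conns_to_peer "$1" | while read -r count pid comm; do
    user=$(ps -o user= -p "$pid" 2>/dev/null || echo '?')
    echo "$count connections  pid=$pid  comm=$comm  user=$user"
  done
}

echo "Connections to 203.0.113.7 in the constructed sample (count pid comm):"
printf '%s\n' "$SAMPLE_SS" | conns_to_peer 203.0.113.7
echo "Half-open (SYN-SENT) sockets: $(printf '%s\n' "$SAMPLE_SS" | syn_sent_count)"
```

Once a pid is known, `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd` show what binary it is and where it was started from (often one of the directories named in the reply below), and `ps -o user= -p` tells you which hosting account owns it.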
Well, usually when your server is sending DDoS attacks out, that is not good; most of the time your server could be compromised. Have you checked your /tmp, /var/tmp, /var/spool/mail? Those are common hiding spots for malicious files. Do you have an old kernel on the box? Have you installed any security measures? Do you give your clients SSH access?
For Unix-based systems, this should include the following:
* Disable telnet.
* Limit SSH access to specific IP addresses.
* Disable direct root login.
* Remove unnecessary packages / software.
* Harden the kernel against SYN floods and basic DoS attacks.
* Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
* Ensure /tmp is in its own partition with noexec, nosuid.
* Ensure kernel and software is up to date.
* Remove unnecessary users and groups.
* Install chkrootkit, logwatch, tripwire.
* Install a firewall, and port scan detector.
* For Apache servers, install mod_security and configure for use with FrontPage, PHPMyAdmin, Site Studio, and common applications.
* Secure DNS servers.
* Utilize firewall automation to mitigate brute-force FTP, SYN floods, mail bombs, and out-of-network trojan'd servers from impacting your servers.
It is important to note that security is an ongoing venture. Even if you were to take all of the steps listed above, you would still need a regular routine of review, update, research, patch, etc.
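Three items on that list (no direct root login, /tmp on its own partition with noexec and nosuid, SYN-flood hardening) can be checked mechanically. The script below is an added example written for this page, not part of the reply above or of any distribution's tooling. It reads `sshd_config`, `/proc/mounts` and `/proc/sys/net/ipv4/tcp_syncookies` under a root prefix so that it can be exercised against a constructed directory tree; the `backup` user in the demo config and the device names in the demo mount table are hypothetical. It treats only `PermitRootLogin no` as passing, and honours sshd's rule that the first occurrence of a keyword wins and that directives after a `Match` block are conditional.

```shell
#!/bin/sh
# Audit three checklist items against files under a root prefix (empty prefix = the live system).

# sshd_root_login SSHD_CONFIG: effective PermitRootLogin value, or "default" if unset.
sshd_root_login() {
  awk '
    tolower($1) == "match" { inmatch = 1 }                                # later lines are conditional
    !inmatch && tolower($1) == "permitrootlogin" && v == "" { v = $2 }    # first occurrence wins
    END { print (v == "" ? "default" : v) }
  ' "$1"
}

# tmp_mount_missing MOUNTS_FILE: which of noexec/nosuid are missing on /tmp.
# Prints nothing when both are set, "no-separate-mount" when /tmp is not its own mount.
tmp_mount_missing() {
  awk '
    $2 == "/tmp" {
      found = 1; miss = ""; opts = "," $4 ","
      if (opts !~ /,noexec,/) miss = miss "noexec "
      if (opts !~ /,nosuid,/) miss = miss "nosuid "
    }
    END { if (!found) print "no-separate-mount"; else { sub(/ $/, "", miss); print miss } }
  ' "$1"
}

# audit [ROOT]: one line per item; returns the number of failing items.
audit() {
  root=${1:-}
  fails=0
  v=$(sshd_root_login "$root/etc/ssh/sshd_config")
  if [ "$v" = "no" ]; then echo "ok   PermitRootLogin no"
  else echo "FAIL PermitRootLogin is '$v' (want no)"; fails=$((fails + 1)); fi
  m=$(tmp_mount_missing "$root/proc/mounts")
  if [ -z "$m" ]; then echo "ok   /tmp is a separate mount with noexec,nosuid"
  else echo "FAIL /tmp: $m"; fails=$((fails + 1)); fi
  sc=$(cat "$root/proc/sys/net/ipv4/tcp_syncookies" 2>/dev/null || echo missing)
  if [ "$sc" = "1" ]; then echo "ok   tcp_syncookies enabled"
  else echo "FAIL tcp_syncookies=$sc (want 1)"; fails=$((fails + 1)); fi
  return "$fails"
}

# Constructed demo tree (hypothetical content): root login allowed, /tmp without noexec,
# syncookies off. All three checks are expected to fail here.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/ssh" "$DEMO/proc/sys/net/ipv4"
printf 'Port 22\nPermitRootLogin yes\nMatch User backup\nPermitRootLogin no\n' > "$DEMO/etc/ssh/sshd_config"
printf '/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sda3 /tmp ext4 rw,nosuid,relatime 0 0\n' > "$DEMO/proc/mounts"
echo 0 > "$DEMO/proc/sys/net/ipv4/tcp_syncookies"
audit "$DEMO" || echo "$? item(s) failed in the constructed tree"
rm -rf "$DEMO"
```

Run `audit` with no argument on the server itself. The remaining checklist items (telnet off, firewall, file-integrity tools, mod_security) are package- and distribution-specific, which is why the script stops at the three it can verify from plain files.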