  1. #1
    Join Date
    May 2007
    Posts
    223

    Server being Attacked?

    I'm suddenly seeing lots of connections in SYN_SENT state in my tcptrack window. It started with a client reporting sluggishness or lag on the server. I did a tcptrack -i eth0 and this came out:

    Code:
    Client Server State Idle A Speed
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 10s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 6s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 2s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 26s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 3s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 10s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 15s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 20s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 23s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 13s 0 B/s
    xx.xx.xx.xx:xxxx 212.117.161.90:2710 SYN_SENT 16s 0 B/s
    TOTAL 1 B/s
    Connections 1-30 of 47026 Unpaused Unsorted

    I removed the client IPs; they were all different. The server IPs are all the same. Shouldn't one of those IPs be my server though, either client or server? Otherwise why would it appear in the list? The 212.117.161.90 is the same IP I saw last night, but it's not always the same; it has also changed to 195.26.5.2 and 91.214.44.96, and on port 80 too. I've added 212.117.161.90 to my iptables so it drops the packets, but is this an attack? (I don't know why it would be; I've never had an upset customer.) And what can I do to stop it?

    edit: Now that I look at tcptrack while it's not having all those connections, I still see times when neither IP is the server's. Obviously I don't understand how to read tcptrack?

  2. #2
    Join Date
    May 2007
    Posts
    223
    Hmm - even after adding that IP to my iptables, it still keeps coming back.

    This is my entry in iptables for it:
    Code:
    $ iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  tracker.bitreactor.to  anywhere
    Note: that's what the IP address resolves to, but there are no BitTorrent clients installed on my server; this is not a seedbox.

  3. #3
    Join Date
    Mar 2003
    Location
    WebHostingTalk
    Posts
    16,967
    Moved > Technical & Security Issues.
    Specially 4 You
    .
    JoneSolutions.Com ( Jones.Solutions ) is on the net 24/7 providing stable and reliable web hosting solutions and services since 2001

  4. #4
    Join Date
    May 2007
    Posts
    223

    Extra Info required

    Never noticed this forum topic before.

    To answer the questions required:

    Linux OS: Debian Lenny
    Kernel Version (uname -r): 2.6.28.9
    Hardware Information: N/A
    Software Version (if it is a specific piece of software causing problems): N/A
    Control Panel (if any): None
    A "ps -auxf" and/or a "top" (if possible)
    vmstat 5 5 (if possible)
    Log File(s) - Any special ones needed? There isn't anything in auth, kern, or syslog during these incidents.

    ps auxf (I tried posting top, but it looks impossible to read every time)

    Code:
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 2 0.0 0.0 0 0 ? S< Aug26 0:00 [kthreadd]
    root 3 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [migration/0]
    root 4 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [ksoftirqd/0]
    root 5 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [migration/1]
    root 6 0.0 0.0 0 0 ? S< Aug26 0:11 \_ [ksoftirqd/1]
    root 7 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [events/0]
    root 8 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [events/1]
    root 9 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [khelper]
    root 13 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [kstop/0]
    root 14 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [kstop/1]
    root 118 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [kblockd/0]
    root 119 0.0 0.0 0 0 ? S< Aug26 0:04 \_ [kblockd/1]
    root 120 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [kacpid]
    root 121 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [kacpi_notify]
    root 192 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [ata/0]
    root 193 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [ata/1]
    root 194 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [ata_aux]
    root 196 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [kseriod]
    root 255 0.0 0.0 0 0 ? S Aug26 0:48 \_ [pdflush]
    root 256 0.0 0.0 0 0 ? S Aug26 0:34 \_ [pdflush]
    root 257 0.0 0.0 0 0 ? S< Aug26 2:30 \_ [kswapd0]
    root 258 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [aio/0]
    root 259 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [aio/1]
    root 260 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [nfsiod]
    root 262 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [xfs_mru_cache]
    root 263 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [xfslogd/0]
    root 264 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [xfslogd/1]
    root 265 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [xfsdatad/0]
    root 266 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [xfsdatad/1]
    root 288 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [cryptd]
    root 920 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [bond0]
    root 940 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_tgtd/0]
    root 941 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_tgtd/1]
    root 946 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_eh_0]
    root 948 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_eh_1]
    root 950 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_eh_2]
    root 952 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_eh_3]
    root 954 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_eh_4]
    root 956 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [scsi_eh_5]
    root 992 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [kstriped]
    root 1000 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [rpciod/0]
    root 1001 0.0 0.0 0 0 ? S< Aug26 0:00 \_ [rpciod/1]
    root 1008 0.0 0.0 0 0 ? S< Aug26 1:01 \_ [kjournald]
    root 1254 0.0 0.0 0 0 ? S< Aug26 0:01 \_ [kjournald]
    root 1 0.0 0.0 2096 644 ? Ss Aug26 0:00 init [2]
    daemon 1417 0.0 0.0 1888 484 ? Ss Aug26 0:00 /sbin/portmap
    root 1603 0.0 0.0 1812 620 ? Ss Aug26 0:00 /sbin/syslogd
    root 1612 0.0 0.0 1760 412 ? Ss Aug26 0:00 /sbin/klogd -x
    root 1624 0.0 0.0 5412 916 ? Ss Aug26 0:00 /usr/sbin/sshd
    root 27256 0.0 0.0 8308 2732 ? Ss 14:26 0:00 \_ sshd: [email protected]
    root 27261 0.0 0.0 4992 1624 ? Ss 14:26 0:00 | \_ /usr/lib/openssh/sftp-server
    root 27265 0.0 0.0 8312 2712 ? Ss 14:27 0:00 \_ sshd: [email protected]/0
    root 27269 0.0 0.0 4504 1700 pts/0 Ss 14:27 0:00 | \_ -bash
    root 27470 0.0 0.0 3916 972 pts/0 R+ 15:32 0:00 | \_ ps auxf
    root 27363 0.0 0.0 8308 2732 ? Ss 14:48 0:00 \_ sshd: [email protected]
    root 27367 0.0 0.0 4996 1628 ? Ss 14:48 0:00 \_ /usr/lib/openssh/sftp-server
    root 1667 0.0 0.0 2828 1256 ? S Aug26 0:00 /bin/sh /usr/bin/mysqld_safe
    mysql 1706 0.0 0.3 128528 13008 ? Sl Aug26 0:00 \_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-
    root 1707 0.0 0.0 1744 528 ? S Aug26 0:00 \_ logger -p daemon.err -t mysqld_safe -i -t mysqld
    104 2056 0.0 0.0 6268 824 ? Ss Aug26 0:00 /usr/sbin/exim4 -bd -q30m
    root 2090 0.0 0.0 3268 408 ? Ss Aug26 0:00 /usr/sbin/famd -T 0
    root 2128 0.0 0.0 3700 956 ? Ss Aug26 0:00 /usr/sbin/cron
    iroffer 2205 0.5 0.1 12044 4424 ? R Aug26 66:50 ./iroffer -b 1.config
    iroffer 2208 0.3 0.0 9408 1736 ? S Aug26 34:30 ./iroffer -b configs/2.config
    iroffer 2210 0.0 0.0 9932 2200 ? S Aug26 3:09 ./iroffer -b 3.config
    iroffer 2212 0.0 0.0 9276 1460 ? S Aug26 0:08 ./iroffer -b 4.config
    iroffer 2218 0.0 0.0 9284 1600 ? S Aug26 7:32 ./iroffer -b 5.config
    iroffer 2221 0.0 0.0 9588 2016 ? S Aug26 1:49 ./iroffer -b 6.config
    iroffer 2224 0.1 0.0 9276 1584 ? S Aug26 13:46 ./iroffer -b 7.config
    root 2226 0.0 0.1 7820 4960 ? Ss Aug26 0:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
    root 2227 0.0 0.0 1760 484 tty1 Ss+ Aug26 0:00 /sbin/getty 38400 tty1
    root 2228 0.0 0.0 1760 484 tty2 Ss+ Aug26 0:00 /sbin/getty 38400 tty2
    proftpd 20238 0.0 0.0 6976 1268 ? Ss Sep01 0:00 proftpd: (accepting connections)
    iroffer 21781 0.0 0.0 9232 1500 ? S Sep01 1:40 ./iroffer -b 8.config
    www-data 26383 0.0 0.0 5952 1736 ? S 06:25 0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
    www-data 26384 0.0 0.1 15760 4252 ? Ss 06:25 0:00 \_ /usr/bin/php5-cgi
    www-data 26395 0.0 0.0 15760 1708 ? S 06:25 0:00 | \_ /usr/bin/php5-cgi
    www-data 26389 0.0 0.1 15760 4256 ? Ss 06:25 0:00 \_ /usr/bin/php5-cgi
    www-data 26393 0.0 0.0 15760 1712 ? S 06:25 0:00 | \_ /usr/bin/php5-cgi
    www-data 26390 0.0 0.1 15760 4260 ? Ss 06:25 0:00 \_ /usr/bin/php5-cgi
    www-data 26394 0.0 0.0 15760 1716 ? S 06:25 0:00 | \_ /usr/bin/php5-cgi
    www-data 26391 0.0 0.1 15760 4256 ? Ss 06:25 0:00 \_ /usr/bin/php5-cgi
    www-data 26392 0.0 0.1 16320 4200 ? S 06:25 0:01 \_ /usr/bin/php5-cgi

    vmstat 5 5

    Code:
    $ vmstat 5 5
    procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
    r b swpd free buff cache si so bi bo in cs us sy id wa
    0 0 0 120204 22372 3899052 0 0 3 22 17 11 0 1 98 1
    0 0 0 122588 22368 3896804 0 0 692 13 6015 1045 0 1 99 0
    0 0 0 124104 22352 3894496 0 0 691 0 6026 902 0 1 99 0
    0 0 0 122264 22360 3897104 0 0 512 3 5506 905 0 1 99 0
    0 0 0 123804 22368 3894652 0 0 666 3 5963 1055 0 1 99 0

  5. #5
    Join Date
    May 2007
    Posts
    223
    Is this a SYN flood attack?
    Would "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" help me? And, if this caused impact to my clients, how would I disable that?

  6. #6
    Join Date
    Sep 2007
    Location
    New York, NY
    Posts
    109
    Quote Originally Posted by Lenihan View Post
    Is this a SYN flood attack?
    Would "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" help me? And, if this caused impact to my clients, how would I disable that?
    If it is a SYN flood then yes, enabling syncookies would help significantly, depending on the size of the attack. It won't affect your clients, but if you wanted to disable it just run the same command above replacing 1 with 0. You'll also want to enable syncookies in sysctl.conf so it is not set back to its default value of 0 (off) upon reboot.

    As for actually determining if it is a SYN flood, I would start by running:

    Code:
    netstat -ant | grep SYN_RECV | wc -l
    Last edited by Bob Shannon; 09-03-2009 at 07:04 PM.
    cPanelDesigns - High Quality & Mobile Ready cPanel Themes

  7. #7
    Join Date
    May 2007
    Posts
    223
    That's why I'm confused though. When I run
    netstat -ant | grep SYN_RECV | wc -l
    I get 0. But when I check
    tcptrack -i eth0, one time there were over 60,000 connections from one IP in status SYN_SENT (none in SYN_RECV).

  8. #8
    Join Date
    Sep 2007
    Location
    New York, NY
    Posts
    109
    If the packets are being sent from your server to those unknown IPs, it sounds more like some sort of trojan on your server rather than someone targeting you with a flood.
    cPanelDesigns - High Quality & Mobile Ready cPanel Themes

  9. #9
    Join Date
    May 2007
    Posts
    223
    When I do a netstat -antop I can't find those IPs or any reference to the port. Should I see a PID associated with the IP:port attempt?

    The only place I can find those IP addresses listed is via tcptrack. Is there another command I can run that can tell me what they are doing?
    When I do a
    "netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n"
    they don't show up there either.

    If I run rkhunter or chkrootkit, will it cause an outage at all? It won't break off connections or anything, right?

  10. #10
    Join Date
    May 2007
    Posts
    223
    I ran rkhunter: 4 warnings, but no trojans.
    Warnings were on unhide, unhide-linux26, root ssh access, and "Checking kernel module commands". Everything else came back clean.

    chkrootkit came back clean
    Last edited by Lenihan; 09-03-2009 at 08:30 PM.

  11. #11
    Join Date
    May 2007
    Posts
    223
    One last thing: when I'm doing the tcptrack -i eth0, I'm doing it in promiscuous mode. When I use the -p so it's not in promiscuous mode, it looks normal (unless it stopped for a while...).

  12. #12
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Quote Originally Posted by Lenihan View Post
    Code:
    $ iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  tracker.bitreactor.to  anywhere
    Null-route it:

    Code:
    # ip route add blackhole 212.117.161.90
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  13. #13
    Join Date
    May 2007
    Posts
    223
    I'll try that on the IPs that come up - thanks

  14. #14
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Note that if your server has connections with a tracker, it's very likely it has been compromised!
    The netstat command could have been compromised as well, but as it is only a /proc/net frontend you can check TCP connections that way:

    Code:
    # cat /proc/net/tcp
    Looking for IP 212.117.161.90 (network byte order notation):

    Code:
    # cat /proc/net/tcp | grep '5AA175D4'
    For UDP connections:

    Code:
    # cat /proc/net/udp | grep '5AA175D4'
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.
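Added example (not NinTechNet's code, and not part of the thread): a small Python parser for /proc/net/tcp that converts a dotted IP to the hex form used above (212.117.161.90 becomes 5AA175D4 on a little-endian x86 host), decodes each row's endpoints, state and socket inode, filters rows by remote IP, and maps a socket inode to its owning PID through /proc/<pid>/fd. The /proc/net/tcp text in the block is constructed; because /proc/net/tcp lists only sockets this host owns, a flow that appears in promiscuous-mode tcptrack but not here is not this host's traffic.

```python
import glob
import os
import socket
import struct

# Constructed sample of /proc/net/tcp (not from the thread). Row 0 is a
# SYN_SENT socket to 5AA175D4:0A96, i.e. 212.117.161.90:2710 in the
# little-endian hex form /proc/net/tcp prints on x86 hosts.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 5AA175D4:0A96 02 00000001:00000000 01:00000010 00000000  1001        0 5678 1 0000000000000000 100 0 0 10 -1
   1: 0100007F:0050 0200000A:C350 01 00000000:00000000 00:00000000 00000000    33        0 9012 1 0000000000000000 100 0 0 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

def ip_to_proc_hex(ip):
    """Dotted quad -> the 8 hex digits /proc/net/tcp shows on little-endian hosts."""
    return "%08X" % struct.unpack("<I", socket.inet_aton(ip))[0]

def proc_hex_to_endpoint(field):
    """'5AA175D4:0A96' -> ('212.117.161.90', 2710); ports are printed in host order."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote endpoints, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        cols = line.split()
        if len(cols) < 10:
            continue
        rows.append({"local": proc_hex_to_endpoint(cols[1]),
                     "remote": proc_hex_to_endpoint(cols[2]),
                     "state": TCP_STATES.get(cols[3], cols[3]),
                     "uid": int(cols[7]), "inode": int(cols[9])})
    return rows

def connections_to(text, ip):
    """Sockets whose remote end is `ip` (what grep '5AA175D4' does, without the hex)."""
    return [r for r in parse_proc_net_tcp(text) if r["remote"][0] == ip]

def pid_for_inode(inode):
    """Map a socket inode to the PID holding it via /proc/<pid>/fd (Linux, run as root)."""
    target = "socket:[%d]" % inode
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                return int(fd.split("/")[2])
        except OSError:                         # process exited or fd not readable
            continue
    return None
```

On the live host, read /proc/net/tcp instead of the sample and pass each matching row's inode to pid_for_inode to get the process the thread was asking about.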

  15. #15
    Join Date
    May 2007
    Posts
    223
    Hi, I did those commands, and nothing came back.
    The IP isn't always the tracker; there are multiple IPs that it comes from. But why do they show up only when running tcptrack in promiscuous mode?
