Server Abuse

Discussion in 'General' started by godsdog, Oct 1, 2006.

  1. godsdog

    godsdog New Member

    Hi. I'm positive that certain users are abusing the bandwidth and perhaps have compromised the server for other uses. I notice a huge amount of bandwidth being consumed by the server and when I do a netstat, I notice things like numerous ircd, tr-rsrb-p1 connections and a huge ammount of http connections from the same IP (or extreamly similar on the same subnet)
    It takes about 3 minutes to perform a netstat > list.txt command. Beleive me, it's not a slow server...until now.

    Where should I start? I'm a little taken that the firewall has no effect on these connections.
     
  2. godsdog

    godsdog New Member

    Here is an example of what I see in my netstat
    over 200 occurances of
    Code:
    tcp        0      0 webserver.bcsolutions:60859 realmadrid.pl:ircd          CLOSE_WAIT  5784/-bash
    and maybe 200 occurance of
    Code:
    tcp        0    178 webserver.bcsolutions:44205 88.84.148.137:tr-rsrb-p1    LAST_ACK    -      
    These are only two of the absolute worst examples. This is normally a pretty quiet corner of the internet. I was having lots of fun killing the processes for a while, but they still always seem to come back.
     
    Last edited: Oct 1, 2006
  3. godsdog

    godsdog New Member

    Well, I turned if off for a few hours and it seems that they've all went away (who knows for how long) It's too bad these domains have to lose service for so long just to regain control. I still want to know how to prevent this from happening. I've got netstat outputs if it's any help.

    >edit<

    I am now performing commands like the following...is this effective? And if so, how to I block the realmadrid.pl?
    Code:
    iptables -A INPUT -s  64.233.167.99 -j DROP
     
    Last edited: Oct 2, 2006
  4. godsdog

    godsdog New Member

    Well, I don't have to turn off the webserver in order to get on the net anymore so I'm guessing the iptables command has saved the day. I hope this thread comes in handy for anyone else battling wannabe hackers. This has made me think a little more seriously about passwords and other stuff.

    Does anyone have any other suggestions for preventing and blocking or maybe even more on what and where to look for stuff regarding security? Thanks for anything else. It's been quite a day and I could have used a tip or two. Oh well, onward and upward. Cheers!
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    These are the typical symtoms for a insecure PHP or CGI script that allows remote commad executions. Please check that all forums and CMS systems like phpbb and mabo are patched and up to date on your server. Enable PHP safemode in all sites where it is possible without breaking the installed PHP scripts.
     
  6. sjau

    sjau Local Meanie Moderator

    If the server truly has been compromised there's only one thing to do:

    Total reinstall - as you can never be sure what's on the server... what was altered.... just have a go... if you notice unusual behaviour again then you might consider to do that.
     
  7. godsdog

    godsdog New Member

    Thanks for the advice on Safe Mode. I'll google up some literature on it. I've always seen it but never understood what it does.
    Yesterday the server was using all bandwidth avaliable and locking up our network for internet access which made me think they were hosting files or something, but ever since I've banned their IP addresses, it's back to normal. I'm definitly taking the log files seriously and am ashamed to admit it but things started getting a little wonky last week. I'll know better next time.
     
  8. sjau

    sjau Local Meanie Moderator

    Install chkrootkit and rkhunter (Howtos in the howto section) and see if they find somethinge :)
     

Share This Page