On Tue, Feb 23, 2010 at 11:46 AM, Paul Stewart
wrote:
> The problem is that a user on this box appears to be launching high
> traffic DOS attacks from it towards other sites. These are UDP based
> floods that move around from time to time - most of these attacks only
> last a few minutes.
Do the
On Tue, Feb 23, 2010 at 02:55:40PM -0600, Chris Adams wrote:
> Once upon a time, Matt Sprague said:
> > The user could also be running the command inline somehow or deleting
> > the file when they log off. Check who was logged onto the server at
> > the time of the attack to narrow down your sea
On 2/23/2010 5:38 PM, Nathan Ward wrote:
Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely
to not work if there's a rootkit on the box. The whole point of a rootkit is to
hide processes and files from these tools.
Get some statically linked versions of these bins o
The problem is that a user on this box appears to be launching high
traffic DOS attacks from it towards other sites. These are UDP based
floods that move around from time to time - most of these attacks only
last a few minutes.
Maybe it's not 'malicious' at all. For instance, is there a Bitt
-Original Message-
From: Chris Adams [mailto:cmad...@hiwaay.net]
Sent: Tuesday, February 23, 2010 2:56 PM
To: Matt Sprague
Cc: nanog@nanog.org
Subject: Re: Security Guideance
Once upon a time, Matt Sprague said:
> The user could also be running the command inline somehow or deleting
> the file
Why does there need to be blame? Diagnose the problem, fix the problem, move
on with life. Someone made a mistake, learn from it, move on.
--
Joel Esler
joel.es...@me.com
http://www.joelesler.net
On Tuesday, February 23, 2010, at 05:13PM, wrote:
>On Tue, 23 Feb 2010 11:27:21 -1000, Nate Itk
On 2/23/10 9:46 PM, Paul Stewart wrote:
Hi folks...
We have a strange series of events going on in the past while. Brief
history here, looking for input from the community - especially some of
the security folks on here.
If you can't discover the malware using methods available to you, are
> The problem is that a user on this box appears to be launching high
> traffic DOS attacks from it towards other sites. These are UDP based
> floods that move around from time to time - most of these attacks only
> last a few minutes.
>
>
>
> I've done tcpdumps within seconds of the attack sta
Just figured I might add a little direction to this.
1. If it's a production system that impacts several users/customers your best
bet would be to rebuild the system from scratch, not an image. Yes, it takes
time, but investigating it will likely take longer. As you previously
mentioned the folk(s)
Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely
to not work if there's a rootkit on the box. The whole point of a rootkit is to
hide processes and files from these tools.
Get some statically linked versions of these bins on to the server, and hope
they haven't pat
On Tue, 23 Feb 2010 11:27:21 -1000, Nate Itkin said:
> On Tue, Feb 23, 2010 at 02:46:54PM -0500, Paul Stewart wrote:
> > The problem is that a user on this box appears to be launching high
> > traffic DOS attacks from it towards other sites.
>
> It's possible the user inadvertently enabled the sam
On Tue, Feb 23, 2010 at 02:46:54PM -0500, Paul Stewart wrote:
> The problem is that a user on this box appears to be launching high
> traffic DOS attacks from it towards other sites.
It's possible the user inadvertently enabled the same exploit after you
rebuilt the system. I suggest caution with
plesk on freenode for a wealth of Plesk
security knowledge. Hope this helps
Joe Conlin
Access Northeast
jcon...@axsne.com
www.axsne.com
"Your Partner for IP Network Solutions"
-Original Message-
From: Paul Stewart [mailto:pstew...@nexicomgroup.net]
Sent: Tuesday, February 23, 2010 2
Once upon a time, Matt Sprague said:
> The user could also be running the command inline somehow or deleting
> the file when they log off. Check who was logged onto the server at
> the time of the attack to narrow down your search. I like the split
> the users idea, though it could be several i
> What tools/practices do others use to resolve this issue?
use lsof, should be able to show you consumption of network socket
resources by process (and hence user, hopefully)
Dave.
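Following up on Dave's lsof suggestion and Nathan's point that ps/netstat/lsof on the box may themselves be patched: the script below is an added example for this thread, not any poster's code. It does the socket-to-process mapping those tools do, but by reading /proc directly, and it goes a little further than the lsof one-liner: it also reads /proc/net/raw (a flooder running as root often uses raw sockets rather than UDP), prints the uid column the kernel records for each socket (so the user is identified even if the pid cannot be found), and can sample repeatedly since the floods here only last minutes. Script and function names are my own. The caveat still applies: a kernel-level rootkit that filters /proc defeats this as well; a userland rootkit that only replaces the binaries does not.

```shell
#!/bin/sh
# udp_by_pid.sh - list UDP and raw sockets with owning uid, pid and command line
# by reading /proc directly instead of trusting ps/netstat/lsof binaries.
# Added example for this thread (not any poster's code); names are my own.
# Caveat: a kernel-level rootkit that filters /proc defeats this too.

# Convert "0100007F:0035" (IPv4 as printed in /proc/net/udp) to "127.0.0.1:53".
# The kernel prints the address in host byte order, so on the usual
# little-endian x86 boxes the octets appear reversed.
hex2addr() {
    hex=${1%%:*}
    port=$(printf '%d' "0x${1##*:}")
    o1=$(printf '%d' "0x${hex#??????}")
    t=${hex#????}; o2=$(printf '%d' "0x${t%??}")
    t=${hex#??};   o3=$(printf '%d' "0x${t%????}")
    o4=$(printf '%d' "0x${hex%??????}")
    printf '%s.%s.%s.%s:%s\n' "$o1" "$o2" "$o3" "$o4" "$port"
}

# Read a /proc/net/udp or /proc/net/raw table on stdin and print one line per
# socket: inode local remote tx_queue:rx_queue uid. The uid column is the
# kernel's own record of the socket owner, so it identifies the user even when
# the owning process cannot be found.
parse_sock_table() {
    awk 'NR > 1 && NF >= 10 { print $10, $2, $3, $5, $8 }'
}

# Find the pid holding socket inode $1 by scanning /proc/<pid>/fd symlinks
# (the same mapping lsof and netstat -p do). Prints the pid, or fails.
socket_owner() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        printf '%s\n' "${pid%%/*}"
        return 0
    done
    return 1
}

# One pass over the live tables. A non-zero tx_queue on a UDP socket, or any
# raw socket owned by an unexpected uid, is what a flooding process looks like.
report() {
    for table in udp raw; do
        [ -r "/proc/net/$table" ] || continue
        parse_sock_table < "/proc/net/$table" |
        while read -r inode local remote queues uid; do
            [ "$inode" = 0 ] && continue    # inode 0: no owner recorded
            pid=$(socket_owner "$inode") || pid='?'
            cmd='?'
            [ "$pid" != '?' ] && cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s uid=%s pid=%s %s -> %s txq:rxq=%s cmd=%s\n' "$table" "$uid" "$pid" \
                "$(hex2addr "$local")" "$(hex2addr "$remote")" "$queues" "$cmd"
        done
    done
}

# Floods here last only minutes, so sample repeatedly: sh udp_by_pid.sh scan 5
if [ "${1:-}" = scan ]; then
    while :; do
        date; report
        [ -n "${2:-}" ] || break
        sleep "$2"
    done
fi
```

Run it as `sh udp_by_pid.sh scan 5` from a shell you trust (a statically linked one copied onto the box, per Nathan's advice) and leave it running until the next flood; a socket whose tx_queue is climbing, or a raw socket held by a hosting customer's uid, points straight at the process and the account. IPv6 tables (/proc/net/udp6) use a different address encoding and are left out here.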
On Tue, Feb 23, 2010 at 02:46:54PM -0500, Paul Stewart wrote:
> Hi folks...
>
>
>
> We have a strange series of events going on in the past while. Brief
> history here, looking for input from the community - especially some of
> the security folks on here.
>
>
>
> We provide web hosting se
On Tue, Feb 23, 2010 at 02:39:41PM -0600, Dan White wrote:
> Date: Tue, 23 Feb 2010 14:39:41 -0600
> From: Dan White
> To: Ronald Cotoni
> Subject: Re: Security Guideance
> Cc: nanog@nanog.org
>
> On 23/02/10 15:19 -0500, Ronald Cotoni wrote:
> >Quick suggestion BUT you may w
On 23/02/10 15:19 -0500, Ronald Cotoni wrote:
Quick suggestion BUT you may want to have Parallels look into it if
you can't seem to find it since you pay for the support anyways. You
may also want to check to see if it is a cron job that is doing it (if
the machine was rootkitted, you may have
> The user could also be running the command inline somehow or deleting the
> file when they log off.
"wiretapping" your SSHd is one way to find out what people are up to
http://forums.devshed.com/bsd-help-31/logging-ssh-shell-sessions-30398.html
Also .. if you have the resources, a passive
Place an ids in front of the server and write a rule for the traffic
signature.
Paul B.
Sent with Android
On Feb 23, 2010 3:25 PM, "Matt Sprague" wrote:
The user could also be running the command inline somehow or deleting the
file when they log off. Check who was logged onto the server at th
-Original Message-
From: Ronald Cotoni [mailto:seti...@gmail.com]
Sent: Tuesday, February 23, 2010 3:20 PM
To: Paul Stewart
Cc: nanog@nanog.org
Subject: Re: Security Guideance
Quick suggestion BUT you may want to have Parallels look into it if
you can't seem to find it since you pay fo
Quick suggestion BUT you may want to have Parallels look into it if
you can't seem to find it since you pay for the support anyways. You
may also want to check to see if it is a cron job that is doing it (if
the machine was rootkitted, you may have accidentally copied a cron
job over. Another su
Hi folks...
We have a strange series of events going on in the past while. Brief
history here, looking for input from the community - especially some of
the security folks on here.
We provide web hosting services - one of our hosting boxes was found a
while back with rootkits installed, u