kcjames
Guest
We appear to have a script or something on the system that is allowing someone to send out large amounts of UDP packets directed to various target IPs.
I have been logging the tcp data to find the destination IP and blocking it in iptables, but this is only a patch and not fixing the problem.
I have grep'd logs until I can't see straight and have been unable to nail down the offender. I am 99% sure it is perl or php related since when the packets start flowing the perl process jumps to 99.9%.
I have chmod'd ping and traceroute so they are not executable, but that doesn't seem to have fixed the problem.
Needless to say when the server starts doing this it floods our backbone connection and causes all sorts of routing issues. Thankfully it is only lasting for a few minutes at a time, then the guy gives up for several hours.
Anyone have any ideas on how I can find what perl script is doing this or how I can prevent the UDP outflow?
I am not sure what ports it is targeting because my tcpdumps weren't in verbose mode; that has changed, so hopefully I can catch them on the next attack.
Watchdog scans find no vulnerabilities on the server. The server is pretty restricted: users don't have shell access, and php is restricted to one user and by IP, in addition to iptables rules preventing access to all non-essential ports and services.
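The question above is really "which process owns the UDP socket that is flooding?". The following is an added example for this thread, not the poster's code or anything from the forum: it maps every live UDP socket to the process holding it by reading `/proc/net/udp` and resolving the `socket:[inode]` links under each `/proc/<pid>/fd`. It assumes a Linux `/proc` layout and that it is run as root (a non-root user only sees its own processes' fds). The `/proc/net/udp` excerpt embedded for offline use is constructed, not captured from the affected server.

```python
#!/usr/bin/env python3
"""Map live UDP sockets to the processes holding them by reading /proc (Linux).

Added example for this thread, not the poster's own code. It assumes a Linux
host where /proc is readable; run it as root to see every process's fds.
"""
import os
import re
from collections import defaultdict

# Constructed /proc/net/udp excerpt for offline demonstration (not captured
# from the poster's server). Socket 1 has been connect()ed to a remote
# endpoint, which is why its rem_address is filled in.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234567 2 0000000000000000 0
   1: 0500000A:D431 0701A8C0:1F90 01 00000000:00000000 00:00000000 00000000    48        0 7654321 2 0000000000000000 0
"""


def _hex_endpoint(field):
    """Decode 'AABBCCDD:PPPP' from /proc/net/udp: IPv4 in little-endian byte order, port big-endian."""
    addr_hex, port_hex = field.split(":")
    octets = [int(addr_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_udp(text):
    """Return one dict per UDP socket: local/remote endpoints, owning uid, socket inode."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": _hex_endpoint(fields[1]),
            "remote": _hex_endpoint(fields[2]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def connected_udp(sockets):
    """Sockets with a remote endpoint set: the process called connect() and talks to a single target."""
    return [s for s in sockets if s["remote"] != ("0.0.0.0", 0)]


def _cmdline(pid):
    """Command line of a pid, or '?' if it exited or is not readable."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"


def socket_inode_owners():
    """Build {socket inode: [(pid, cmdline), ...]} by resolving every readable /proc/<pid>/fd symlink."""
    owners = defaultdict(list)
    if not os.path.isdir("/proc"):
        return owners
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:                 # process exited, or not ours and we are not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))].append((int(pid), _cmdline(pid)))
    return owners


def report(sockets, owners):
    """One line per UDP socket naming its owning process(es), or 'unknown' when /proc hid them."""
    lines = []
    for s in sockets:
        who = ", ".join(f"pid {pid} [{cmd}]" for pid, cmd in owners.get(s["inode"], [])) \
            or "unknown (run as root)"
        lines.append(f"{s['local'][0]}:{s['local'][1]} -> {s['remote'][0]}:{s['remote'][1]} "
                     f"uid={s['uid']} owner: {who}")
    return lines


if __name__ == "__main__":
    with open("/proc/net/udp") as fh:
        live = parse_proc_net_udp(fh.read())
    print("\n".join(report(live, socket_inode_owners())))
```

Run it in a loop (or from cron every few seconds) while the flood is happening, since the socket only exists for the minutes the script is active. A script that uses `sendto()` on an unconnected socket shows `0.0.0.0:0` as its remote, so don't filter on connected sockets alone: any UDP socket whose owner is a `perl` or `php` process under the web user's uid is the one to look at, and the `cmdline` column then gives the script path. The `uid` column from `/proc/net/udp` is useful on its own; an `iptables` `OUTPUT` rule with `-p udp -m owner --uid-owner <webuser> -j LOG` records the same ownership at the firewall and survives the process exiting.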