
Possible Duplicate:
My server's been hacked EMERGENCY

We have a remote Linux (Debian) server, which is, apparently, being used as a platform to commit a DoS attack. We have been warned by the company hosting our server that we have a large amount of outgoing traffic from that server.

What I want to know is: how can I track, and eventually kill, the process which is causing this large amount of traffic?

I've played around with something like this before but it was a while ago and I think I remember using 'lsof' to track the process. However, lsof isn't installed on this server and, having never installed anything on Linux before, I don't really know how to install it.

I'd appreciate any advice or guidance on this matter but the main question is basically how do I track the malicious process?

bobble14988

2 Answers


Well, honestly, if you aren't sure of how to install software on your system you might consider hiring someone to take care of this for you. Tracking down malware like this can be quite tricky; it often tries to hide as a legitimate process.

Also, you need to locate the hole through which the software was installed, which is another matter entirely. It probably means you need to secure your software/machine a bit more.

If you still want to attempt this yourself, I'd suggest shutting down all the legitimate services you know about, and seeing what remains. Maybe check the output of 'netstat -anp'; this should give you the process ID of anything using the network.

It's also possible that someone has uploaded a PHP DOS tool, and is attacking through that. If that's the case, you would need to examine all your web directories. A tool like maldet might help you. If this is the case, the attack would appear to be coming from your legitimate Apache process.

devicenull
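As an added example that is not part of either answer: a small POSIX shell helper that aggregates the output of devicenull's `netstat -anp` by owning process, so the PID holding the most live connections stands out instead of being read row by row. The netstat output embedded below is constructed for offline use; on the real server you would pipe the live command into `top_talkers` as root.

```shell
#!/bin/sh
# Added example, not from the original answers. Aggregates 'netstat -anp'
# rows by the PID/Program column so the process with the most connections
# to real remote peers is listed first.

# Constructed sample of 'netstat -anp' (Debian net-tools layout). PID 3390
# is a made-up process that is mid-flood; the rest are ordinary daemons.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/apache2
tcp        0      0 203.0.113.10:22         198.51.100.7:50122      ESTABLISHED 2210/sshd
tcp        0  65535 203.0.113.10:41002      192.0.2.55:80           SYN_SENT    3390/unknownbin
tcp        0  65535 203.0.113.10:41003      192.0.2.55:80           SYN_SENT    3390/unknownbin
tcp        0  65535 203.0.113.10:41004      192.0.2.55:80           SYN_SENT    3390/unknownbin
udp        0      0 203.0.113.10:53210      192.0.2.55:53           ESTABLISHED 3390/unknownbin
tcp        0      0 203.0.113.10:80         198.51.100.9:60011      ESTABLISHED 1201/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           744/dhclient'

# Read netstat -anp on stdin; print "<count> <PID/Program>" lines, busiest first.
# Listening sockets (foreign address ending in ":*") and rows where netstat
# could not resolve the owner ("-") are skipped. $NF is used for the owner
# because UDP rows have an empty State column, which shifts the fields.
top_talkers() {
    awk '
        ($1 == "tcp" || $1 == "tcp6" || $1 == "udp" || $1 == "udp6") \
            && $5 !~ /:\*$/ && $NF != "-" {
            count[$NF]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# Just the PID of the busiest process, ready for /proc/<pid> inspection.
top_pid() {
    top_talkers | head -n 1 | awk '{ split($2, a, "/"); print a[1] }'
}

# Stand-alone demo on the constructed sample; on a live box run:
#   netstat -anp | top_talkers
printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers
```

Once a PID stands out, `ls -l /proc/<pid>/exe` and `tr '\0' ' ' < /proc/<pid>/cmdline` show which binary is really behind it, which matters when the process name was chosen to look like a legitimate service.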

For the general case, nethogs is great for viewing bandwidth usage by process. For your specific case, take devicenull's advice.

sciurus