
My web host has informed me that my Fedora server is the source of an outbound DDoS attack on somebody. The web host didn't give any other information. How can I find out what process is doing the attack so that I can stop it? I realize this is vague but I think if I can view outbound traffic in some way I might be able to find the process that is sending it.

I appreciate I will need to find the point of entry once I have stopped the attack, and likely will need to re-image the server with updates.

Thanks in advance.

Jason

2 Answers


You could use something like iptraf (available in a repo near you). This will tell you which ports are being used on your system and at what rate. Once you know which ports are being used you can then use netstat to find the process attached to each port. So if for example you identify that your port 6666 is active you can use

netstat -tunp | grep 6666
tcp   0  77352 192.168.254.188:56405  192.168.254.181:6666   ESTABLISHED 30072/nc

As you can see in this demo pid 30072 is using the port.

user9517
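One way to do the netstat step across every connection at once, as an added example that is not part of the answer above: a small POSIX shell function that ranks the processes in `netstat -tunp` output by queued outbound bytes (Send-Q) and connection count, so a flood source stands out. The netstat lines it reads here are constructed sample data; on a live box you would pipe the real command into it.

```shell
#!/bin/sh
# Added example (not from the original answer). Rank processes seen in
# `netstat -tunp` output by bytes waiting to be sent and by connection count.
# Output columns: PID/Program  total-Send-Q  connections  distinct-peers
rank_senders() {
    # netstat -tunp columns: Proto Recv-Q Send-Q Local Foreign [State] PID/Program
    # UDP lines may lack the State column, so PID/Program is always the last field.
    awk '
        $1 ~ /^(tcp|udp)/ {
            pid = $NF
            sendq[pid] += $3
            conns[pid] += 1
            # Count distinct remote hosts per process; strip the :port suffix.
            peer = $5; sub(/:[0-9]+$/, "", peer)
            if (!((pid, peer) in seen)) { seen[pid, peer] = 1; peers[pid] += 1 }
        }
        END {
            for (p in sendq)
                printf "%s %d %d %d\n", p, sendq[p], conns[p], peers[p]
        }
    ' | sort -k2,2nr -k3,3nr
}

# Constructed sample in the shape of `netstat -tunp` output (not real traffic).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0  77352 192.168.254.188:56405   192.168.254.181:6666    ESTABLISHED 30072/nc
tcp        0  65536 192.168.254.188:56406   192.168.254.181:6666    ESTABLISHED 30072/nc
tcp        0      0 192.168.254.188:22      203.0.113.7:51022       ESTABLISHED 1201/sshd
udp        0      0 192.168.254.188:68      192.168.254.1:67        ESTABLISHED 812/dhclient'

# Live use would be:  netstat -tunp 2>/dev/null | rank_senders
printf '%s\n' "$SAMPLE_NETSTAT" | rank_senders
```

The first line of the ranking names the process to inspect next (with `ps -fp PID` and `ls -l /proc/PID/exe`), while a busy sshd or a fast attack that keeps Send-Q low will show up by connection count instead.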

Please note that you may find nothing at all. There is a chance that your system has been compromised and the tools you are using don't give the correct answers they should. Even using the system for further analysis could lead to more problems if there's a backdoor and you are entering your passwords for example.

The only solution is to shut down the server and consider it compromised. If you want to find the source in a safe way you'd have to examine the system in an isolated environment.

Kai Bojens
  • Good points, unfortunately it is hosted by a web host, the only way I can access it is via the Internet (no physical access), and I really want to eventually find the entry point if I can so that I can prevent it happening again. – Jason Mar 15 '13 at 15:56