So I got an abuse complaint for one of my dedicated servers, running Debian 6.0.

Sure enough, sometimes 'top' shows '/usr/bin/host' using a lot of CPU for no apparent reason, and netstat shows the process 'host' doing a lot of HTTP requests. After a while, my syslog even says "nf_conntrack: table full, dropping packet.", which I assume has something to do with this matter.

I have verified the executable '/usr/bin/host' using debsums, and it seems to be fine, too. The server as such is 100% updated, too.

So I am guessing something is somehow calling my 'host' executable and coercing it to do HTTP requests for some DDoS.

I could of course simply hack together a script to 'killall host' as soon as this is happening, but I would really like to know where the problem originates from.

I am checking the Apache logs for interesting entries around the time that 'host' is starting to do its requests, but haven't found anything yet.

Anyone have a recommendation on what else to do? How can I see who and what called 'host'?

Google didn't turn up any examples of '/usr/bin/host' being abused, at all!
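One way to answer "who and what called 'host'" while the CPU spike is live, as an added example that is not part of the original post: walk /proc and print the parent chain (PID, PPID, UID, working directory, executable, command line) of every running process named host. It assumes only a Linux /proc filesystem; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): walk /proc to show which
# process tree spawned a given program, e.g. /usr/bin/host.
# Assumes a Linux /proc filesystem; nothing else is required.

# Print the PIDs of all running processes whose comm name matches $1.
find_procs_named() {
    name="$1"
    for d in /proc/[0-9]*; do
        pid="${d#/proc/}"
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm" 2>/dev/null)" = "$name" ]; then
            echo "$pid"
        fi
    done
}

# Print one line per ancestor of PID $1, from the process itself up to
# init: "pid ppid uid cwd exe cmdline". The cwd and exe fields answer
# "what called it and from where" (a web-writable cwd such as /tmp or
# a DocumentRoot upload dir under an Apache-owned parent is a red flag).
proc_ancestry() {
    pid="$1"
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status") || ppid=0
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status") || uid='?'
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd='?'
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe='?'
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null) || cmd='?'
        printf '%s %s %s %s %s %s\n' "$pid" "$ppid" "$uid" "$cwd" "$exe" "$cmd"
        [ "$pid" -eq 1 ] && break
        pid="$ppid"
    done
}

# Report the ancestry of every process currently named $1 (default: host).
# Run it from a watch loop or cron so it fires while the spike is happening.
report_callers() {
    name="${1:-host}"
    for p in $(find_procs_named "$name"); do
        echo "== $name pid $p =="
        proc_ancestry "$p"
    done
}
```

If the chain ends in an Apache worker, the cwd and cmdline of the intermediate process usually point at the script that was dropped; on a live system an audit rule such as `auditctl -w /usr/bin/host -p x -k host_exec` (then `ausearch -k host_exec`) records every execution together with its parent PID and working directory, even for processes that exit too fast to catch in /proc.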