I have a server running multiple web hosts (all internally managed) which was the subject of what looked like a DoS attack last night. I blocked the attacking IP in iptables on both the INPUT and OUTPUT chains. That seemed to solve the problem and I went home.
This morning the server died again. This time it seems from netstat that it was sending multiple SYNs to the attacking IP. Obviously they were dropped by the iptables OUTPUT chain, but there were so many in the stack that it failed.
I am worried that the server is sending SYNs to the attacker. Presumably it's trying to establish a new outbound connection to the attacker IP on port 80, but why? Does this mean the server is compromised? How can I find what is causing this? I have tried netstat -p, but it just shows the owner of the outgoing attempts as httpd.
There are some big sites in the web directory, so my attempt at grepping for the attacker IP in all the web files would take days.
What to do?
Many thanks in advance.
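As an added example (not from the poster), a small Python script that goes one step past netstat -p: it reads /proc/net/tcp for sockets in SYN_SENT towards the attacker's address and maps each one to the owning PID and command line through /proc/<pid>/fd, so you can see exactly which httpd worker processes are making the outbound attempts and then match those PIDs against the access log or mod_status to find the request (and the script or page) that triggers them. The address 203.0.113.5 and the embedded /proc/net/tcp sample are constructed placeholders; run it as root on a real box.

```python
import os
import socket
import struct
from pathlib import Path

SYN_SENT = "02"  # socket state code used in /proc/net/tcp

# Constructed sample of /proc/net/tcp: two half-open sockets to 203.0.113.5:80, one established.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00020F:B6E2 057100CB:0050 02 00000001:00000000 01:00000123 00000002    48        0 12345 1 0000000000000000 100 0 0 10 -1
   1: 0A00020F:B6E3 057100CB:0050 02 00000001:00000000 01:00000123 00000002    48        0 12346 1 0000000000000000 100 0 0 10 -1
   2: 0A00020F:0050 0A000201:C3A1 01 00000000:00000000 00:00000000 00000000    48        0 12347 1 0000000000000000 20 0 0 10 -1
"""

def hex_to_ipv4(hex_ip: str) -> str:
    """/proc/net/tcp stores IPv4 addresses as little-endian hex (0100007F -> 127.0.0.1)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))

def parse_proc_net_tcp(text: str):
    """Yield (remote_ip, remote_port, state, inode) for every socket line; the header is skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        rem_ip_hex, rem_port_hex = fields[2].split(":")
        yield hex_to_ipv4(rem_ip_hex), int(rem_port_hex, 16), fields[3], fields[9]

def syn_sent_inodes(text: str, target_ip: str):
    """Inodes of sockets stuck in SYN_SENT towards target_ip (the half-open outbound attempts)."""
    return [inode for ip, _port, state, inode in parse_proc_net_tcp(text)
            if ip == target_ip and state == SYN_SENT]

def inode_to_pids(inodes, proc_root="/proc"):
    """Map socket inodes to (pid, cmdline) by scanning /proc/<pid>/fd symlinks (needs root)."""
    wanted = {f"socket:[{inode}]": inode for inode in inodes}
    owners = {}
    for pid_dir in Path(proc_root).glob("[0-9]*"):
        try:
            for fd in (pid_dir / "fd").iterdir():
                inode = wanted.get(os.readlink(fd))
                if inode is not None:
                    cmdline = (pid_dir / "cmdline").read_bytes().replace(b"\0", b" ").strip()
                    owners[inode] = (int(pid_dir.name), cmdline.decode(errors="replace"))
        except OSError:
            continue  # process exited meanwhile, or fd directory not readable
    return owners

def find_syn_senders(target_ip, tcp_path="/proc/net/tcp", proc_root="/proc"):
    """Which processes own half-open connections to target_ip? Returns {inode: (pid, cmdline)}."""
    return inode_to_pids(syn_sent_inodes(Path(tcp_path).read_text(), target_ip), proc_root)

if __name__ == "__main__":
    import sys
    for inode, (pid, cmd) in find_syn_senders(sys.argv[1]).items():
        print(f"inode {inode} pid {pid}: {cmd}")
```

With the PIDs in hand, Apache's mod_status (ExtendedStatus On) shows the request each worker is currently serving, which is far quicker than grepping the whole document root.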