Last Sunday I had a new customer sign up to our Linux Server Management company and one of the issues they were receiving was bandwidth overages for continual outbound DoS attacks their system was performing but they were unable to track.

So in effort to find the initial cause of this with no real data to work from I had a search around the system for the usual suspects but couldn’t find any particular culprit. Manually inspecting nearly 2 million files was not an option so opted to carry on with the usual setup and enforced posix ACL’s against the apache user and setup some more explicit bandwidth monitoring to obtain data when an attack was occurring.

A few hours later an alert came in that the outbound bandwidth exceeded the threshold so I promptly begin investigating, The process list doesn’t seem to show any obvious usual culprits. After spending a few minutes with iftop and tcpdump I identified the targeted IP and that the traffic was being directed to a DNS server (port 53). I filtered traffic to this IP while investigating the source, as there was no unusual processes I decided to have alook at the apache status and found the GET request containing the destination IP and port (xxx.php?target=xx.xx.xx.xx&port=53).

I got the vhosts path from the httpd.conf and reviewed the file and it looks like a simple php script to perform a UDP flood to the target,

$sock=socket_create(AF_INET,SOCK_DGRAM,SOL_UDP);

while(true)
{
if(!socket_sendto($sock,$data,strlen($data),0,$target,$port)) die("Error SendTo!!!");
}


That is a snippet of it. It is very unusual to see these PHP based which is the reason for this blog entry and a definite new addition to the search list.

For those of you interested the customer already had MRTG installed and below is the last week which shows the attack saturating the uplink (100Mbit) when it was occurring but has since been stopped.

apache status, bandwidth graph, bandwidth network monitor, cacti, cacti graphs, cacti monitoring, mrtg graphs, outbound dos, outbound firewall, php ddos, php dos, posix acl, server management, traffic graph, udp.pl Hide

Tired of paying someone to setup your server? Want a quick way to setup thousands of domains? Read on…

I have made a quick guide on how to setup a server specifically for MFA sites from start to finish. The server will consist of,

• Web server – Apache
• Database – mySQL
• Scripting Language – PHP
• FTP Daemon – vsFTPD
• DNS Server – Bind

We are going to assume you are using centOS and have yum available. This should only be used on a fresh install. So lets begin,

Installing Services

To make this quick we are just going to use the RPM’s available from the depositories. At the shell prompt execute,


yum -y install httpd httpd-devel mysql mysql-server mysql-devel vsftpd bind bind-libs bind-utils php php-cli


Once this completes you should see something like this,

Now that the services are installed it’s time to configure them.

(more…)

apache automate, auto add domains, auto configure apache, auto configure bind, bind auto configure, bind auto generate, bind automate, centos install apache, centos install mySQL, centos install php, centos install vsftpd, configure apache, configure mysql, configure php, mfa server Hide