
Date:  Sat, 16 Jun 2007 20:41:04 +0300
From:  Arthur Sherman <arturs (at mark) netvision.net.il>
Subject:  [coba-e:10144] Re: FYI: BQ brought down by DDoS attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <000001c7b03d$851a3790$3701a8c0@user33b5201c50>
In-Reply-To:  <bb9e5a970706151621h31ead449p73e6f493ff06897c (at mark) mail.gmail.com>
X-Mail-Count: 10144

Solarspeed.net 


> -----Original Message-----
> From: dnk [mailto:d.k.emaillists (at mark) gmail.com] 
> Sent: Saturday, June 16, 2007 2:22 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:10143] Re: FYI: BQ brought down by DDoS attack
> 
> Curious - what is the URL to said security package?
> 
> 
> 
> On 6/15/07, Hugh Messenger <hugh (at mark) alaweb.com> wrote:
> > This sounds similar to something I saw happen to one of my 
> BQ boxes a 
> > few months ago.
> >
> > If you are running PHP, and especially if you have turned off safe 
> > mode, I suggest you do a netstat and see if you have any unusual 
> > looking outbound SMTP activity.  If so, hunt around for a qmail 
> > install.  Or ps -ef and see if qmail is running.  The 
> attack I got hit 
> > with ended up finding an XSS vulnerability in PHP, and 
> installed a very nasty spam zombie using qmail.
> >
> > At least, we think that's how it installed the package.  But it may 
> > have compromised an account using the POP3 harvesting attack.  What 
> > seems definite is that there was a coordinated attack on multiple 
> > vectors, it wasn't just a POP3 attack, or an XSS probe, etc.
> >
> > But one of the biggest symptoms we noticed was disk 
> activity, a result 
> > of qmail running flat out delivering porno spam.
> >
> > Probably isn't the same thing, but your symptoms sound very 
> similar ...
> >
> >    -- hugh
> >
> >
> > > -----Original Message-----
> > > From: Arthur Sherman [mailto:arturs (at mark) netvision.net.il]
> > > Sent: Friday, June 15, 2007 12:43 PM
> > > To: coba-e (at mark) bluequartz.org
> > > Subject: [coba-e:10138] FYI: BQ brought down by DDoS attack
> > >
> > > Howdy,
> > >
> > > Yesterday, I watched my server being brought down by a quite light 
> > > DDoS attack.
> > >
> > > The attack went on several channels:
> > > 1) Most of the attack concentrated on port 80; I had mono and munin 
> > > installed, and it made a big difference. Cumulative http/mono/munin 
> > > load sometimes reached 8.5. I had to uninstall both mono and munin 
> > > (fortunately, I could afford to do this), and the load dropped to 
> > > 4-7;
> > > 2) Mail: SYN attack on TCP/110 - this had overloaded MailScanner;
> > > 3) most disturbing: I saw fcheck working hard. If I get 
> this right, 
> > > this means that some heavy file writing went on. I'm 
> still investigating this.
> > >
> > > The attack went from 2-3 IPs simultaneously. The server: TYAN 
> > > Transport GT20 w/ 3GB RAM, very lightly loaded, load average is 0.09. 
> > > Michael's Security Package installed (this actually helped a bit. 
> > > After blacklisting the offending IP, the load dropped to 3-4 - thanks, 
> > > Michael!)
> > >
> > >
> > > Best,
> > >
> > > Arthur
> > >
> > >
> >
> >
> >
> >
> 
>
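Hugh's quoted advice above (netstat for unusual outbound SMTP, ps -ef for a qmail install) as a small triage script. This is an added example, not code from anyone in the thread or from BlueQuartz; the netstat and ps text it operates on is constructed sample output so it runs offline. On a live box you would feed it `netstat -ntp` (or `ss -ntp`) and `ps -ef` instead. The process names it greps for (qmail-send, qmail-remote, etc.) are the standard qmail daemon names; the IPs and paths in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original thread): look for the symptom Hugh
# describes - a web host quietly pushing mail out to other servers - and
# for a qmail install that should not be there. The data below is
# CONSTRUCTED sample output; replace it with live netstat/ps output.

# Count ESTABLISHED TCP connections whose *remote* port is 25, i.e. this
# host connecting out to other mail servers. Inbound SMTP (local :25)
# and half-open SYN_SENT attempts are not counted. Input: netstat-style
# lines on stdin. Output: the count.
count_outbound_smtp() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
             n = split($5, a, ":")        # foreign address; last field is the port
             if (a[n] == "25") c++
         }
         END { print c + 0 }'
}

# List distinct remote hosts we are delivering mail to, busiest first.
outbound_smtp_peers() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
             n = split($5, a, ":")
             if (a[n] == "25") { sub(/:[0-9]+$/, "", $5); print $5 }
         }' | sort | uniq -c | sort -rn
}

# Print any qmail daemons present in ps -ef output read from stdin.
# `|| true` keeps a no-match (grep exit 1) from aborting under set -e.
find_qmail_procs() {
    grep -E 'qmail-(send|rspawn|remote|clean|lspawn)' || true
}

# ---- constructed sample data (not a real capture) ----------------------
# Inbound web and mail look normal; the qmail-remote sessions to :25 on
# remote hosts are the red flag on a box whose MTA is sendmail.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED 2201/httpd
tcp        0      0 192.0.2.10:25           198.51.100.9:40210      ESTABLISHED 1100/sendmail
tcp        0      0 192.0.2.10:35012        203.0.113.20:25         ESTABLISHED 4410/qmail-remote
tcp        0      0 192.0.2.10:35013        203.0.113.21:25         ESTABLISHED 4411/qmail-remote
tcp        0      0 192.0.2.10:35014        203.0.113.20:25         ESTABLISHED 4412/qmail-remote
tcp        0      0 192.0.2.10:35015        203.0.113.22:25         SYN_SENT    4413/qmail-remote'

SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jun14 ?        00:00:01 init
apache    2201  2190  0 Jun14 ?        00:00:03 /usr/sbin/httpd
apache    4400     1  0 09:12 ?        00:01:10 /var/tmp/.x/qmail-send
apache    4410  4400  0 09:12 ?        00:00:00 qmail-remote 203.0.113.20 spam@example.net'

# Run the checks over the sample and print a short report.
report() {
    n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_outbound_smtp)
    echo "established outbound SMTP connections: $n"
    if [ "$n" -gt 0 ]; then
        echo "remote mail servers being contacted:"
        printf '%s\n' "$SAMPLE_NETSTAT" | outbound_smtp_peers
    fi
    echo "qmail processes:"
    printf '%s\n' "$SAMPLE_PS" | find_qmail_procs
}

report
```

A qmail binary running as the web server user out of /var/tmp, as in the constructed sample, is the combination worth chasing: the web user has no business running an MTA, and the outbound :25 sessions tell you it is actually delivering.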