I had a very frustrating weekend because of the DDoS attack perpetrated by
someone trying to run "VulnScan v6 Stable By Morgan" on my BQ server. While
the attack didn't succeed in installing the exploit, my server was disabled
because MySQL got overwhelmed.
So, I took the initiative of installing SSHDFilter (thanks, Adam!) from
http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html. After a couple of
false starts I got it working OK. I checked another machine, a Cpanel box
that I maintain, and the "VulnScan v6 Stable By Morgan" exploit was running
on it. It was visible using "ps" as "v6", but it couldn't be killed. So
after reading the exploit script, the script was run and deleted, and I went
to reboot the machine.
Well, in my haste, I rebooted my BQ machine. Oh well, I thought, until it
wouldn't come back up. Or so I thought. It came back up, but I couldn't
connect. Now, this machine had been up over 4 months since its last
restart, and I don't think it had been restarted since I installed
Portsentry. Now Portsentry was locking me, and everyone else, out.
When I installed Portsentry, I figured I was sick of all the garbage in my
log files, so I selected the "anal" setting. That setting includes ports 80
and 110, HTTP and POP respectively. I have to imagine that when I first
started Portsentry after installing it, it didn't bind to those ports, since
there were active sessions on those ports at that time. And so for four
months I experienced no problems. Reboot, and I am in exile.
My question: if using Portsentry in "anal" mode, which includes ports 80 and
110, would accessing the web server or email cause it to detect an attack
and block my IP address? I have deleted those two ports since discovering
this, but I want to understand what really happened.
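To make the failure mode above concrete, here is an added shell check (written for this reply, not part of the original post and not Portsentry's own code). Portsentry's classic TCP mode binds every port in its TCP_PORTS list itself; a port already held by a real daemon cannot be bound and is skipped, which is why nothing happened for four months. After a reboot Portsentry can start before httpd or the POP daemon, win ports 80 and 110, and from then on every legitimate client of those services looks like a scanner and gets blocked. The script compares a TCP_PORTS line against the ports that actually have listeners and rebuilds the line without the overlaps. The TCP_PORTS line and the netstat output in it are constructed samples (the "anal" list varies by Portsentry version, so check your own file), and the config paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Portsentry itself.
# Finds ports that Portsentry would try to bind but that a real service
# already serves, and emits a TCP_PORTS line with those ports removed.

# Constructed sample: an "anal"-style TCP_PORTS line from portsentry.conf
# (assumption: your file may list a different set).
SAMPLE_TCP_PORTS='TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"'

# Constructed sample of `netstat -tln` on a box running sshd, httpd,
# a POP3 daemon and MySQL.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# Print the ports from a TCP_PORTS="..." line, one per line.
sentry_ports() {
    printf '%s\n' "$1" | sed -n 's/^TCP_PORTS="\([0-9,]*\)".*/\1/p' | tr ',' '\n'
}

# Print the local ports with a TCP listener, one per line, from
# `netstat -tln` output (handles both tcp and tcp6 rows; the port is the
# last colon-separated field of the local address).
listening_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Print ports present in both lists: these are the ones Portsentry will
# grab on a reboot if it starts before the real daemon.
conflicting_ports() {
    listening=$(listening_ports "$2")
    for p in $(sentry_ports "$1"); do
        for l in $listening; do
            if [ "$p" = "$l" ]; then echo "$p"; fi
        done
    done | sort -un
}

# Rebuild the TCP_PORTS line with the conflicting ports dropped.
stripped_tcp_ports() {
    conflicts=$(conflicting_ports "$1" "$2")
    kept=$(sentry_ports "$1" | while read -r p; do
        drop=0
        for c in $conflicts; do
            if [ "$p" = "$c" ]; then drop=1; fi
        done
        if [ "$drop" = 0 ]; then echo "$p"; fi
    done | tr '\n' ',' | sed 's/,$//')
    printf 'TCP_PORTS="%s"\n' "$kept"
}

# Demonstration on the constructed samples.
echo "Ports listed in TCP_PORTS that already have a listener:"
conflicting_ports "$SAMPLE_TCP_PORTS" "$SAMPLE_NETSTAT"
echo "Suggested replacement line:"
stripped_tcp_ports "$SAMPLE_TCP_PORTS" "$SAMPLE_NETSTAT"
```

On a live box, feed it the real line and the real listener table, e.g. conflicting_ports "$(grep '^TCP_PORTS=' /etc/portsentry/portsentry.conf)" "$(netstat -tln)" (the path is an assumption; a source install puts the file under /usr/local/psionic/portsentry/ instead). Two caveats worth knowing: removing the ports only prevents new blocks, it does not undo entries Portsentry has already written to /etc/hosts.deny (KILL_HOSTS_DENY) or added to the routing table (KILL_ROUTE), so those need cleaning up by hand; and any port you leave in the list should be one nothing on the box will ever legitimately listen on.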