How to track down a "broiler" (zombie host) on a CentOS server
SSH sessions to the server kept dropping. Checking the firewall showed that outbound traffic on the external interface had reached 800M/s and, on closer inspection, that a single server was generating a large flow. Traffic on this scale has serious consequences: it consumes so much network capacity that the home page and the applications behind it become very slow, and remote sessions to the server drop repeatedly. It had to be dealt with immediately.
Log on to the server in a window when the traffic allows it (while it is heavy, SSH cannot get in) and capture packets:
1. cat /proc/net/bonding/bond0 : first find out which NIC is actually active, because the server has eth0 and eth1 bonded.
2. /usr/sbin/tcpdump -i eth0 -s 0 -w package.cap : if eth0 is the active card, capture on it.
Analysing the capture showed the server itself sending a continuous, very large volume of UDP packets to a single public IP address on port 7000: our server had become a "broiler" in a DoS attack, nearly paralysing its own network and attacking somebody else at the same time.
A temporary countermeasure is to use iptables to stop the server sending UDP packets out. Then look through the applications for the vulnerability and remove the Trojan file.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -P OUTPUT DROP
These rules block all outgoing UDP except DNS on port 53. Blocking only destination port 7000 was tried first, but the attack then switched to another port.
The second step is to check the applications and the server for the vulnerability.
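The same OUTPUT policy as a small script is added here as an example; it is not the post's own command list. It keeps the post's order of operations (accept replies first, set the DROP policy last, so the SSH session survives the change), adds each rule only if an identical one is not already present, and inserts a rate-limited LOG rule before the drop so every blocked UDP datagram is recorded in the kernel log together with its source port, which is the value the process hunt in step 2 starts from. Without APPLY=1 it only prints the commands it would run; the log prefix UDP-EGRESS-DROP: is an assumption, not something from the post.

```shell
# Added example, not the post's own commands. Run as root with APPLY=1 to change the
# firewall; otherwise it only prints the iptables commands it would execute.

# Rules in the order they must be applied. Replies to existing connections are accepted
# first so the current SSH session survives; the DROP policy is set last, after every
# ACCEPT exists. The LOG rule records blocked UDP (rate-limited) with its source port.
egress_rules() {
    cat <<'EOF'
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m limit --limit 10/min -j LOG --log-prefix UDP-EGRESS-DROP:
EOF
}

# Full command list for review: appended rules first, policy change last.
egress_commands() {
    egress_rules | sed 's/^/iptables /'
    echo 'iptables -P OUTPUT DROP'
}

# Add each rule only if an identical one is not already present (iptables -C returns 0
# when the rule exists), then set the default policy.
apply_egress_policy() {
    if [ "${APPLY:-0}" != 1 ]; then
        egress_commands
        return 0
    fi
    egress_rules | while IFS= read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/^-A /-C /')
        # Word splitting of $rule and $check is intentional: each is one argument list.
        iptables $check 2>/dev/null || iptables $rule
    done
    iptables -P OUTPUT DROP
}
```

Once the policy is in place, `dmesg` or /var/log/messages shows the UDP-EGRESS-DROP: lines with SPT= (source port) and DST=, so the port to look up with netstat is available even when the attack changes its destination port again.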
While the server's traffic is high, look at the newly opened local UDP ports:
netstat -lpnut | grep udp
This turned up port 1833; next, find the process behind port 1833:
ps -ef | grep 1833
The process turned out to be called FreeBSD.
Then locate the application's files from the process:
lsof | grep -i FreeBSD
The directory found this way belonged to a normal application running under Tomcat.
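The hunt described above, from the packet capture down to the owning process, is written out here as shell functions over text so it can be rehearsed offline. This is an added example, not the post's commands. Both inputs are constructed samples in the format of `tcpdump -nn -r package.cap udp` and `netstat -lpnut`: destination port 7000, local port 1833 and the program name FreeBSD come from the post, while the IP addresses (RFC 5737 documentation ranges) and the PIDs are made up. The function names are my own.

```shell
# Added example, not from the post. Constructed sample data follows; only ports 7000 and 1833
# and the program name FreeBSD are taken from the post.
SAMPLE_CAPTURE='12:01:00.000001 IP 192.0.2.10.1833 > 203.0.113.9.7000: UDP, length 1400
12:01:00.000120 IP 192.0.2.10.1833 > 203.0.113.9.7000: UDP, length 1400
12:01:00.000231 IP 192.0.2.10.34567 > 192.0.2.1.53: UDP, length 60
12:01:00.000345 IP 192.0.2.10.1833 > 203.0.113.9.7000: UDP, length 1400
12:01:00.000400 IP 192.0.2.1.53 > 192.0.2.10.34567: UDP, length 120
12:01:00.000512 IP 192.0.2.10.1833 > 203.0.113.9.7000: UDP, length 1400
12:01:00.000600 IP 203.0.113.9.7000 > 192.0.2.10.1833: UDP, length 1400
12:01:00.000700 IP 192.0.2.10.1833 > 203.0.113.9.7001: UDP, length 1400'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1021/sshd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1203/ntpd
udp        0      0 0.0.0.0:1833                0.0.0.0:*                               2351/FreeBSD'

# Outbound UDP sent by LOCAL_IP ($1), counted per destination "host.port", busiest first.
# Reads tcpdump text on stdin. One destination dominating this list is the flood signature.
outbound_udp_by_dest() {
    awk -v me="$1" '
        $2 == "IP" && $6 == "UDP," {
            src = $3; dst = $5; sub(/:$/, "", dst)
            n = split(src, p, "."); shost = p[1] "." p[2] "." p[3] "." p[4]
            if (n == 5 && shost == me) count[dst]++
        }
        END { for (d in count) print count[d], d }
    ' | sort -rn
}

# Local source ports LOCAL_IP ($1) used towards DEST ($2, "host.port"): the values to
# look up with netstat -lpnut.
local_ports_to_dest() {
    awk -v me="$1" -v target="$2" '
        $2 == "IP" && $6 == "UDP," {
            src = $3; dst = $5; sub(/:$/, "", dst)
            n = split(src, p, "."); shost = p[1] "." p[2] "." p[3] "." p[4]
            if (n == 5 && shost == me && dst == target) print p[5]
        }
    ' | sort -un
}

# PID and program name bound to UDP PORT ($1), from netstat -lpnut text on stdin.
# Works for IPv4 (0.0.0.0:1833) and IPv6 (:::1833) rows alike.
pid_for_udp_port() {
    awk -v port="$1" '
        $1 ~ /^udp/ {
            n = split($4, a, ":")
            if (a[n] == port) { split($NF, prog, "/"); print prog[1], prog[2] }
        }
    '
}

# On the live host only: the executable behind a PID. readlink reports the path even
# when the binary has since been deleted (with " (deleted)" appended), which is the
# same answer the post obtains from lsof.
exe_path_for_pid() {
    readlink "/proc/$1/exe"
}

# Chain the steps over the samples: top destination -> local port(s) -> owning process.
hunt() {
    me="$1"
    top=$(printf '%s\n' "$SAMPLE_CAPTURE" | outbound_udp_by_dest "$me" | head -n 1)
    dest=${top#* }
    for port in $(printf '%s\n' "$SAMPLE_CAPTURE" | local_ports_to_dest "$me" "$dest"); do
        printf '%s\n' "$SAMPLE_NETSTAT" | pid_for_udp_port "$port" | while read -r pid name; do
            echo "$dest $port $pid $name"
        done
    done
}
```

On a real host, feed `tcpdump -nn -r package.cap udp` into outbound_udp_by_dest with the server's own address, and `netstat -lpnut` into pid_for_udp_port; `hunt 192.0.2.10` over the samples prints `203.0.113.9.7000 1833 2351 FreeBSD`, i.e. the flood target, the local port and the process that owns it.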