Searching for a bot on a CentOS server

Source: Internet
Author: User
Tags centos server
When I log on to the server through ssh, there are frequent delays. When I log on to the firewall, I find that its external network port has reached 800 M/s; after checking, I find that the traffic of one server is very high. This traffic has serious consequences: because it consumes so many network resources, access to the website home page and to the applications on it is very slow, and remote access to the server is frequently dropped. It must be handled immediately.

Log on to the server when the traffic is low (when the traffic is high, ssh cannot get through) and capture packets.

1. cat /proc/net/bonding/bond0: first check which NIC is currently active, because the server has eth0 and eth1 bonded into bond0.

2. /usr/sbin/tcpdump -i eth0 -s 0 -w package.cap: if eth0 is the active NIC, capture packets on it (-s 0 keeps whole packets, -w writes the raw capture to a file for later analysis).

By analyzing the captured packets, we found that the server was continuously sending a large number of UDP packets from port 7000 to a public IP address: our server had become a DoS attack "zombie", which not only nearly paralyzes our own network but also attacks others.
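The two capture steps and the flow analysis above, as an added shell example that is not part of the original page: it reads the bonding status file to choose the capture interface (falling back to bond0 for load-balancing bonding modes, where there is no single active slave), prints the tcpdump command, and aggregates the text output of "tcpdump -n -r package.cap udp" by source port and destination host so a flood stands out even when the bot rotates destination ports. The bonding file, the capture lines, the addresses 10.0.0.5 and 203.0.113.10 and the packet-count limit are constructed assumptions; the parser handles IPv4 lines only.

```shell
#!/bin/sh
# Added example (not from the original page): choose the capture interface from
# the bonding status and summarize a UDP capture to find the flooding flow.
# Assumptions: bond0 with eth0/eth1, and the text format of "tcpdump -n -r".
# All sample files below are constructed.

# Return the slave that actually carries traffic. In active-backup mode the
# bonding driver reports it as "Currently Active Slave"; in load-balancing
# modes (balance-rr, 802.3ad, ...) every slave carries traffic and there is no
# such line, so capture on the bond device itself.
active_slave() {
    awk -F': *' '
        /^Currently Active Slave:/ { print $2; found = 1 }
        END { if (!found) print "bond0" }
    ' "$1"
}

# Build the capture command: -n (no DNS lookups, which are slow and themselves
# generate UDP), -s 0 (whole packets), -c to bound the file on a saturated link.
capture_cmd() {
    printf '/usr/sbin/tcpdump -i %s -n -s 0 -c 20000 -w package.cap\n' "$(active_slave "$1")"
}

# Aggregate "tcpdump -n -r package.cap udp" output by (source port -> destination
# host). Output lines: "<packets> <bytes> <srcport> -> <dsthost>", largest first.
# IPv4 only: tcpdump prints "IP" in field 2 and host.port in fields 3 and 5.
top_udp_flows() {
    awk '
        $2 == "IP" && $6 == "UDP," {
            n = split($3, s, ".");  sport = s[n]             # last dotted field is the port
            dst = $5; sub(/:$/, "", dst)
            split(dst, d, "."); dhost = d[1] "." d[2] "." d[3] "." d[4]
            key = sport " -> " dhost
            pkts[key]++; bytes[key] += $8
        }
        END { for (k in pkts) print pkts[k], bytes[k], k }
    ' "$1" | sort -rn
}

# --- constructed sample data (not real output from the compromised host) -----
SAMPLE_BOND=$(mktemp)
cat > "$SAMPLE_BOND" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
EOF

SAMPLE_CAP=$(mktemp)
cat > "$SAMPLE_CAP" <<'EOF'
12:00:01.000001 IP 10.0.0.5.7000 > 203.0.113.10.80: UDP, length 1400
12:00:01.000002 IP 10.0.0.5.7000 > 203.0.113.10.80: UDP, length 1400
12:00:01.000003 IP 10.0.0.5.53412 > 10.0.0.2.53: UDP, length 45
12:00:01.000004 IP 10.0.0.2.53 > 10.0.0.5.53412: UDP, length 120
12:00:01.000005 IP 10.0.0.5.7000 > 203.0.113.10.443: UDP, length 1400
12:00:01.000006 IP 10.0.0.5.7000 > 203.0.113.10.8080: UDP, length 1400
EOF

capture_cmd "$SAMPLE_BOND"      # /usr/sbin/tcpdump -i eth0 -n -s 0 -c 20000 -w package.cap
top_udp_flows "$SAMPLE_CAP"     # first line: 4 5600 7000 -> 203.0.113.10
# On the real host: tcpdump -n -r package.cap udp > udp.txt; top_udp_flows udp.txt
```

Keying on the source port rather than the destination port is deliberate: the page later notes that the attack changed ports, and a bot that keeps its bound socket but sprays destinations still shows up as a single dominant line.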

The temporary measure is to use iptables to stop the server from sending UDP packets. Then find the application, find the vulnerability, and remove the trojan file.

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp -j ACCEPT

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -P OUTPUT DROP

This rule set blocks all outbound UDP except port 53, which DNS needs, because when only port 7000 was blocked at first, the attack was found to switch to another port. Two caveats: all outbound TCP is still allowed, so a bot that switches protocol gets through, and the ESTABLISHED,RELATED rule will pass a UDP flow once the target has answered it, since conntrack then treats that flow as established. This is a stopgap while the trojan is located, not a fix.
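The same lockdown, as an added example (not the page's own rules), extended with a loopback ACCEPT and a rate-limited LOG rule placed just before the DROP policy so that the ports the bot tries next appear in the kernel log instead of disappearing silently. The wrapper applies the rules only when called with --apply and otherwise prints them; the iptables path, the limit values and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not the original page's rules: emergency lockdown of outbound
# UDP with logging of what gets dropped. Assumes iptables with the state and
# limit match modules (stock CentOS 6/7) and root for --apply.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumed path; override via environment

# Rules in the order they must be applied: every ACCEPT is in place before the
# default policy flips to DROP, and the LOG rule sits last so it only sees
# packets about to be dropped (rate-limited so a flood cannot fill the log).
udp_lockdown_rules() {
    cat <<'EOF'
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix UDP-OUT-DROP:
-P OUTPUT DROP
EOF
}

# Apply the rules one by one; stop at the first failure so the policy is never
# flipped to DROP with an incomplete ACCEPT list (that would cut your own ssh).
apply_udp_lockdown() {
    udp_lockdown_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        "$IPTABLES" $rule || { echo "failed: $IPTABLES $rule" >&2; exit 1; }
    done
}

# Back out: open the policy first, then flush only the OUTPUT chain.
undo_udp_lockdown() {
    "$IPTABLES" -P OUTPUT ACCEPT && "$IPTABLES" -F OUTPUT
}

case "${1:-}" in
    --apply) apply_udp_lockdown ;;
    --undo)  undo_udp_lockdown ;;
    *)       udp_lockdown_rules | sed "s|^|$IPTABLES |" ;;   # default: dry run
esac
```

After applying, "grep UDP-OUT-DROP /var/log/messages" shows the destination ports and addresses the bot is still trying, which is the evidence that the original port-7000-only rule was missing.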

Step 2: Check the application and the server for vulnerabilities.

Analyze which UDP ports are open locally when the server traffic is high:

netstat -lpnut | grep udp

Port 1833 is found; next, find the related process based on port 1833.

ps -ef | grep 1833

The process obtained is freebsd.

Then find the corresponding application location based on the process.

lsof | grep -i freebsd

The directory found this time belongs to a normal application running under Tomcat.
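The port-to-process-to-file chain above, as an added shell example that is not part of the original page. It reads the PID straight out of the socket listing (the netstat -p column or the users:() field of ss -lunp) instead of grepping ps output for the port number, which matches that number anywhere on the line, and then reads the kernel-maintained /proc/<pid>/exe and cwd links, which a process cannot fake by renaming itself. The ss and netstat listings, PID 4321 and the process name "freebsd" are constructed to mirror the page's finding; a Linux /proc is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): map a listening UDP port to its
# process and then to the binary on disk. Assumes the output formats of
# "ss -lunp" (iproute2) and "netstat -lpnut" (net-tools) and a Linux /proc.
# Sample listings below are constructed; PID 4321 and "freebsd" are made up.

# Print the PID owning the UDP socket bound to port $1, read from the listing
# in file $2. Handles the ss form users:(("name",pid=N,fd=F)) and the netstat
# form N/name. The port must be preceded by ':' or '*' and followed by
# whitespace, so port 833 does not match ":1833".
pid_for_udp_port() {
    awk -v port="$1" '
        $0 ~ ("[:*]" port "[[:space:]]") {
            if (match($0, /pid=[0-9]+/)) { print substr($0, RSTART + 4, RLENGTH - 4); exit }
            if (match($NF, /^[0-9]+\//)) { print substr($NF, 1, RLENGTH - 1); exit }
        }' "$2"
}

# Show what is really behind a PID. /proc/<pid>/exe and cwd are kernel links;
# an exe target ending in "(deleted)" means the binary was unlinked after
# start, a common trick to hide a trojan from lsof-style directory searches.
inspect_pid() {
    pid=$1
    printf 'pid %s\n  exe: %s\n  cwd: %s\n  cmd: ' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    awk '/^PPid:/ { print "  ppid: " $2 }' "/proc/$pid/status"   # who started it
}

# --- constructed sample: what "ss -lunp" could show on the compromised host --
SAMPLE_SS=$(mktemp)
cat > "$SAMPLE_SS" <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      127.0.0.1:323        0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
UNCONN 0      0      0.0.0.0:1833         0.0.0.0:*         users:(("freebsd",pid=4321,fd=7))
UNCONN 0      0      0.0.0.0:68           0.0.0.0:*         users:(("dhclient",pid=900,fd=6))
EOF

# The same information in "netstat -lpnut" form, also constructed.
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:1833            0.0.0.0:*                           4321/freebsd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           812/chronyd
EOF

pid_for_udp_port 1833 "$SAMPLE_SS"        # 4321
pid_for_udp_port 1833 "$SAMPLE_NETSTAT"   # 4321

# On the real host: ss -lunp > listing.txt; inspect_pid "$(pid_for_udp_port 1833 listing.txt)"
# Here the shell's own PID stands in so the block runs anywhere that has /proc.
if [ -d "/proc/$$" ]; then inspect_pid "$$"; fi
```

Once the PID is known, "lsof -p <pid>" lists every file and socket it holds, which is a tighter search than "lsof | grep -i freebsd" and also works when the trojan has been renamed to something innocuous.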

