When I log on to the server through ssh, there are frequent delays. When I log on to the firewall, I find that the firewall's external network port has reached 800 M/s. After checking, I find that the traffic on one server is very high. The traffic surge has serious consequences: because too many network resources are consumed, access to the website homepage and the applications on it is very slow, and remote sessions to the server are frequently dropped. It must be handled immediately.
Log on to the server when the traffic is low (when the traffic is high, ssh cannot get in) and capture packets:
1. cat /proc/net/bonding/bond0 first, to see which NIC is active, because the server has eth0 and eth1 bonded.
2. /usr/sbin/tcpdump -i eth0 -s 0 -w package.cap to capture packets, if eth0 is the active NIC.
By analyzing the captured packets, we found that the server was continuously sending a large number of UDP packets from port 7000 to a public IP address: our server had become a DoS attack "zombie", which not only almost paralyzes our own network but also attacks others.
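The analysis step above (finding the one flow that dominates the capture) can be done directly on tcpdump's decoded output. The following is an added example, not the author's script: it assumes the text format of `tcpdump -nn -r package.cap`, the sample lines are constructed, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not the author's script): summarise a decoded capture to
# spot the flow the page describes (one local source port flooding one
# public address). Assumes the line format of `tcpdump -nn -r package.cap`.
# The input below is constructed; 203.0.113.0/24 is a documentation range.

SAMPLE_TCPDUMP='12:00:01.000001 IP 10.0.0.5.7000 > 203.0.113.9.80: UDP, length 1024
12:00:01.000002 IP 10.0.0.5.7000 > 203.0.113.9.80: UDP, length 1024
12:00:01.000003 IP 10.0.0.5.51822 > 10.0.0.2.53: 12345+ A? example.com. (29)
12:00:01.000004 IP 10.0.0.5.7000 > 203.0.113.9.80: UDP, length 1024
12:00:01.000005 IP 10.0.0.7.44321 > 10.0.0.5.22: Flags [P.], seq 1:21, ack 1, win 501, length 20
12:00:01.000006 IP 10.0.0.5.7000 > 203.0.113.10.80: UDP, length 1024
12:00:01.000007 IP 10.0.0.5.7000 > 203.0.113.9.80: UDP, length 1024
12:00:01.000008 IP 10.0.0.5.7000 > 203.0.113.9.80: UDP, length 1024'

# Aggregate the lines tcpdump prints as plain "UDP, length N" into
# "packets bytes src > dst", busiest flow first. tcpdump decodes DNS, NTP
# and similar protocols itself, so those lines are deliberately not counted.
flow_summary() {
  printf '%s\n' "$1" | awk '$2 == "IP" && $6 ~ /^UDP/ {
      sub(/:$/, "", $5)
      key = $3 " > " $5
      pkts[key]++
      bytes[key] += $NF
    }
    END { for (k in pkts) print pkts[k], bytes[k], k }' | sort -rn
}

# The single busiest UDP flow, i.e. the flood candidate.
top_flow() {
  flow_summary "$1" | head -n 1
}

# Share of all counted UDP packets carried by the top flow, in whole percent.
top_flow_share() {
  flow_summary "$1" | awk 'NR == 1 { top = $1 } { total += $1 }
                           END { printf "%d\n", 100 * top / total }'
}

# Usage with the constructed sample. On the real capture:
#   flow_summary "$(tcpdump -nn -r package.cap)"
flow_summary "$SAMPLE_TCPDUMP"
echo "top flow carries $(top_flow_share "$SAMPLE_TCPDUMP")% of counted UDP packets"
```

A flow from a single fixed local source port to a single public address that carries almost all of the UDP volume is the signature the page describes; a legitimate service would show many peers and varying source ports.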
The temporary countermeasure is to use iptables to stop the server from sending UDP packets. Then find the affected application and the vulnerability, and remove the trojan file.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -P OUTPUT DROP
This rule set blocks all outbound UDP except port 53, which DNS needs. An earlier version of the rule blocked only port 7000, and it was then found that the attack had switched to another port.
Step 2: check the application and the server for vulnerabilities.
Analyze which UDP ports are newly opened locally while the server traffic is high:
netstat -lpnut | grep udp
Port 1833 is found; find the related process based on port 1833:
ps -ef | grep 1833
The process found is named freebsd.
Then find the application's location based on the process:
lsof | grep -i freebsd
The directory found is that of a normal application running under tomcat.
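The triage in Step 2 (new UDP listeners during the spike, then the owning process and its binary) can be made repeatable by comparing a quiet-time snapshot with a busy-time snapshot. The following is an added example, not the author's script: it assumes Linux with net-tools netstat and a /proc filesystem, and both snapshots embedded in it are constructed sample text.

```shell
#!/bin/sh
# Added example (not the author's script): compare the UDP listeners seen
# during the traffic spike with a baseline taken when traffic was normal,
# then map each new port to its PID. Assumes Linux with net-tools netstat
# and /proc. Both snapshots below are constructed sample text.

# Constructed `netstat -lpnut` output captured during the spike.
SAMPLE_SPIKE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           812/named
udp        0      0 0.0.0.0:1833            0.0.0.0:*                           2345/freebsd
udp6       0      0 :::1833                 :::*                                2345/freebsd'

# Constructed `netstat -lpnut` output captured earlier, when traffic was normal.
SAMPLE_BASELINE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           812/named'

# Read netstat -lpnut text on stdin; print "port pid program" per UDP socket.
# UDP rows carry no State column, so PID/Program is always the last field.
udp_listeners() {
  awk '$1 ~ /^udp/ {
    n = split($4, addr, ":"); port = addr[n]
    split($NF, prog, "/")
    print port, prog[1], prog[2]
  }' | sort -u
}

# Ports listening in the spike snapshot ($2) but absent from the baseline ($1).
new_udp_ports() {
  {
    printf '%s\n' "$1" | udp_listeners | awk '{ print "B", $1 }'
    printf '%s\n' "$2" | udp_listeners | awk '{ print "S", $1 }'
  } | awk '$1 == "B" { seen[$2] = 1; next } !seen[$2] { print $2 }' | sort -u
}

# PID owning UDP port $1 in snapshot $2, read from netstat's own PID column,
# which is more reliable than grepping ps for a bare port number.
pid_for_udp_port() {
  printf '%s\n' "$2" | udp_listeners | awk -v p="$1" '$1 == p { print $2; exit }'
}

# On the live host: resolve the real binary behind a PID even when the
# process name is disguised (e.g. "freebsd"); /proc/PID/exe survives renames.
exe_for_pid() {
  readlink "/proc/$1/exe"
}

# Usage against the constructed snapshots. On a real host replace the two
# samples with "$(netstat -lpnut)" captured at a quiet and at a busy time.
for port in $(new_udp_ports "$SAMPLE_BASELINE" "$SAMPLE_SPIKE"); do
  pid=$(pid_for_udp_port "$port" "$SAMPLE_SPIKE")
  echo "new UDP listener during spike: port $port, pid $pid"
  # exe_for_pid "$pid"   # uncomment on the live host
done
```

Taking the PID from netstat and resolving /proc/PID/exe avoids two weak points of the manual steps: `ps -ef | grep 1833` also matches unrelated lines containing that number, and `lsof | grep -i freebsd` finds the process by a name the trojan chose for itself.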