High Utilization DDOS attack, how to remove processes



crobison
21-May-2015, 15:33
We started having high utilization on the server and the network, to the point that everything came to a standstill. We figured out that the IP was from China and we blocked it, and the problem was resolved. But we still have processes running on the server which are related to this DDOS from China; they randomly come up with different letters, but we have not been able to determine where to remove them from... They mentioned the cron; we saw a line that runs a process every 3 minutes, we removed it, but it still comes up in crontab... any ideas?

jmozdzen
21-May-2015, 15:58
Hi crobison,


We started having high utilization on the server and the network, to the point that everything came to a standstill. We figured out that the IP was from China and we blocked it, and the problem was resolved. But we still have processes running on the server which are related to this DDOS from China; they randomly come up with different letters, but we have not been able to determine where to remove them from... They mentioned the cron; we saw a line that runs a process every 3 minutes, we removed it, but it still comes up in crontab... any ideas?

If the process is up long enough, then you may check /proc/<pidOfProcess>/fd and .../cmdline for details.

But your description makes me feel pretty uneasy - a "DDOS" comes from *many* addresses, and your description sounds like your system is compromised. I'd immediately isolate it (physically detach any network connection) before further diagnosing, and then reboot into recovery mode (start it from an external installation thumb drive / DVD) to optimally create a snapshot of the disks (copy them to an external disk, for safekeeping). Only then should you start to further assess the situation, and depending on the importance of your business and/or the server in question, you may want to get professional assistance.

Regards,
Jens
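The /proc inspection Jens suggests, plus a sweep of every location cron reads from (which is where a recurring entry like the "every 3 minutes" line would be coming back from), as an added example that is not part of the thread and is not anyone's posted code. It assumes a Linux host with procfs mounted at /proc and the standard cron file locations; the PID and the search pattern are supplied by the operator, and the sample crontab lines used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a suspicious process through /proc
# and list every cron source where a persistent entry could be re-adding it.
# Assumption: Linux with procfs at /proc and the usual cron file locations.

# Print a process's command line; argv entries in /proc/PID/cmdline are NUL-separated.
proc_cmdline() {
    pid="$1"
    [ -r "/proc/$pid/cmdline" ] || return 1
    tr '\000' ' ' < "/proc/$pid/cmdline"
    echo
}

# Show executable, working directory, parent and open fds for one PID.
# A binary that was deleted after launch shows as "/path (deleted)" in the exe
# link; socket fds are a direct sign the process is talking on the network;
# the parent PID tells you what spawned it (cron, a shell, another malware piece).
proc_details() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "== PID $pid =="
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "exe:     $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    echo "ppid:    $(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)"
    echo "open fds:"
    for fd in /proc/"$pid"/fd/*; do
        [ -e "$fd" ] || continue
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# Every file cron reads: system crontab, drop-in dir, per-user spools and the
# periodic directories. Only existing regular files are printed.
list_cron_sources() {
    for f in /etc/crontab /etc/cron.d/* \
             /var/spool/cron/* /var/spool/cron/crontabs/* \
             /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -f "$f" ] || continue
        echo "$f"
    done
}

# Print "file:line:text" for lines mentioning PATTERN in the given files.
# PATTERN is matched literally (-F), so a schedule such as '*/3' works as-is.
# Usage: cron_lines_matching PATTERN FILE...
cron_lines_matching() {
    pattern="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -n -F -- "$pattern" "$f" 2>/dev/null | sed "s|^|$f:|" || true
    done
}

# Sweep all live cron sources for PATTERN (process name, path, or schedule).
audit_cron() {
    cron_lines_matching "$1" $(list_cron_sources)
}

# Usage: sh inspect.sh PID [PATTERN]
if [ -n "$1" ]; then proc_details "$1"; fi
if [ -n "$2" ]; then audit_cron "$2"; fi
```

Run it against one of the randomly named processes while it is still alive, then feed whatever path or name shows up in cmdline/exe to audit_cron; if the entry keeps reappearing after you delete it, the ppid and the cron hits together usually point at the component that rewrites it. Do this on the isolated machine or, better, on the disk snapshot, as Jens describes.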