Having bandwidth stolen by Chinese IP's, how do I combat it?
Hello everyone! First post and sadly it's not under good pretenses. My Linux server has been under attack off and on the last few days by a series of Chinese IP addresses. I'm not entirely sure what they are doing or how they are doing it.
My host believed it was a possible error in my DNS settings; currently there is no DNS information included in my resolv.conf (I took it out just to test this). My SSH password is secure, but fail2ban has stopped trying to ban them. I'm unsure what logs to provide or what to look at.
I'm pretty stumped here and would appreciate the help! I am running Ubuntu 12.04.
At this point, unless someone has a less drastic move, I might suggest taking it offline. A new clean install (or maybe current lts) and put online long enough to add in patches and then add back apps and data. It could be that there is issue with your data in the form of a rootkit or even some virus. The entire web is under attack. Not sure there is a known way to stop all of it.
If there was a rootkit involved, would it be possible to find and destroy it?
I have not found it productive to fight a rootkit. There are too many variations that are entirely too good at finding ways to hide. I have recovered by replacing with a new build or by installing clean and restoring from backup. ( I HOPE you have several generations of backup! )
On my home network I have long offered a honeypot or two that 'appear' vulnerable. After a number of break-in attempts they send the detected characteristics to my firewall and the criminals get blocked at the gate. I build the honeypots as virtuals and reload them periodically from read-only images, so that if a break-in is successful (unlikely, but I am not perfect, so possible) the impact is strictly limited. So far, this has protected my 'real' servers nicely.
Well sure enough, I did some digging and hey! Rootkit found.
Now that I know that it was that I'm not worried, I can just backup what I need, clean it and start over.
I was worried that I was doing something wrong as far as blocking the incoming stuff went, I'm still somewhat new to all of this and I was really upset at myself for missing some huge obvious thing.
I know how the kit got in there, quick stupidity on my part, but nothing that I know not to make happen again. Thanks for the quick help guys, I really appreciate it!
Quote:
Originally Posted by rowedahelicon
Well sure enough, I did some digging and hey! Rootkit found.
Which one was it? Or, if you don't know exactly, which files got modified?
Quote:
Originally Posted by rowedahelicon
Now that I know that it was that I'm not worried, I can just backup what I need, clean it and start over.
Kind of depends on what was installed and how long it was there in the first place. If root owned files got changed then you'll have to inform users, change all credentials and about the only things you can safely copy are those whose contents you can read and verify.
Quote:
Originally Posted by rowedahelicon
I know how the kit got in there, quick stupidity on my part, but nothing that I know not to make happen again.
For some, reading their distribution's installation and security documentation, properly hardening and regularly auditing the machine, following best practices and using common sense goes a long way; for others it's back to the School of Hard Knocks until they (eventually) graduate ;-p
Using two different rootkit checkers, I found warnings on both, and logs pointed at /usr/bin/bsd-port/getty being a hidden process. And while I'm very good with my security for the most part, I let it on with a bad root password; we had it set to something simple just for an hour or to do a test on something. That's why I'm not even mad. Very horrible mistake, but if anything, given how recent this rootkit is, use it as a good example of how quickly things can go south.
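The "hidden process" warning the rootkit checkers raised above is based on a simple cross-check, shown here as an added example (it is not code from this thread or from the checkers the poster used). The kernel answers `kill(pid, 0)` for every live process, whether or not that process appears in a directory listing of `/proc`; a rootkit that hooks readdir to hide itself usually leaves the signal path alone. The script probes every PID up to the kernel's `pid_max`, then reports PIDs that are alive but absent from the listing, filtering out ordinary threads (which also answer the probe but are never listed) and the normal start/exit races. The function names and the `max_pid_probe` parameter are this example's own.

```python
"""Cross-check the /proc directory listing against a kill(pid, 0) probe to find
processes the kernel knows about but readdir on /proc does not show.
Added example for this thread; assumes a Linux host with /proc mounted."""

import os

PROC_AVAILABLE = os.path.isdir("/proc")


def current_pid():
    return os.getpid()


def listed_pids():
    """PIDs visible through a plain directory listing of /proc."""
    if not PROC_AVAILABLE:
        return set()
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_alive(pid):
    """True if the kernel has a process or thread with this id.
    Signal 0 delivers nothing; EPERM still proves the id exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def thread_group_leader(pid):
    """Tgid from /proc/<pid>/status, or None if the entry is unreadable.
    A direct lookup of /proc/<tid> works even though readdir never lists threads,
    so this separates a thread from a process hidden from the listing."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def max_pid():
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return 32768  # historical default when the sysctl is unavailable


def find_hidden_pids(max_pid_probe=None):
    """Return [(pid, reason)] for PIDs that answer the probe but are missing
    from the /proc listing, excluding threads and start/exit races."""
    if not PROC_AVAILABLE:
        return []
    limit = max_pid_probe or max_pid()
    snapshot = listed_pids()
    hidden = []
    for pid in range(1, limit + 1):
        if pid in snapshot or not pid_alive(pid):
            continue
        tgid = thread_group_leader(pid)
        if tgid is not None and tgid != pid:
            continue  # an ordinary thread; unlisted by design
        if pid in listed_pids():
            continue  # started after the snapshot, not hidden
        if not pid_alive(pid):
            continue  # exited while we looked; a race, not hiding
        if tgid is None:
            reason = "answers kill(pid, 0) but has no /proc/<pid> entry"
        else:
            reason = "has /proc/<pid> but is omitted from the /proc listing"
        hidden.append((pid, reason))
    return hidden


if __name__ == "__main__":
    for pid, reason in find_hidden_pids():
        print(f"suspicious pid {pid}: {reason}")
```

Run it as root so that `/proc/<pid>/status` is readable for every process. A `/proc` mounted with `hidepid` will make other users' processes look hidden to an unprivileged run, and a kernel rootkit that also hooks the signal path will not be caught by this check at all, which is why the thread's advice to rebuild rather than clean still stands.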
I don't need a name either, just a list of file names (or better: contact me and discuss dropping off copies).
Quote:
Originally Posted by rowedahelicon
And while I'm very good with my security for the most part, I let it on with a bad root password,
After the fact but you should know that best practices tell you that a) you don't allow root to ever login over a network, and b) you don't need to use weak passwords to be able to test something.
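The two points above, no root login over the network and no reliance on passwords for a test, are both sshd_config settings. Added here as an example that is not part of the thread or of any distribution's tooling: a small auditor that parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, keywords are case-insensitive, `Match` blocks are conditional and skipped) and reports the weak settings next to a constructed hardened configuration. The sample configs, the `MaxAuthTries` threshold of 3 and the function names are this example's own choices.

```python
"""Flag sshd_config settings that allow the mistake described in the thread:
root logging in over the network with a (temporarily) weak password.
Added example; sample configs below are constructed, not taken from any host."""

import re

# Constructed: the loosened configuration the thread describes.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed: the same host with the settings the advice above implies.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value}. sshd applies the first
    occurrence of a keyword, so later duplicates are ignored; directives
    inside Match blocks apply only conditionally and are not considered."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    s = parse_sshd_config(text)
    findings = []

    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: older releases defaulted to yes")
    elif root.lower() == "yes":
        findings.append("PermitRootLogin yes: root can authenticate over the network with a password")
    elif root.lower() in ("prohibit-password", "without-password"):
        findings.append("PermitRootLogin prohibit-password: root still reachable by key; prefer no plus sudo")

    # sshd's own default for PasswordAuthentication is yes, so absence counts.
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: a weak or temporary password can be brute-forced; use keys")

    # Threshold of 3 is this example's choice; sshd's default is 6.
    try:
        if int(s.get("maxauthtries", "6")) > 3:
            findings.append("MaxAuthTries above 3: more guesses per connection than needed")
    except ValueError:
        findings.append("MaxAuthTries is not an integer")

    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is reachable over SSH")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "no findings")
```

To check a live host, read `/etc/ssh/sshd_config` into `audit_sshd_config` and restart sshd after changing it; keep an existing session open while testing the new settings so a typo cannot lock you out.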