Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
You are also right about fuser - it should be fuser 80/udp (edited and corrected).
I think I got something more now.
It was very difficult to log in to the system with SSH as the traffic was really huge.
I have stopped NTP server as I noticed this in syslog and it helped immediately:
Code:
cat /var/log/syslog
Feb 3 00:07:55 mybox last message repeated 2 times
Feb 3 00:08:15 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 79.133.192.40
Feb 3 00:08:38 mybox last message repeated 79 times
Feb 3 00:09:33 mybox last message repeated 117 times
Feb 3 00:10:26 mybox last message repeated 115 times
Feb 3 00:11:23 mybox last message repeated 178 times
Feb 3 00:12:21 mybox last message repeated 92 times
Feb 3 00:13:31 mybox last message repeated 98 times
Feb 3 00:31:34 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 84.201.34.76
Feb 3 00:31:59 mybox last message repeated 21 times
Feb 3 08:10:15 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 103.25.202.54
Feb 3 08:11:09 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 103.25.202.54
Feb 3 08:12:09 mybox last message repeated 4 times
Feb 3 08:13:05 mybox last message repeated 3 times
Feb 3 08:15:29 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 103.25.202.54
Feb 3 08:17:32 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 103.25.202.54
Feb 3 08:27:15 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 103.25.202.54
Feb 3 08:30:57 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 103.25.202.54
Feb 3 08:31:41 mybox last message repeated 2 times
Feb 3 16:50:34 mybox ntpd[2553]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 85.25.119.13
I think I also read the screen output from iptraf incorrectly. If I look now at tcpdump I see this.
It looks like someone/something floods me with UDP traffic coming from foreign addresses, from port 80 to my local port 123.
Code:
# tcpdump -i eth0 -s0 -n -nn -N -p -tttt port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2014-02-03 23:39:36.493346 IP 174.58.132.224.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:36.556847 IP 1.2.219.171.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:36.669153 IP 99.225.21.112.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:36.791598 IP 187.2.231.194.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:37.034541 IP 174.58.132.224.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:37.058172 IP 139.146.146.225.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:37.085260 IP 31.170.160.173.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:37.440323 IP 177.84.148.135.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:37.477727 IP 177.84.148.135.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:37.539066 IP 177.84.148.135.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:39:37.623584 IP 139.146.146.225.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
...
Code:
# tcpdump -i eth0 -s0 -n -nn -N -p -tttt port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2014-02-03 23:58:44.958644 IP 31.186.242.82.5147 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.108765 IP 91.121.17.31.2302 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.134872 IP 31.170.160.173.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.137333 IP 80.86.90.242.28315 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.199409 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.200647 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.241549 IP 68.117.43.29.3074 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.243765 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.248684 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.253617 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.324314 IP 68.117.43.29.3074 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.375055 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.400468 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
...
NOTE: this is happening on 2 different nodes in 2 different locations. The nodes are completely unrelated to each other. Odd.
NTPd is stopped fully: /etc/rc.d/rc.ntpd stop. Additionally, I have blocked port 123 in my iptables.
Why do you want me to block port 139? There is no smbd/nmbd on my box.
I might have a bad understanding of iptraf output but it seems that there is a lot of traffic:
coming in to port 123
coming out from port 80
I have blocked both ports INPUT and OUTPUT with iptables and see no changes :/
If you see no changes, unblock all the port ranges 120 upwards...
read lpms from /dev/eth0, if none - set lpms to null in /etc/conf.d
then restart your system.
Should be fine.
I mistyped: I meant udp/123 (the listening NTP port), but if that's disabled then you only need to monitor further to determine if the activity has in fact subsided. Sorry about that.
Well... the activity has stopped in the sense that the eth0/internet link is not overloaded anymore.
I turned off NTP which was compromised and blocked ports.
netstat shows no unwanted connections - that's good.
However, iptraf and tcpdump show a lot of traffic coming in to port 123 and going out from port 80, even though I blocked these ports (incoming and outgoing).
That is something I don't understand.
Do verify, but it is unlikely your NTP daemon was compromised. Instead it was run without restrictions (for your LAN that's OK, but you shouldn't run a public NTP service in the first place) and was an old version to boot, which allowed a CVE-2013-5211-style DoS attack to happen. Perps spoof the source address and ports, so they're actually victims.
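Added example, not posted by anyone in this thread: a small Python detector that parses tcpdump lines in the format captured above and flags the reflection pattern the reply describes, namely tiny NTP mode 7 requests (which tcpdump labels "NTPv2, Reserved, length 8") hitting udp/123 from many distinct sources, using service source ports such as 80 that a genuine NTP client would never use. The sample lines are copied from the captures above plus one constructed legitimate NTPv4 client packet (from 10.0.0.5) for contrast; the `min_sources` threshold is an assumption.

```python
import re
from collections import Counter

# Sample input: lines copied from the tcpdump captures in this thread, plus one
# constructed legitimate NTPv4 client request (from 10.0.0.5) for contrast.
SAMPLE = """\
2014-02-03 23:58:44.958644 IP 31.186.242.82.5147 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.108765 IP 91.121.17.31.2302 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.134872 IP 31.170.160.173.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.199409 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.200647 IP 67.176.204.78.80 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.241549 IP 68.117.43.29.3074 > 83.19.119.231.123: NTPv2, Reserved, length 8
2014-02-03 23:58:45.300000 IP 10.0.0.5.123 > 83.19.119.231.123: NTPv4, Client, length 48
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>\w+), length (?P<len>\d+)$"
)

# Parse one tcpdump NTP line into a dict; returns None for any other line.
def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "ver", "len"):
        pkt[key] = int(pkt[key])
    return pkt

def is_mode7_probe(pkt):
    # tcpdump prints NTP mode 7 (the private/monlist family) as "Reserved"; the
    # 8-byte requests flooding udp/123 in the thread have exactly this shape.
    return pkt["dport"] == 123 and pkt["mode"] == "Reserved" and pkt["len"] == 8

def analyse(text, min_sources=3):
    pkts = [p for p in map(parse, text.splitlines()) if p]
    probes = [p for p in pkts if is_mode7_probe(p)]
    sources = Counter(p["src"] for p in probes)
    # A real NTP client sends from 123 or an ephemeral port. Source ports below
    # 1024 (80 here) mean the address is spoofed: the "sender" is the victim.
    privileged = sum(1 for p in probes if p["sport"] < 1024)
    return {
        "packets": len(pkts),
        "mode7_probes": len(probes),
        "distinct_sources": len(sources),
        "privileged_sport": privileged,
        "top_sources": sources.most_common(3),
        "reflection_suspected": bool(probes) and len(sources) >= min_sources,
    }
```

Feed it the output of `tcpdump -n -tttt port 123` (as run above) to get a per-source tally; a high `privileged_sport` count alongside many distinct sources is the signature of your server being used as a reflector rather than being the target.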