amuck-landowner

Random process name sending DDoS

Flapadar

Member
Verified Provider
XOR.DDoS is a nasty one. We've got bruteforce protection in place and filter outbound attacks.


The "Tsunami" attack in particular managed to avoid our existing filters the first time we saw it. Easily enough blocked, but by that point there had been a 900mbps attack for about half an hour. Horrid stuff.
 

ChrisB

New Member
Because OP's VPS is OpenVZ. It's XOR.DDOS.


The way the system works is pretty crazy:

- Infect server
- Call home reporting kernel version
- If C&C has the sources to that kernel, send down a pre-compiled kernel module
  - If it doesn't, try to pull the sources from somewhere (be it yum/apt-get, or even from /usr/src)
- Download a unique compiled binary for that infected server to get past basic hash signatures
- Pound Tsunami SYN floods right away


While Aldryic wrote a pretty sweet system to handle brute forces over all of our locations, there's still people that use really bad passwords or they get exploited through websites.


At this point I've written some iptables rules to handle the outbound flood so it doesn't cause issues for other people on the node.


Francisco
Yeah, I've been seeing a lot of these, and we confirmed today, just by going through a few of them, that they'll hammer servers non-stop until they bruteforce the password and get in. As soon as it gets in, all incorrect root login attempts basically stop.

Something worth noting is it seems to favour IPs it has successfully bruteforced in the past. It's a pretty intelligent system.
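One way to spot the pattern Francisco describes in sshd logs, a burst of failed root logins from one host that suddenly turns into an accepted login. This is an added example, not code from the thread; the log lines are constructed and the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the thread): a bruteforce
# burst against root from one host that ends in a successful login, plus noise.
SAMPLE_LOG = """\
Mar  3 10:01:02 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:01:03 vps sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:04 vps sshd[2103]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:01:05 vps sshd[2104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:01:06 vps sshd[2105]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:01:07 vps sshd[2106]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:02:00 vps sshd[2110]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:03:00 vps sshd[2111]: Accepted publickey for deploy from 192.0.2.5 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and "Accepted publickey for ... from ...",
# including the "invalid user" variant sshd logs for unknown accounts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_bruteforce_logins(log_text, min_failures=5):
    """Return {ip: failures_before_success} for hosts that failed at least
    min_failures times against an account and then authenticated to it.
    The threshold of 5 is an assumed default, not something from the thread."""
    failures = defaultdict(int)   # (ip, user) -> failed attempts seen so far
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= min_failures:
            # Success right after a burst of failures: the sequence Francisco
            # describes, where the failed attempts stop once the bot is in.
            hits[m["ip"]] = failures[key]
    return hits

if __name__ == "__main__":
    for ip, n in find_bruteforce_logins(SAMPLE_LOG).items():
        print(f"{ip}: root login accepted after {n} failures, treat host as compromised")
```

Run it against /var/log/auth.log (or journalctl -u ssh output) to get a list of source hosts whose guessing ended in a successful login; any such VPS should be treated as owned rather than merely attacked.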
 

Munzy

Active Member
As @Munzy says. There are a lot of outdated images flying around.

And autostarting vps won't help either.

5 out of 10 VPS I ordered through the last two years were outdated and did have a running SSH and Apache webserver with really bad default settings.

Ordered them, went to work, coming home to see a vulnerable server.
The defaults actually pissed me off so bad that I built a whole script to remove the shit, patch it, secure it, and a few other basic tasks.

https://cdn.content-network.net/sc/deb-quick-install.sh

 