I need help in guiding me to detect the source of a SYN flood from my DigitalOcean droplet

maelzx Member

Hi All,

  1. What happened before the SYN flood:
  • I created a droplet (USD 5/month) in the Singapore location
  • selected the Ubuntu 14.04 image
  • installed and completed everything
  • installed Sentora (latest version, as I did the install following their guide, downloading the install script)
  • installed Sentastico for Sentora (latest version, also following their guide)
  • added Mautic (downloaded the zip file and uploaded the zip file to the server as a Sentastico package)
  • installed Mautic via Sentastico
  • let a user test the Mautic installation
  • the server IP address and domain were not revealed to any other 3rd party, but I think they were exposed to Sentora and Sentastico during the installation
  2. DigitalOcean emailed me that my droplet was doing a DDoS attack, thus they took it down.

  3. I requested more information and they gave this:

Thank you for connecting with us.

Hello there,

The traffic we noticed was a 12.1m PPS SYN flood (http://en.wikipedia.org/wiki/Syn_flood) being launched from your Droplet against a remote server at XY.XY4.6A.5A- not any form of legitimate traffic. This could not have been from a remote system, as there was no inbound traffic (from your client) during this incident.

The source port varied. 3 examples of port details are as follows:

Source Port: 45801 (45801)
Destination Port: http (80)

Source Port: 20395 (20395)
Destination Port: http (80)

Source Port: 42040 (42040)
Destination Port: http (80)

The system and application error and access logs may include additional details that could provide more insight on this.

https://www.digitalocean.com/community/tutorials/how-to-view-and-configure-linux-logs-on-ubuntu-and-centos

If you have any additional questions please let us know.

Best,

Trust & Safety
DigitalOcean

I don't want to reveal the IP that it attacked here, but if you want I can tell you privately; I think it doesn't matter. I tried to trace the IP; it is listed as corporate internet.

So, if possible, I want to find out what really happened, but I'm at a loss here on where to start. The droplet is still there.

Comments

  • matteob Barred
    edited July 2016

    You may have hidden files; start from the /tmp, /var/tmp and /dev/shm directories.

    Then install rkhunter.

    What service are you running on the droplet?

  • maelzx Member

    Hey there, thanks for the reply.

    OK, I will start from the directories that you listed there.

    The services that run were installed by Sentora, which is Apache, MySQL, phpMyAdmin etc... I think maybe a mail server too; I saw something like Postfix, Dovecot etc.

  • pbgben Member, Host Rep

    My guess is there is an exploit with Sentora, and you were unlucky to be hit so quickly.

    https://www.lowendtalk.com/discussion/47220/sentora-alternative-to-zpanel-warning/

  • NanoG6 Member

    Zpanel, again... sigh

  • maelzx Member

    Thanks for the link. I'm guessing I will advise my client accordingly (it was for a part-time job that I'm doing now).

  • kkrajk Member

    Unrelated: remove it and install Kloxo-MR, much better.

  • edan Member
    edited July 2016

    I don't think Sentora is your problem, but perhaps Mautic;

    Mautic is marketing automation software (email, social & more).

    You can try to use a different panel, e.g. VestaCP, and run that software as well.

    Note: I run Sentora on many servers and never found any problems (traffic for one website: just calculate how many visitors per day if the online users in Google Analytics are a minimum of 2k for 24 hours, and can reach 8k during peak hours); ah yes, it's Apache.

  • elgs Member

    Is your root password too simple?

  • maelzx Member

    @edan yes, perhaps Mautic, but Mautic was newly installed only as a demo to show it can be installed; no cron or other settings have been set up for it yet. But I don't rule out that Mautic is the issue.

    @elgs not too simple, but not too hard either; some combination of lowercase + 1 special char + 1 number.

  • hynds Member

    I think Kloxo or VestaCP is OK; however, if possible you should use a script such as vssim.

  • jtk Member

    @maelzx said:

    • let user test the mautic installation

    Hmm... do you trust that user? Even if so, could they have triggered something?

    Maybe there is some default vulnerability that a remote attacker exploited earlier, or if you installed something that had some latent DDoS bot, it wouldn't necessarily care what your address is. Perhaps set up an iptables rule to drop all outbound TCP SYN traffic, monitor, and see if you can discover what process is generating that traffic. Something like lsof may be of some help here.

    What happened when you examined the logs as DigitalOcean suggested?
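One defender-side way to carry out what jtk describes (log outbound SYNs, then tie them to a local process), as an added example that is not from the thread or any poster: it assumes an iptables LOG rule with the prefix "OUT-SYN: " has been added on the droplet, and works on constructed kernel-log and `ss -tnp` lines; the address 203.0.113.10 and the process names are placeholders, while the three source ports are the ones quoted in the DigitalOcean notice.

```python
import re
from collections import Counter

# Assumed logging rule on the droplet (jtk's DROP rule can follow it):
#   iptables -I OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-SYN: "
LOG_RE = re.compile(r"OUT-SYN: .*?SRC=(\S+) DST=(\S+) .*?SPT=(\d+) DPT=(\d+)")
# One line of `ss -tnp`: state, recv-q, send-q, local, peer, users:(("cmd",pid=N,fd=M))
SS_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

# Constructed sample data; 203.0.113.10 stands in for the target named in the notice.
SAMPLE_LOG = [
    "Jul  5 10:00:01 droplet kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=45801 DPT=80 SYN",
    "Jul  5 10:00:01 droplet kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=20395 DPT=80 SYN",
    "Jul  5 10:00:01 droplet kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=42040 DPT=80 SYN",
    "Jul  5 10:00:02 droplet kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN",
]
SAMPLE_SS = [  # constructed; "a.out" is a placeholder process name
    'SYN-SENT 0 1 10.0.0.5:45801 203.0.113.10:80 users:(("a.out",pid=1234,fd=3))',
    'ESTAB 0 0 10.0.0.5:51000 198.51.100.7:443 users:(("apt-get",pid=777,fd=5))',
]

def summarize_syns(log_lines):
    """Count outbound SYNs per (destination, port); a flood is one huge bucket."""
    counts = Counter()
    for m in filter(None, map(LOG_RE.search, log_lines)):
        counts[(m.group(2), int(m.group(4)))] += 1
    return counts

def source_ports(log_lines, dst):
    """Local source ports used towards one destination (they vary, as in the notice)."""
    return {int(m.group(3)) for m in map(LOG_RE.search, log_lines) if m and m.group(2) == dst}

def attribute(ports, ss_lines):
    """Map local ports to (command, pid) from `ss -tnp`. A port with no socket entry
    (None) usually means the sender used a raw socket, which the TCP table does not
    show; then list raw sockets with their owners instead (`ss -wp`)."""
    owners = {}
    for m in filter(None, map(SS_RE.search, ss_lines)):
        owners[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return {p: owners.get(p) for p in ports}

if __name__ == "__main__":
    (dst, dport), n = summarize_syns(SAMPLE_LOG).most_common(1)[0]
    print(f"busiest target {dst}:{dport} ({n} SYNs)")
    for port, owner in sorted(attribute(source_ports(SAMPLE_LOG, dst), SAMPLE_SS).items()):
        print(port, owner or "no socket owner (raw socket?)")
```

On a real host, feed it `grep OUT-SYN /var/log/kern.log` and the output of `ss -tnp` taken while the rule is active; a port that maps to a process gives you the PID to inspect with lsof.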

  • @maelzx said:
    the service that run was installed by sentora which is apache, mysql, phpmyadmin etc... i think maybe mail server too, i saw something like postfix, dovecot etc.

    Hmmm...

    the service that run was installed by sentora which is apache, mysql, phpmyadmin etc... i think maybe mail server too, i saw something like postfix, dovecot etc.

    Hmmm...

    the service that run was installed by sentora which is apache, mysql, PHPmyadmin etc... i think maybe mail server too, i saw something like postfix, dovecot etc.

    Hmmm...

    Beyond that, hire someone who knows what they're doing to admin your server.

  • edan Member

    So you concluded that this SYN flood is because of the use of phpMyAdmin and PHP? Can't any other programming language send a SYN flood? GREAT! finding.

  • edited July 2016

    @edan said:

    So you concluded that this SYN flood is because of the use of phpMyAdmin and PHP? Can't any other programming language send a SYN flood? GREAT! finding.

    Effects have causes. Servers aren't made to just randomly start up a DoS attack. Either some installed package was actually malware, or the server was compromised some time before the attack started. Based on my own server logs, 90+% of the abusive web traffic I see is scans for PHP exploits. The fact that other software might be exploited is worth investigation, of course, but all I'm saying is that I'd start my search by taking a close look at any and all PHP code that is being used.

  • raindog308 Administrator, Veteran

    @hynds said:
    I think kloxo or vestacp is ok, however if possible you should use script such as vssim.

    vpssim actually

  • edan Member

    impossiblystupid said: Effects have causes. Servers aren't made to just randomly start up a DoS attack. Either some installed package was actually malware, or the server was compromised some time before the attack started. Based on my own server logs, 90+% of the abusive web traffic I see is scans for PHP exploits. The fact that other software might be exploited is worth investigation, of course, but all I'm saying is that I'd start my search by taking a close look at any and all PHP code that is being used.

    Yes I know your point :)

  • Did you use a weak root password?

  • The title needs to be more descriptive.

  • jvnadr Member
    edited July 2016

    Don't use Sentastico with Sentora. Sentora's team is trying to fill the holes of ZPanel, and incidents of hacked Sentora are much fewer than in the past, but add-ons for Sentora are really full of holes! Especially Sentastico (search the web!).
    On the other hand, there are some much more secure panels like Virtualmin and ISPConfig out there, or simple scripts to install LAMP and then any script you want. VestaCP is also very good and, nowadays, mature.
    Really, I could never understand why someone having access to a shell would use script installers like Fantastico or similar... Or use a turnkey template... It is much more secure and not hard to install those scripts by hand.

  • edan Member

    jvnadr said: Don't use Sentastico with Sentora. Sentora's team is trying to fill the holes of ZPanel, and incidents of hacked Sentora are much fewer than in the past, but add-ons for Sentora are really full of holes! Especially Sentastico (search the web!).

    The only add-on I use is ELFilemanager http://forums.sentora.org/showthread.php?tid=2076&pid=17193#pid17193 and it runs nicely so far.

    Upgrade PHP and MySQL to the latest version (PHP 5.6) and replace their suhosin package with the default one because it has stricter rules (remove the suhosin.ini shipped with Sentora at /etc/php.d/ since it is duplicated if we install php-suhosin manually: yum install php-suhosin). I use it for an email server as well and not a single spam is sent (all IPs clean over years and OVH never sent any notification; OVH email protection is pretty strict).

    Zpanel/Sentora is very different compared to 2-3 years ago.

  • maelzx Member

    @jtk not fully trusted; however, he only has access to Sentora, I did not give him SSH access. Yes, to start with iptables blocking all TCP SYN is a start I guess, but I will take down the droplet anyway. It is just for a temporary test.

    @impossiblystupid the client will have someone capable to handle the server; this is just a one-time test and unfortunately (or fortunately, that it happened sooner rather than later) we had this issue on the first try. And this was set up by myself (yes, not a server admin, I'm just following all the guides to make it run and show the client, that is all).

    @linuxthefish yes, not a strong one. I did not rule out that someone had access to SSH and managed to log in as the root user; if this is what happened, can you show me how to trace this?

    @globalRegisters the title is what I intended to ask when I started this thread; if it needs to change please suggest to me what it should be.

    @jvnadr I've advised the client, but most likely he will stick to Sentora since it is already being used (and he has his guy to handle all the security I guess, not my concern).

    @edan hey, thanks for the tips, I need to read and try this php-suhosin first. Not for my client, maybe for myself.

    Again guys, very thankful for all your responses. I will keep the droplet for a few more days for me to check all the logs, but really, from what I see, nothing that I saw suggests that there has been a breach, but then maybe I don't know how to detect hacking.

    The droplet is already blocked from the network by DigitalOcean; I can only access it from the web console. So I guess it should be safe to keep it running a few more days while trying to find what actually happened.

  • @jvnadr said:
    Really, I could never understand why someone having access to a shell, would use script installers like fantastico or similar... Or, use a turnkey template... It is much more secure and not hard to install those scripts by hand.

    I've installed Wordpress about 6-12 times. Definitely not an expert, but what a PIA. There is always some bullshit PHP module it needs, or whatever. Maybe they've corrected it, but I totally get people using script based installers when the alleged geniuses behind a beloved product like Wordpress are too brilliant to post all the php modules and other system dependencies needed to finish their "famous" "one-click-install"

  • edan Member
    edited July 2016

    maelzx said: @edan hey, thanks for the tips, I need to read and try this php-suhosin first. Not for my client, maybe for myself.

    You can use remi repo. Enable the remi repo and choose PHP 5.6 (just change enabled=0 to enabled=1)

    rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
    
    # Edit Remi repo
    vi /etc/yum.repos.d/remi.repo
    
    # Enable Remi repo
    [remi]
    name=Remi's RPM repository for Enterprise Linux 7 - $basearch
    #baseurl=http://rpms.remirepo.net/enterprise/7/remi/$basearch/
    mirrorlist=http://rpms.remirepo.net/enterprise/7/remi/mirror
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
    
    # PHP 5.6
    [remi-php56]
    name=Remi's PHP 5.6 RPM repository for Enterprise Linux 7 - $basearch
    #baseurl=http://rpms.remirepo.net/enterprise/7/php56/$basearch/
    mirrorlist=http://rpms.remirepo.net/enterprise/7/php56/mirror
    # NOTICE: common dependencies are in "remi-safe"
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi

    Run the update now:

    yum update

    Upgrade the MYSQL:

    mysql_upgrade -u root -p

    Install the default PHP-suhosin etc. (Remember to remove the old suhosin.ini at /etc/php.d)

    yum install php-suhosin fail2ban
    chkconfig fail2ban on
    reboot

    Above are just the basic steps.

  • Check if there are any processes running in top with strange names.
