We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
I am under ATTACK
I am under ATTACK
Hello,
I am under attack for 10 hours.
Since I am new to linux I don't know what to and where to begin.
I will post some graphic for you guys to direct me to the issue and take necessary steps.
This output shows weird traffic between me and google dns servers. It never stops. Is my server used to DDOS Google DNS?
Here you will see, pyhton is causing %100 CPU load (maybe due to fail2ban usage?)
Here's my digitalocean graphics, the server went crazy!!
And last, here's my email usage, I think my mail server is being used for spamming but I am sure it is not my clients.
What can I do? How can I investigate this issue? How can I limit outgoing email per hour? like 100 mails per hour.
I am under attack for 10 hours.
Since I am new to linux I don't know what to and where to begin.
I will post some graphic for you guys to direct me to the issue and take necessary steps.
This output shows weird traffic between me and google dns servers. It never stops. Is my server used to DDOS Google DNS?
Here you will see, pyhton is causing %100 CPU load (maybe due to fail2ban usage?)
Here's my digitalocean graphics, the server went crazy!!
And last, here's my email usage, I think my mail server is being used for spamming but I am sure it is not my clients.
What can I do? How can I investigate this issue? How can I limit outgoing email per hour? like 100 mails per hour.
Re: I am under ATTACK
We need CSF, I have a vps with CSF installed, the server is up for 10 months, not even a restart... Admins doesn't recommend vesta with csf..
does any of you use (still) vesta with csf firewall?
does any of you use (still) vesta with csf firewall?
Re: I am under ATTACK
I installed CSF on vesta and blocked outgoing port 80 and the 20 mb/s outgoing connections stopped.
my server is being used to attack other wordpress sites I guess.
cpu is still high, but at least I managed my server to stop attacking/flooding other websites.
here s what top -H -p 14941 returns
python is causing excessive cpu load, whatever my server is infected with, it has got to do something with python lol
my server is being used to attack other wordpress sites I guess.
cpu is still high, but at least I managed my server to stop attacking/flooding other websites.
here s what top -H -p 14941 returns
Code: Select all
Threads: 501 total, 4 running, 497 sleeping, 0 stopped, 0 zombie
%Cpu(s): 49.7 us, 30.3 sy, 0.0 ni, 18.7 id, 0.9 wa, 0.0 hi, 0.5 si, 0.0 s
KiB Mem: 4061564 total, 3870052 used, 191512 free, 311700 buffers
KiB Swap: 4095996 total, 80 used, 4095916 free, 732256 cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15361 admin 20 0 4480m 352m 4700 R 28.7 8.9 6:27.91 python
15427 admin 20 0 4480m 352m 4700 R 28.1 8.9 7:36.01 python
15345 admin 20 0 4480m 352m 4700 R 27.4 8.9 5:18.05 python
15354 admin 20 0 4480m 352m 4700 R 27.4 8.9 8:39.31 python
15026 admin 20 0 4480m 352m 4700 S 0.7 8.9 0:00.95 python
15303 admin 20 0 4480m 352m 4700 S 0.7 8.9 0:03.05 python
15112 admin 20 0 4480m 352m 4700 S 0.3 8.9 0:02.46 python
15267 admin 20 0 4480m 352m 4700 S 0.3 8.9 0:02.81 python
15272 admin 20 0 4480m 352m 4700 S 0.3 8.9 0:02.67 python
15374 admin 20 0 4480m 352m 4700 S 0.3 8.9 0:02.87 python
15394 admin 20 0 4480m 352m 4700 S 0.3 8.9 0:02.36 python
15430 admin 20 0 4480m 352m 4700 S 0.3 8.9 0:02.72 python
14941 admin 20 0 4480m 352m 4700 S 0.0 8.9 0:06.51 python
14948 admin 20 0 4480m 352m 4700 S 0.0 8.9 0:02.46 python
14949 admin 20 0 4480m 352m 4700 S 0.0 8.9 0:02.56 python
14950 admin 20 0 4480m 352m 4700 S 0.0 8.9 0:01.35 python
14951 admin 20 0 4480m 352m 4700 S 0.0 8.9 0:02.21 python
14952 admin 20 0 4480m 352m 4700 S 0.0 8.9 0:02.82 python
Re: I am under ATTACK
ok brothers and sisters, CSF did the job, mofo gave up for this time. I think my server is compromised, but at least it is working.
Re: I am under ATTACK
Hello, you can try to investigate that python processes using lsof:
Check internet connections:
Install rkhunter and check rootkits
seatch new php files (10 days old in example)
Check temp folders /tmp, /var/tmp, /dev/shm and cron tasks
Code: Select all
lsof -np PID
Code: Select all
netstat -naptu
Code: Select all
rkhunter --update; rkhunter --check
Code: Select all
find /home/admin -type f -name "*.php" -mtime -10 -ls
Code: Select all
crontab -l -u admin
Re: I am under ATTACK
these are great information. not just for this case, for my future possible problems. I kindly thank you. unfortunately I gave up on that server. the biggest issue is, people are using nulled scripts and there is nothing I can do about it.Deeryo wrote:Hello, you can try to investigate that python processes using lsof:Check internet connections:Code: Select all
lsof -np PID
Install rkhunter and check rootkitsCode: Select all
netstat -naptu
seatch new php files (10 days old in example)Code: Select all
rkhunter --update; rkhunter --check
Check temp folders /tmp, /var/tmp, /dev/shm and cron tasksCode: Select all
find /home/admin -type f -name "*.php" -mtime -10 -ls
Code: Select all
crontab -l -u admin
In vesta, once somebody manages to upload a shell script, whole server is in his hands. not enough measures has been taken in terms of hosting security.
vesta may be great, but not yet a dependable product for linux newbies like me.
now I am switched to cpanel, things may be slower and I got to pay $14 / month but at last I will find peace.
Re: I am under ATTACK
You can use apache "basedir" template to use php open_basedir protection. Also modify /etc/php.ini and set disable_functions option. Examples from google:
http://www.databaseskill.com/3343256/
or
http://lowendtalk.com/discussion/37009/ ... ed-hosting
or
http://www.databaseskill.com/3343256/
or
http://lowendtalk.com/discussion/37009/ ... ed-hosting
or
Code: Select all
disable_functions=eval,exec,shell_exec,system,passthru,popen,dl,set_time_limit,symlink,uname,proc_open,proc_nice,proc_get_status,proc_close,proc_terminate,posix_mkfifo,socket_listen,socket_create,socket_create_pair,socket_create_listen,socket_connect,pfsockopen,disk_free_space,disk_total_space,socket_bind,socket_accept,socket_read,stream_socket_client,stream_socket_server,stream_select,stream_socket_accept,stream_socket_recvfrom,stream_socket_sendto
Re: I am under ATTACK
thanks once again.Deeryo wrote:You can use apache "basedir" template to use php open_basedir protection. Also modify /etc/php.ini and set disable_functions option. Examples from google:
http://www.databaseskill.com/3343256/
or
http://lowendtalk.com/discussion/37009/ ... ed-hosting
orCode: Select all
disable_functions=eval,exec,shell_exec,system,passthru,popen,dl,set_time_limit,symlink,uname,proc_open,proc_nice,proc_get_status,proc_close,proc_terminate,posix_mkfifo,socket_listen,socket_create,socket_create_pair,socket_create_listen,socket_connect,pfsockopen,disk_free_space,disk_total_space,socket_bind,socket_accept,socket_read,stream_socket_client,stream_socket_server,stream_select,stream_socket_accept,stream_socket_recvfrom,stream_socket_sendto
but if I have to modify these, then what is the purpose of using hosting panel..
even setting a restriction on mails sent by domain per hour requires serious exim skills and heavy googling..
and these guys are working on adapting "file manager" not serious issues...
my main job is doing seo and developing wordpress websites, but since I am with vesta, I feel depressed, I cannot sleep. for 3 days things are normal, but then all of a sudden everything can go crazy...