2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article covers how to find "broilers" (compromised hosts that an attacker controls remotely) on a CentOS server. Many people run into this situation in real cases, so the walkthrough below shows how to deal with it.
SSH sessions to the server kept lagging and dropping. Logging in to the firewall showed that traffic on the firewall's external network port had reached 800M/s, and further inspection found that one server was generating very heavy traffic. Traffic like this has serious consequences: it consumes so much network capacity that the website's home page and the applications on it become very slow, and remote sessions to the server drop frequently. It must be dealt with immediately.
Log in to the server while the traffic is low (when the traffic is heavy, SSH is impossible) and capture packets.
1. cat /proc/net/bonding/bond0, first of all, find out which network card is in use, because the server has eth0 and eth2 bonded as a dual network card pair.
2. /usr/sbin/tcpdump -i eth0 -s 0 -w package.cap, if the network card in use is eth0, capture packets on it.
Analysis of the captured packets shows that the server keeps sending a large number of UDP packets to port 7000 of a public IP address. Our server has become a "broiler" in a DoS attack, which not only nearly paralyzes our own network but also attacks others.
The temporary countermeasure is to use iptables to stop the server from sending UDP packets. After that, find the application responsible, look for the vulnerability, and remove the Trojan files.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -P OUTPUT DROP
These rules block all outbound UDP ports except port 53, which DNS needs. Earlier, only port 7000 had been blocked, and it was later found that the attack had switched to a different port.
The second step is to check for application and server vulnerabilities.
Check which additional UDP ports are open locally while the server's traffic is heavy.
netstat -lpnut | grep udp
This shows that the port is 1833. Next, find the related process by port 1833.
ps -ef | grep 1833
The process found is named freebsd.
Then find the location of the corresponding application from the process name.
lsof | grep -i freebsd
The directory this turns up belongs to a normal application running under Tomcat.
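An added example, not part of the original article: grepping the ps output for 1833 matches that number anywhere in the process list, while the PID/Program column of netstat -lpnut names the socket owner directly. The script below reads that column from a constructed sample and lists every UDP socket outside an allowlist; the allowlist default, the sample PIDs and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): list UDP sockets that are not
# on an allowlist and name the PID that owns each one.

# Constructed sample of `netstat -lpnut` output. Only port 1833 and the name
# freebsd come from the article; every other value is made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN   1021/sshd
tcp        0      0 :::8080          :::*             LISTEN   2290/java
udp        0      0 0.0.0.0:123      0.0.0.0:*                 845/ntpd
udp        0      0 0.0.0.0:1833     0.0.0.0:*                 31337/freebsd
udp        0      0 :::1833          :::*                      31337/freebsd
udp        0      0 0.0.0.0:5353     0.0.0.0:*                 -
EOF
}

# Reads netstat output on stdin; $1 is the allowlist of expected UDP ports
# (assumed default: DNS and NTP). Prints "port pid program" per finding.
unexpected_udp() {
    awk -v allowed="${1:-53 123}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^udp/ {
            port = $4; sub(/.*:/, "", port)   # works for 0.0.0.0:1833 and :::1833
            if (port in ok) next
            pid = "-"; prog = "-"             # "-" means netstat showed no owner
            for (i = 6; i <= NF; i++)         # State column is empty for UDP
                if ($i ~ /^[0-9]+\//) {
                    pid = $i;  sub(/\/.*/, "", pid)
                    prog = $i; sub(/^[0-9]+\//, "", prog)
                    break
                }
            if (!((port, pid) in seen)) { seen[port, pid] = 1; print port, pid, prog }
        }'
}

# Live use, as root: resolve each PID to the binary on disk. The name column
# is whatever the process calls itself; /proc/PID/exe is the file that runs.
inspect_live() {
    netstat -lpnut 2>/dev/null | unexpected_udp "$1" | while read -r port pid prog; do
        if [ "$pid" = "-" ]; then echo "udp/$port owner hidden; rerun as root"; continue; fi
        echo "udp/$port pid=$pid name=$prog exe=$(readlink "/proc/$pid/exe")"
        echo "  cwd=$(readlink "/proc/$pid/cwd") ppid=$(ps -o ppid= -p "$pid" | tr -d ' ')"
    done
}

sample_netstat | unexpected_udp   # offline demo on the constructed sample
```

On the affected host, call inspect_live as root; the exe and cwd paths show where the binary was dropped, and the parent PID shows which service started it.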