Strange attack on my server

I had a very strange attack on my server yesterday. I wasn't sure if it was a compromise, just a DoS attack, or something else.

This server is completely unused. But yesterday when I was checking the transfer usage, the incoming was up to 9GB and outgoing up to 18GB (both in just one day).

I suspected something was wrong, so I logged into the server, and there were more than 200 processes running, mostly zombie httpd (usually there are only 32 processes on this unused server).

I also noticed (through netstat -pa) that a huge number of IPs are connecting to my apache server. A part of the output is shown below:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 1 xxx.xxx.xxx.xxx:33574 57.186.148.255:http SYN_SENT 1669/httpd
tcp 0 1 xxx.xxx.xxx.xxx:33509 57.186.148.190:http SYN_SENT 1669/httpd
tcp 1 0 xxx.xxx.xxx.xxx:60149 62.118.252.179:http CLOSE_WAIT 3902/httpd
tcp 0 1 xxx.xxx.xxx.xxx:33573 57.186.148.254:http SYN_SENT 1669/httpd
tcp 0 1 xxx.xxx.xxx.xxx:33510 57.186.148.191:http SYN_SENT 1669/httpd
tcp 0 1 xxx.xxx.xxx.xxx:33572 57.186.148.253:http SYN_SENT 1669/httpd

Note the foreign address connecting to my server, which seems to be in the same subnet.

The server load went up from the normal 0.0 to about 1.2. I checked the stat program and it looks like the number of processes has gone up to as high as 700 in the past. Everything else also rose (CPU, mem, network traffic), but the disk space stays about the same (as far as I could tell from a graph).

I couldn't do anything to stop it, and the transfer continued to be used up. I finally stopped it by shutting down httpd. But after I shut it down, I noticed a connection (through netstat) from Russia:

tcp 0 0 xxx.xxx.xxx.xxx:60125 cgin.uplink.ru:http TIME_WAIT -

Today, when I tried to start up apache again (service httpd start), something called "update" was running on the http port (and it wasn't serving web pages). I was wary of binary replacement, so I killed the processes, updated my apache rpm, and now it seems to work as usual.

I have just done a chkrootkit, and it says "Checking `slapper'... Warning: Possible Slapper Worm installed" but I can't find any of the files described on the web.

Any ideas/comments?

Thanks,

Peter
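One way to turn the netstat output quoted above into a repeatable check, as an added example that is not part of the original post. The script parses Linux net-tools `netstat -pa` text and reports processes that are *originating* connections (ephemeral local port, client-side TCP state) to many distinct remote hosts on one service port; a web server that opens connections to neighbouring addresses on port 80, rather than accepting them, is scanning or propagating rather than serving pages, which is the pattern in Peter's listing. The sample is constructed to model his lines; the 10.0.0.5 local address, the LISTEN line and the sshd line are assumptions.

```python
"""Flag processes that open outbound connections to many hosts (added example, not from the post)."""
from collections import defaultdict
import ipaddress

# Constructed sample modelled on the netstat lines in the post; not the real output.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      1669/httpd
tcp        0      1 10.0.0.5:33574          57.186.148.255:http     SYN_SENT    1669/httpd
tcp        0      1 10.0.0.5:33509          57.186.148.190:http     SYN_SENT    1669/httpd
tcp        1      0 10.0.0.5:60149          62.118.252.179:http     CLOSE_WAIT  3902/httpd
tcp        0      1 10.0.0.5:33573          57.186.148.254:http     SYN_SENT    1669/httpd
tcp        0      1 10.0.0.5:33510          57.186.148.191:http     SYN_SENT    1669/httpd
tcp        0      1 10.0.0.5:33572          57.186.148.253:http     SYN_SENT    1669/httpd
tcp        0      0 10.0.0.5:ssh            192.0.2.10:52211        ESTABLISHED 2201/sshd
tcp        0      0 10.0.0.5:60125          cgin.uplink.ru:http     TIME_WAIT   -
"""

# States in which the local process still owns the socket it opened as a client.
CLIENT_STATES = {"SYN_SENT", "ESTABLISHED", "CLOSE_WAIT"}


def _split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals also work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Parse `netstat -pa` output into TCP connection records; headers and UDP are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state, program = fields[:7]
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        conns.append({"proto": proto, "state": state, "program": program,
                      "local_host": lhost, "local_port": lport,
                      "remote_host": fhost, "remote_port": fport})
    return conns


def is_outbound(conn):
    """True when our side used an ephemeral numeric port (>=1024) and is in a client-side state.
    netstat prints well-known local ports by service name (http, ssh), so those are inbound."""
    return (conn["state"] in CLIENT_STATES
            and conn["local_port"].isdigit()
            and int(conn["local_port"]) >= 1024)


def _subnet_of(host):
    """Return the /24 (IPv4) or /64 (IPv6) containing an IP literal, or None for a hostname."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{host}/{prefix}", strict=False))


def find_scanners(netstat_text, min_hosts=3):
    """Report (program, remote port) pairs with outbound connections to >= min_hosts distinct hosts.
    Findings are sorted by host count, descending."""
    per_proc = defaultdict(lambda: {"hosts": set(), "subnets": set(), "syn_sent": 0})
    for conn in parse_netstat(netstat_text):
        if not is_outbound(conn):
            continue
        entry = per_proc[(conn["program"], conn["remote_port"])]
        entry["hosts"].add(conn["remote_host"])
        subnet = _subnet_of(conn["remote_host"])
        if subnet:
            entry["subnets"].add(subnet)
        if conn["state"] == "SYN_SENT":
            entry["syn_sent"] += 1
    findings = []
    for (program, port), entry in per_proc.items():
        if len(entry["hosts"]) < min_hosts:
            continue
        findings.append({
            "program": program,
            "remote_port": port,
            "distinct_hosts": len(entry["hosts"]),
            "distinct_subnets": len(entry["subnets"]),
            "syn_sent": entry["syn_sent"],
            # Many targets packed into few /24s is the signature of sequential address scanning.
            "clustered": len(entry["subnets"]) <= max(1, len(entry["hosts"]) // 4),
        })
    findings.sort(key=lambda f: f["distinct_hosts"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_scanners(SAMPLE_NETSTAT):
        print(f"{f['program']}: {f['distinct_hosts']} hosts on port {f['remote_port']}, "
              f"{f['syn_sent']} SYN_SENT, {f['distinct_subnets']} subnet(s)"
              f"{' - clustered, consistent with scanning' if f['clustered'] else ''}")
```

Run it against real output with `netstat -pa | python3 this_script.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`. A process that is supposed to be a server (httpd) appearing in the findings with a high `syn_sent` count and a single subnet is the thing to act on; the `TIME_WAIT` line with no owning PID is ignored on purpose, because no process can be blamed for it.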
