Server Unplugged UDP Attack to known node
Hello, this morning Ev1 unplugged one of our servers because it was launching a UDP attack against another box.
To my surprise, the destination box is a known box: another server that belongs to us.
I am running the APF firewall on both servers, and the source server had the destination server in /etc/apf/allow_hosts.rules because I run an NFS server on the source box so the destination server can connect to it and make its backups.
The attack:
1 2006-02-01 23:30:09.363346 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=13320)
2 2006-02-01 23:30:09.363354 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=14800)
3 2006-02-01 23:30:09.363357 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=16280)
4 2006-02-01 23:30:09.363361 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=17760)
5 2006-02-01 23:30:09.363364 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=19240)
6 2006-02-01 23:30:09.363368 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=20720)
7 2006-02-01 23:30:09.363434 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=22200)
8 2006-02-01 23:30:09.363595 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=23680)
9 2006-02-01 23:30:09.363686 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=25160)
10 2006-02-01 23:30:09.363988 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=26640)
11 2006-02-01 23:30:09.363995 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=28120)
12 2006-02-01 23:30:09.364036 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=29600)
13 2006-02-01 23:30:09.364216 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=31080)
14 2006-02-01 23:30:09.364223 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=32560)
15 2006-02-01 23:30:09.364358 67.15.159.XXX -> 67.15.20.XXX UDP Source port: 2049 Destination port: 1023
I have investigated the source server and it's not compromised; rkhunter says that all files are MD5 OK and /tmp doesn't have any suspicious files.
How can I investigate how this attack was launched and by whom?
Thank you.
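Added example (mine, not part of the original post): a small parser for Ethereal/Wireshark summary lines like the fifteen pasted above. It groups the fragments per source/destination pair, works out the fragment payload size from the offset spacing, lists which offsets are absent from the paste, bounds the datagram size, measures how long the burst took, and reads the UDP ports from the frame that completes reassembly, labelling them with the IANA service name. The sample input is the post's own capture (addresses masked as in the post); on it the parser reports UDP source port 2049 (nfsd) to a privileged client port, 1480-byte fragments and a datagram of roughly 33 KB, which is the shape of a large NFS READ/READDIR reply over UDP. The verdict strings and the `analyze` function name are my own.

```python
"""Characterise fragmented UDP datagrams in an Ethereal/Wireshark summary
listing: fragment size, offsets present, size bounds, timing, and (from the
frame that completes reassembly) the UDP ports and the service they imply."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the 15 summary lines from the post, with the columns
# space-separated (the regexes below also accept the fused form as pasted).
CAPTURE = """\
1 2006-02-01 23:30:09.363346 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=13320)
2 2006-02-01 23:30:09.363354 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=14800)
3 2006-02-01 23:30:09.363357 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=16280)
4 2006-02-01 23:30:09.363361 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=17760)
5 2006-02-01 23:30:09.363364 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=19240)
6 2006-02-01 23:30:09.363368 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=20720)
7 2006-02-01 23:30:09.363434 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=22200)
8 2006-02-01 23:30:09.363595 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=23680)
9 2006-02-01 23:30:09.363686 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=25160)
10 2006-02-01 23:30:09.363988 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=26640)
11 2006-02-01 23:30:09.363995 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=28120)
12 2006-02-01 23:30:09.364036 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=29600)
13 2006-02-01 23:30:09.364216 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=31080)
14 2006-02-01 23:30:09.364223 67.15.159.XXX -> 67.15.20.XXX IP Fragmented IP protocol (proto=UDP 0x11, off=32560)
15 2006-02-01 23:30:09.364358 67.15.159.XXX -> 67.15.20.XXX UDP Source port: 2049 Destination port: 1023
"""

# Ethereal prints the fragment offset in bytes (the on-wire field is in 8-byte units).
HEAD = r"^(?P<frame>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<src>\S+?)\s*->\s*(?P<dst>\S+?)\s*"
FRAG_RE = re.compile(HEAD + r"IP Fragmented IP protocol \(proto=(?P<proto>\w+) 0x[0-9A-Fa-f]+, off=(?P<off>\d+)\)$")
UDP_RE = re.compile(HEAD + r"UDP Source port: (?P<sport>\d+) Destination port: (?P<dport>\d+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# IANA-assigned UDP server ports; used only to label the flow.
UDP_SERVICES = {2049: "nfs", 111: "sunrpc", 53: "dns", 123: "ntp", 69: "tftp", 161: "snmp"}


def analyze(text):
    """Group summary lines by (src, dst) and describe each fragmented datagram."""
    flows = defaultdict(lambda: {"offsets": [], "times": [], "ports": None, "proto": None, "frames": 0})
    for line in text.splitlines():
        m = FRAG_RE.match(line.strip()) or UDP_RE.match(line.strip())
        if not m:
            continue
        f = flows[(m["src"], m["dst"])]
        f["frames"] += 1
        f["times"].append(datetime.strptime(m["ts"], TS_FMT))
        if "off" in m.groupdict():
            f["offsets"].append(int(m["off"]))
            f["proto"] = m["proto"]
        else:
            # The sniffer decodes the transport header in the frame that completes
            # reassembly; on the wire the UDP header sits in the offset-0 fragment.
            f["ports"] = (int(m["sport"]), int(m["dport"]))
            f["proto"] = "UDP"

    results = []
    for (src, dst), f in flows.items():
        offs = sorted(f["offsets"])
        diffs = {b - a for a, b in zip(offs, offs[1:])}
        step = diffs.pop() if len(diffs) == 1 else None  # uniform fragment payload size?
        # Offsets we would expect between the first fragment and the highest one seen.
        missing = sorted(set(range(step, offs[-1] + 1, step)) - set(offs)) if step and offs else []
        # Size bounds assume the highest offset seen belongs to the last fragment.
        size_bounds = (offs[-1] + 1, offs[-1] + step) if step and offs else None
        duration = (max(f["times"]) - min(f["times"])).total_seconds() if f["times"] else 0.0
        sport, dport = f["ports"] or (None, None)
        service = UDP_SERVICES.get(sport) or UDP_SERVICES.get(dport)
        if f["proto"] == "UDP" and sport == 2049:
            verdict = ("replies from an NFS server (UDP 2049)"
                       + (" to a privileged client port" if dport is not None and dport < 1024 else "")
                       + "; large NFS READ/READDIR replies are fragmented at the MTU, so this shape "
                       "alone is not evidence of a flood")
        else:
            verdict = "fragmented %s to an unrecognised port pair; capture the payload to identify it" % f["proto"]
        results.append({"src": src, "dst": dst, "proto": f["proto"], "frames": f["frames"],
                        "step": step, "last_offset": offs[-1] if offs else None,
                        "missing": missing, "size_bounds": size_bounds, "duration_s": duration,
                        "ports": f["ports"], "service": service, "verdict": verdict})
    return results


if __name__ == "__main__":
    for flow in analyze(CAPTURE):
        for key, value in flow.items():
            print("%-12s %s" % (key, value))
```

The eight offsets reported missing (1480 through 11840) simply are not in the paste, so the listing starts nine fragments into the datagram; the burst of fourteen fragments spans about one millisecond, which is a single datagram leaving a LAN interface, not a sustained flood. To confirm this on the box itself rather than from a sniffer summary, `tcpdump -n udp and src port 2049` on the source server and `nfsstat -s` will show whether the traffic lines up with the backup client's NFS reads.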