/usr/bin/host being used in HTTP DDoS on Debian?
ps aux
Should show you the user running the process and the full command line. You might find more info with
lsof | grep pid
This will show you any of the process's open files, including libraries, terminals, etc.
Also check out the files in /proc/pid (/proc/pid/environ, /proc/pid/cmdline, /proc/pid/status):
man proc
But if you suspect some malicious hanky-panky, you can't really trust any of these things. I'd be backing up important data and verifying its integrity. If you REALLY don't want to wipe the drive then at least take it offline to dd the disk for analysis, or use a liveCD to mount it and check md5s, run scans, etc.
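As an added example (not code from the answer above), here is how a defender can combine the ps, lsof and /proc checks into one script that walks a process's parent chain back to whatever launched it; it assumes Linux with /proc mounted and is meant to be run as root so that /proc/PID/exe is readable for every process:

```shell
#!/bin/sh
# Added example, not code from the answer above: walk a process's ancestry
# through /proc so you can see who launched a suspicious process such as
# /usr/bin/host (in the case discussed here the parent turned out to be a
# web-application process running as www-data). Assumes Linux with /proc.

# proc_chain PID
# Prints one line per process from PID up to its root ancestor:
#   pid ppid uid exe cwd cmdline [note]
proc_chain() {
    pid=$1
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
        # readlink on exe/cwd needs ptrace-level access; "?" means rerun as root
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')
        note=''
        case $exe in
            # the kernel appends this when the binary was unlinked after exec,
            # the "run it, then delete it" trick mentioned in the comments
            *'(deleted)'*) note=' [binary deleted from disk]' ;;
        esac
        printf '%s %s %s %s %s %s%s\n' \
            "$pid" "$ppid" "$uid" "$exe" "$cwd" "$cmd" "$note"
        pid=${ppid:-0}
    done
}

# Typical use for the case in the question: for every running "host"
# process, show the chain back to whatever spawned it.
if [ "${1:-}" = "--host" ]; then
    for p in $(pidof host); do
        echo "== host pid $p"
        proc_chain "$p"
    done
fi
```

Because the parent's PID and UID come from /proc/PID/status rather than from a process name, a deceptively named binary still shows up with its real exe path and cwd.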
Moritz von Schweinitz
Updated on September 18, 2022
Comments
-
Moritz von Schweinitz over 1 year
So I got an abuse complaint for one of my dedicated servers, running Debian 6.0.
Sure enough, sometimes, top shows /usr/bin/host using a lot of CPU for no apparent reason, and netstat shows process host doing a lot of HTTP requests. After a while, my syslog even says
nf_conntrack: table full, dropping packet.
which I assume has something to do with this matter. I have verified the executable /usr/bin/host using debsums, and it seems to be fine, too. The server as such is 100% updated, too. So I am guessing something is somehow calling my host executable and coercing it to do HTTP requests for some DDoS.
I could of course simply hack together a script to killall host as soon as this is happening, but I would really like to know where the problem originates from. I am checking the Apache logs for interesting entries around the time that host is starting to do its requests, but haven't found anything yet.
Anyone have a recommendation on what else to do? How can I see who and what called 'host'? Google didn't show up any examples of /usr/bin/host being abused, at all!
-
Cory J over 10 years
Host is for resolving DNS, it shouldn't be making HTTP requests at all. Maybe the binary that's doing the attack is named deceptively. I wouldn't trust any file integrity checks on the local machine, they may lie if the machine was compromised.
-
Moritz von Schweinitz over 10 years
I did 'updatedb' and 'locate host', and the only file called 'host' is /usr/bin/host. debsums is freshly installed. apt's signatures seem to be ok, too.
-
Cory J over 10 years
locate can be patched. debsums can be patched. A binary can be run and loaded into memory and then deleted from the filesystem.
-
Moritz von Schweinitz over 10 years
Yes, I am aware of the fact that anything could be patched and hacked, but it does get kind of unlikely at a certain point - e.g. if this maybe installed malware is so advanced that it patches debsums on-the-fly immediately after it has been installed, screws with the FS (or md5sum) so that it reports false values and so on - then why would it keep its malevolent process in plain sight, eating up CPU cycles like mad? So, is there a probably good way of testing how this 'host' process is being launched? If the process' name has been changed after launch? rkhunter gives an all-clear, BTW.
-
voretaq7 over 10 years
@MoritzvonSchweinitz If you disagree with the closure of this question please open a discussion on Meta. Editing your question is not the proper way to raise objections to moderation decisions. Thanks :-)
-
matiu about 10 years
@voretaq7 I'm seeing the same thing on my server. I think this question should be reopened, as it is more specific than the proposed duplicate. (I don't know how to get to 'meta'). I'm not sure if it is to do with a compromise; my 'host' process has no scary open files and is not doing any scary UDP nor TCP packets, rkhunter didn't care about it. I'm wondering if it's some kind of DNS misconfiguration.
-
chilladx about 8 years
It may be late, but I ended up in the same situation. Turns out to be the exact same thing as in this post: forums.cpanel.net/threads/… (TL;DR: Wordpress compromised).
-
Moritz von Schweinitz over 10 years
So the 'host' process was running as www-data, and the lsof command showed me the wordpress installation that was to blame for the hassle. Updated and cleaned it out, and now everything's back to normal.
-
Marki555 almost 9 years
Here is a more detailed explanation: serverfault.com/questions/705217/…