/usr/bin/host being used in HTTP DDoS on Debian?

bind ddos abuse
10,731

ps aux

Should show you the user running the process and the full command line. You might find more info with

lsof | grep pid

This will show you any of the processes open files, including libraries, terminals, etc.

Also check out the files in /proc/pid. (/proc/pid/environ, /proc/pid/cmdline, /proc/pid/status):

man proc

But if you suspect some malicious hanky-panky, you can't really trust any of these things. I'd be backing up important data and verifying its integrity. If you REALLY don't want to wipe the drive then at least take it offline to dd the disk for analysis, or use a liveCD to mount it and check md5s, run scans, etc.

Share:
10,731

Related videos on Youtube

Moritz von Schweinitz
Author by

Moritz von Schweinitz

Updated on September 18, 2022

Comments

  • Moritz von Schweinitz
    Moritz von Schweinitz over 1 year

    So I got an abuse complaint for one of my dedicated servers, running Debian 6.0

    Sure enough, sometimes, top shows /usr/bin/host using a lot of CPU for no apparent reason, and netstat shows process host doing a lot of HTTP requests.

    After while, my syslog even says nf_conntrack: table full, dropping packet., which i assume has something to do with this matter.

    I have verified the executable /usr/bin/host using debsums, and is seems to be fine, too. The server as such is 100% updated, too.

    So i am guessing something is somehow calling my host executable and coercing it to do HTTP requests for some DDoS.

    I could of course simply hack together a script to killall host as soon as this is happening, but I would really like to know where the problem originates from.

    I am checking the Apache logs for interesting entries around the time that host is starting to do its requestst, but haven’t found anything yet.

    Anyone have a recommendation on what else to do? How can I see who and what called 'host'? Google didnt show up any examples of /usr/bin/host being abused, at all!

    • Cory J
      Cory J over 10 years
      Host is for resolving DNS, it shouldn't be making HTTP requests at all. Maybe the binary that's doing the attack is named deceptively. I wouldn't trust any file integrity checks on the local machine, they may lie if the machine was compromised.
    • Moritz von Schweinitz
      Moritz von Schweinitz over 10 years
      i did 'updatedb' and 'locate host', and the only file called 'host' is /usr/bin/host. debsums is freshly installed. apt's signatures seem to be ok, too.
    • Cory J
      Cory J over 10 years
      locate can be patched. debsums can be patched. A binary can be ran and loaded into memory and then deleted from the filesystem.
    • Moritz von Schweinitz
      Moritz von Schweinitz over 10 years
      Yes, I am aware of the fact that anything could be patched and hacked, but it does get kind of unlikely at a certain point - e.g. if this maybe installed malware is so advanced that it patches debsums on-the-fly immediately after it has been installed, screws with the FS (or md5sum) ) so that it reports false values and so on - then why would it keep it's manevolent process in plain sight, eating up CPU cycles like mad? So, is there a probably good way of testing how this 'host' process is being launched? If the process' name has been changed after launch? rkhunter gives an all-clear, BTW.
    • voretaq7
      voretaq7 over 10 years
      @MoritzvonSchweinitz If you disagree with the closure of this question please open a discussion on Meta. Editing your question is not the proper way to raise objections to moderation decisions. Thanks :-)
    • matiu
      matiu about 10 years
      @voretaq7 I'm seeing the same thing on my server. I think this question should be reopened, as it is more specific than the proposed duplicate. (I don't know how to get to 'meta'). I'm not sure if it is to do with a compromise; my 'host' process has no scary open files and is not doing any scary UDP nor TCP packets, rkhunter didn't care about it. I'm wondering if it's some kind of DNS misconfiguration.
    • chilladx
      chilladx about 8 years
      It may be late, but I end up in the same situation. Turns out to be the exact same thing as in this post: forums.cpanel.net/threads/… (TL;DR: Wordpress compromised).
  • Moritz von Schweinitz
    Moritz von Schweinitz over 10 years
    so the 'host' process was running as www-data, and the lsof command showed me the wordpress installation that was to blame for the hassle. Updated and cleaned it out, and now everything's back to normal.
  • Marki555
    Marki555 almost 9 years
    Here is more detailed explanation serverfault.com/questions/705217/…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Bind named service high cpu load
lots of dns requests from China, should I worry?
bind: blackhole for invalid recursive queries?
javax.xml.bind.UnmarshalException: unexpected element (uri:"", local:"sRAssignments"). Expected elements are
JQuery bind on Ajax success
Bind with coffeescript
Correct use of bind variables with dates in Oracle?
Tomcat with https a non-root user - Bind exception 443
Search through columns in a datagridview using textbox (vb.net)
Can we say that this is simple DDOS botnet?