1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

high number of outbound UDP packets originating from your server: disabled

Discussion in 'Server Configuration and Hosting' started by jgas, Jun 5, 2013.

  1. jgas

    jgas Active Member

    hi I got my server disable.
    here I attached the ticket of my hosting.. can it be connected with xenforo?
    I'm using version 1.1.2 . Ifi upgrade can I fix the problem?
    I'm contacting you to advise of activity that has occurred this evening that has required us to intervene and disable your server.

    At approximately 1930 this evening we detected intermittent connectivity indicative of packet loss on the firewall that began to interrupt services to other customers. On investigation the source of this interruption was found to be a high number of outbound UDP packets originating from your servers IP address.

    As a result of this activity we have had no choice but to shut down this server until such time as further investigation can be carried out. Please let us know when you are ready to proceed with this and we will make arrangements to have the machine re-enabled for debugging purposes.

    If you have any queries regarding this please don't hesitate to get in touch.
    Last edited by a moderator: Jun 5, 2013
  2. Biker

    Biker Well-Known Member

    What else are you running on the server other than XenForo. Because the cause of you getting shut down wasn't because of the forum software.

    Streaming video and games would definitely cause something like this.
    Adam Howard likes this.
  3. Digital Doctor

    Digital Doctor Well-Known Member

    Why are all hosts super crazy unhelpful ?
  4. Biker

    Biker Well-Known Member

    Why do forum owners rent server space without knowing the basics or check to see what they're running isn't impacting server performance? This isn't a host issue.
  5. CyclingTribe

    CyclingTribe Well-Known Member

    Ask them what port the packets were going out on?
    Tracy Perry likes this.
  6. Da Bookie Mon

    Da Bookie Mon Well-Known Member

    Not always... In my case for example, OVH were just complete idiots claiming forum mailers as SPAM.
  7. Biker

    Biker Well-Known Member

    But email isn't sent via UDP. ;)
  8. jgas

    jgas Active Member

    So what's sent via udp?
    Guys I never had a problem like that. I also have a simple wordpress (updated) with just a couple of well known plugins installed. And updated.
  9. Biker

    Biker Well-Known Member

    If you haven't installed anything (like streaming video or games), then you'll need to work with your host to determine what the cause is and what program is causing a flood of UDP traffic to slow things down. Is this a shared server? VPS? Dedicated?
  10. jgas

    jgas Active Member

    it's a VPS hosting.
    And I didn't install anyting like video streaming or games... there are just a few old mp3s of my users, that nobody listen to anymore, because we encouraged users to upload to youtube or soundcloud....

    Now that I think about it, one html page has a simple "!contact me" script to send emails to my address. Could that be the problem?
  11. Biker

    Biker Well-Known Member

    Doubtful. Again, email doesn't use UDP packets.

    You really need to work with your provider to determine what the cause is. As it's a VPS, you should also learn how to read your security logs and keep tabs on what your server is sending out on a daily basis.
    Tracy Perry likes this.
  12. Tracy Perry

    Tracy Perry Well-Known Member

    Ask your host for the port # that they are showing.
    Once you find the port # from your host, if you have shell access, do a
    netstat -a -n -p|grep :port#
    Get the PID for what's running on that port with
    lsof -i UDP:port#
    and then check the PID with
    lsof -p PID#
    , which should tell you all related programs... that's if I remember correctly.
    Here is a link to TCP/UDP port #'s.

    jgas and CyclingTribe like this.
  13. WSWD

    WSWD Well-Known Member

    When you purchase an unmanaged VPS, that's what you should expect. If you can't manage and secure a server appropriately, you buy a managed server, or you use a 3rd party management service. It isn't the host's responsibility.

    Do you have Wordpress or Joomla anywhere on that VPS? Those are commonly hacked and will allow people to install scripts that send outbound attacks.

    It's going to be a moot point if the VPS is suspended, but if they allow you to bring it back online, try logging all the connections using iptables or such.
  14. Tracy Perry

    Tracy Perry Well-Known Member

    He said he had an "updated" WordPress - one of the reasons that for mine, I have them running on a spare VPS and not my dedicated servers. If they get trashed - oh well it's easy enough to self-provision the VPS again with the OS. :p
    If his host knows that it is excessive UDP packets, they should be able to provide him with the port that's hitting their firewall - so that will knock down some of the research he has to do.
  15. jgas

    jgas Active Member

    Thanks tracy!! I will do it!!

    By the way....

    One week after re-enabling my server, I obviously had another attack.

    The port was number 80.

    What do you think it may be about?

    By the way, I planned with the hosting company to enable the server again tomorrow at a planned hour to download the logs.

    I know how to log in via ssh and putty, but not what to write to download the logs.

    Could you please tell me the exact lines of code to paste to download the logs to my pc?

    Thanks very much =)
  16. Tracy Perry

    Tracy Perry Well-Known Member

    Port 80 is the standard HTTP port (but it should be TCP not UDP).
    If you can read the log files, you should be able to FTP them to your system itself and just use a standard editor (notepad++ on a Windows machine or just Mac's text edit) to read it.
    I just generally use SCP to retrieve a file if I need it (scp user@host:directory/SourceFile TargetFile).
    Last edited: Jun 8, 2013
    jgas likes this.
  17. Tracy Perry

    Tracy Perry Well-Known Member

    Some info on UDP port 80 and DDOS attack.


    Do you have a GOOD password for your SSH login (best to use SSH keys)?
    Do you have a GOOD backup of your forum directory? If so (and it was working fine at that time), archive up your current structure and replace it with the backup and see if the problem persists... or check your index.php to make sure that there is not any modified code in it.
    Your index.php should consist of
    $startTime = microtime(true);
    $fileDir = dirname(__FILE__);
    require($fileDir . '/library/XenForo/Autoloader.php');
    XenForo_Autoloader::getInstance()->setupAutoloader($fileDir . '/library');
    XenForo_Application::initialize($fileDir . '/library', $fileDir);
    XenForo_Application::set('page_start_time', $startTime);
    $fc = new XenForo_FrontController(new XenForo_Dependencies_Public());
    If it has more than that and you didn't add it in then you have a problem.
    BTW, you DID change your admin name for WordPress to something else, correct?
    Last edited: Jun 8, 2013
    CyclingTribe likes this.
  18. jgas

    jgas Active Member

    Actually no backup :/
    But as soon as I change hosting, I will get one.

    Now that my website is offline, only ssh is enabled.

    I tried to use the code: " scp root@host:/var/log/secure file.txt" to download the log but I'm not sure that it's correct... (in fact I got an error message...)
  19. jgas

    jgas Active Member

    solved it loggin in with filezilla!

    I got lots of

    Jun 5 19:31:04 musicadigitale-net sshd[8726]: Failed password for root from ::ffff:xxx.xx.x.x.x port 38662 ssh2

    what could it mean?
  20. Tracy Perry

    Tracy Perry Well-Known Member

    Several things... depending on what the xxx.xx.x.x.x is. If it is the IP of your ISP/computer, then it means you keep forgetting your SSH password. :p
    If it is NOT the IP of your ISP/computer, then someone is trying to hack in as root (which, if you are on VPS you should have remote logons via SSH from root disabled anyway).
    You can always check the IP's online and see where they come back to.
    Here is a sample of my auth.log
    Jun  9 20:41:22 alpha sshd[7155]: Invalid user ubnt from
    Jun  9 20:41:22 alpha sshd[7155]: input_userauth_request: invalid user ubnt [preauth]
    Jun  9 20:41:22 alpha sshd[7155]: Received disconnect from 11: Bye Bye [preauth]
    Jun  9 20:41:22 alpha sshd[7157]: Invalid user vyatta from
    Jun  9 20:41:22 alpha sshd[7157]: input_userauth_request: invalid user vyatta [preauth]
    Jun  9 20:41:22 alpha sshd[7157]: Received disconnect from 11: Bye Bye [preauth]
    Jun  9 20:41:22 alpha sshd[7159]: Invalid user pi from
    Jun  9 20:41:22 alpha sshd[7159]: input_userauth_request: invalid user pi [preauth]
    Jun  9 20:41:22 alpha sshd[7159]: Received disconnect from 11: Bye Bye [preauth]
    Jun  9 20:41:23 alpha sshd[7161]: Invalid user D-Link from
    Jun  9 20:41:23 alpha sshd[7161]: input_userauth_request: invalid user D-Link [preauth]
    Jun  9 20:41:23 alpha sshd[7161]: Received disconnect from 11: Bye Bye [preauth]
    And a successful logon using publickey's (and you DO need to research this and set it up for SSH a VPS/Dedicated server) but screwed up SU for root (forgot one letter out of the now 23 for the password)

    Jun  9 22:53:31 alpha sshd[21009]: Accepted publickey for <blanked out> from port 50871 ssh2
    Jun  9 22:53:41 alpha su[21093]: pam_unix(su:auth): authentication failure; logname=<blanked out> uid=1000 euid=0 tty=/dev/pts/2 ruser=<blanked out> rhost=  user=root
    Jun  9 22:53:44 alpha su[21093]: pam_authenticate: Authentication failure
    Jun  9 22:53:44 alpha su[21093]: FAILED su for root by <blanked out>
    Jun  9 22:53:44 alpha su[21093]: - /dev/pts/2 <blanked out>:root
    Jun  9 22:53:49 alpha su[21094]: Successful su for root by <blanked out>0
    Jun  9 22:53:49 alpha su[21094]: + /dev/pts/2 <blanked out>:root
    Jun  9 22:53:49 alpha su[21094]: pam_unix(su:session): session opened for user root by <blanked out>(uid=1000)
    Last edited: Jun 10, 2013
    CyclingTribe likes this.

Share This Page