high number of outbound UDP packets originating from your server: disabled

jgas

Hi, I got my server disabled.
Here I attached the ticket from my hosting... can it be connected with XenForo?
I'm using version 1.1.2. If I upgrade, can I fix the problem?
I'm contacting you to advise of activity that has occurred this evening that has required us to intervene and disable your server.

At approximately 1930 this evening we detected intermittent connectivity indicative of packet loss on the firewall that began to interrupt services to other customers. On investigation the source of this interruption was found to be a high number of outbound UDP packets originating from your server's IP address.

As a result of this activity we have had no choice but to shut down this server until such time as further investigation can be carried out. Please let us know when you are ready to proceed with this and we will make arrangements to have the machine re-enabled for debugging purposes.

If you have any queries regarding this please don't hesitate to get in touch.
 
What else are you running on the server other than XenForo. Because the cause of you getting shut down wasn't because of the forum software.

Streaming video and games would definitely cause something like this.
 
Why do forum owners rent server space without knowing the basics or check to see what they're running isn't impacting server performance? This isn't a host issue.
 

Not always... In my case for example, OVH were just complete idiots claiming forum mailers as SPAM.
 
So what's sent via udp?
Guys I never had a problem like that. I also have a simple wordpress (updated) with just a couple of well known plugins installed. And updated.
 

If you haven't installed anything (like streaming video or games), then you'll need to work with your host to determine what the cause is and what program is causing a flood of UDP traffic to slow things down. Is this a shared server? VPS? Dedicated?
 
it's a VPS hosting.
And I didn't install anything like video streaming or games... there are just a few old mp3s of my users, that nobody listens to anymore, because we encouraged users to upload to YouTube or SoundCloud....

Now that I think about it, one html page has a simple "!contact me" script to send emails to my address. Could that be the problem?
 
Doubtful. Again, email doesn't use UDP packets.

You really need to work with your provider to determine what the cause is. As it's a VPS, you should also learn how to read your security logs and keep tabs on what your server is sending out on a daily basis.
 

Ask your host for the port # that they are showing.
Once you find the port # from your host, if you have shell access, do a
Code:
netstat -a -n -p|grep :port#
.
Get the PID for what's running on that port with
Code:
lsof -i UDP:port#
and then check the PID with
Code:
lsof -p PID#
, which should tell you all related programs... that's if I remember correctly.
Here is a link to TCP/UDP port #'s.

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
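The netstat/lsof steps above depend on those tools being installed and on the socket still being open when you look. The following is an added example, not code from this thread or from XenForo, that does the same lookup from the kernel's own tables: it parses /proc/net/udp (local and remote address in hex, socket owner uid and inode), filters on a port, and walks /proc/<pid>/fd to find which process holds that socket inode. The sample /proc/net/udp text is constructed for illustration (a DNS socket on 127.0.0.1:53 and a uid 33 socket talking to 12.12.12.12 on UDP port 80, the port mentioned later in the thread); the hex decoding assumes a little-endian host, which is what x86 VPSes are.

```python
"""Map UDP sockets to their owning process by reading /proc directly (Linux only).

Added example; not part of the forum thread or of XenForo.
"""
import os
import socket
import struct
import sys
from collections import namedtuple

UdpSocket = namedtuple("UdpSocket", "local_ip local_port remote_ip remote_port uid inode")

# Constructed sample of /proc/net/udp: a DNS resolver socket and a socket owned by
# uid 33 (www-data on Debian-style systems) sending to 12.12.12.12 on UDP port 80.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 18231 2 0000000000000000 0
  240: 0F02000A:D431 0C0C0C0C:0050 01 00000000:00000000 00:00000000 00000000    33        0 40111 2 0000000000000000 0
"""


def _decode_addr(hex_addr):
    """Turn '0100007F:0035' into ('127.0.0.1', 53).

    The kernel prints the IPv4 address in host byte order, so on a little-endian
    host (assumed here) the hex bytes are reversed relative to dotted-quad order.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_udp(text):
    """Parse the text of /proc/net/udp into UdpSocket records (header line skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = _decode_addr(fields[1])
        remote_ip, remote_port = _decode_addr(fields[2])
        sockets.append(UdpSocket(local_ip, local_port, remote_ip, remote_port,
                                 int(fields[7]), int(fields[9])))
    return sockets


def sockets_on_port(sockets, port):
    """Sockets bound to, or currently sending to, the given UDP port."""
    return [s for s in sockets if s.local_port == port or s.remote_port == port]


def pid_for_inode(inode, proc_root="/proc"):
    """Find the PID whose fd table holds 'socket:[<inode>]'.

    Reading other users' fd directories needs root; unreadable ones are skipped.
    """
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == target:
                        return int(pid)
                except OSError:
                    continue
        except OSError:
            continue
    return None


def process_cmdline(pid, proc_root="/proc"):
    """Command line of a process, arguments separated by spaces."""
    with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
        return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()


if __name__ == "__main__":
    # Usage: sudo python3 udp_owner.py 80   (reads the live /proc/net/udp)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    with open("/proc/net/udp") as fh:
        live = parse_proc_net_udp(fh.read())
    for sock in sockets_on_port(live, port):
        pid = pid_for_inode(sock.inode)
        owner = "pid %d: %s" % (pid, process_cmdline(pid)) if pid else "owner not visible (run as root)"
        print("%s:%d -> %s:%d uid=%d inode=%d  %s" % (sock.local_ip, sock.local_port,
              sock.remote_ip, sock.remote_port, sock.uid, sock.inode, owner))
```

Run it as root while the flood is in progress; a socket owned by the web server's uid with a remote port it has no business talking to is the usual sign that a PHP script dropped into WordPress or the forum is doing the sending, and the cmdline then tells you which one.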
 
Why are all hosts super crazy unhelpful?

When you purchase an unmanaged VPS, that's what you should expect. If you can't manage and secure a server appropriately, you buy a managed server, or you use a 3rd party management service. It isn't the host's responsibility.

Do you have Wordpress or Joomla anywhere on that VPS? Those are commonly hacked and will allow people to install scripts that send outbound attacks.

It's going to be a moot point if the VPS is suspended, but if they allow you to bring it back online, try logging all the connections using iptables or such.
 
He said he had an "updated" WordPress - one of the reasons that for mine, I have them running on a spare VPS and not my dedicated servers. If they get trashed - oh well it's easy enough to self-provision the VPS again with the OS. :p
If his host knows that it is excessive UDP packets, they should be able to provide him with the port that's hitting their firewall - so that will knock down some of the research he has to do.
 
Thanks tracy!! I will do it!!

By the way....

One week after re-enabling my server, I obviously had another attack.

The port was number 80.

What do you think it may be about?

By the way, I planned with the hosting company to enable the server again tomorrow at a planned hour to download the logs.

I know how to log in via ssh and putty, but not what to write to download the logs.

Could you please tell me the exact lines of code to paste to download the logs to my pc?

Thanks very much =)
 

Port 80 is the standard HTTP port (but it should be TCP not UDP).
If you can read the log files, you should be able to FTP them to your system itself and just use a standard editor (notepad++ on a Windows machine or just Mac's text edit) to read it.
I just generally use SCP to retrieve a file if I need it (scp user@host:directory/SourceFile TargetFile).
 
Some info on UDP port 80 and DDOS attack.

http://seclists.org/nanog/2012/Feb/277
http://mailman.nanog.org/pipermail/nanog/2012-February/045024.html
http://www.linuxforums.org/forum/security/188550-ddos-my-server-2nd-time.html

Do you have a GOOD password for your SSH login (best to use SSH keys)?
Do you have a GOOD backup of your forum directory? If so (and it was working fine at that time), archive up your current structure and replace it with the backup and see if the problem persists... or check your index.php to make sure that there is not any modified code in it.
Your index.php should consist of
Code:
<?php

$startTime = microtime(true);
$fileDir = dirname(__FILE__);
require($fileDir . '/library/XenForo/Autoloader.php');
XenForo_Autoloader::getInstance()->setupAutoloader($fileDir . '/library');
XenForo_Application::initialize($fileDir . '/library', $fileDir);
XenForo_Application::set('page_start_time', $startTime);
$fc = new XenForo_FrontController(new XenForo_Dependencies_Public());
$fc->run();
If it has more than that and you didn't add it in then you have a problem.
BTW, you DID change your admin name for WordPress to something else, correct?
 
Actually no backup :/
But as soon as I change hosting, I will get one.

Now that my website is offline, only ssh is enabled.

I tried to use the code: " scp root@host:/var/log/secure file.txt" to download the log but I'm not sure that it's correct... (in fact I got an error message...)
 
Solved it, logging in with FileZilla!

I got lots of

Jun 5 19:31:04 musicadigitale-net sshd[8726]: Failed password for root from ::ffff:xxx.xx.x.x.x port 38662 ssh2


what could it mean?
 

Several things... depending on what the xxx.xx.x.x.x is. If it is the IP of your ISP/computer, then it means you keep forgetting your SSH password. :p
If it is NOT the IP of your ISP/computer, then someone is trying to hack in as root (which, if you are on VPS you should have remote logons via SSH from root disabled anyway).
You can always check the IP's online and see where they come back to.
Here is a sample of my auth.log
Code:
Jun  9 20:41:22 alpha sshd[7155]: Invalid user ubnt from 67.205.67.135
Jun  9 20:41:22 alpha sshd[7155]: input_userauth_request: invalid user ubnt [preauth]
Jun  9 20:41:22 alpha sshd[7155]: Received disconnect from 67.205.67.135: 11: Bye Bye [preauth]
Jun  9 20:41:22 alpha sshd[7157]: Invalid user vyatta from 67.205.67.135
Jun  9 20:41:22 alpha sshd[7157]: input_userauth_request: invalid user vyatta [preauth]
Jun  9 20:41:22 alpha sshd[7157]: Received disconnect from 67.205.67.135: 11: Bye Bye [preauth]
Jun  9 20:41:22 alpha sshd[7159]: Invalid user pi from 67.205.67.135
Jun  9 20:41:22 alpha sshd[7159]: input_userauth_request: invalid user pi [preauth]
Jun  9 20:41:22 alpha sshd[7159]: Received disconnect from 67.205.67.135: 11: Bye Bye [preauth]
Jun  9 20:41:23 alpha sshd[7161]: Invalid user D-Link from 67.205.67.135
Jun  9 20:41:23 alpha sshd[7161]: input_userauth_request: invalid user D-Link [preauth]
Jun  9 20:41:23 alpha sshd[7161]: Received disconnect from 67.205.67.135: 11: Bye Bye [preauth]

And a successful logon using public keys (and you DO need to research this and set it up for SSH on a VPS/dedicated server) but a screwed-up SU for root (forgot one letter out of the now 23 for the password)

Code:
Jun  9 22:53:31 alpha sshd[21009]: Accepted publickey for <blanked out> from 124.249.169.204 port 50871 ssh2
Jun  9 22:53:41 alpha su[21093]: pam_unix(su:auth): authentication failure; logname=<blanked out> uid=1000 euid=0 tty=/dev/pts/2 ruser=<blanked out> rhost=  user=root
Jun  9 22:53:44 alpha su[21093]: pam_authenticate: Authentication failure
Jun  9 22:53:44 alpha su[21093]: FAILED su for root by <blanked out>
Jun  9 22:53:44 alpha su[21093]: - /dev/pts/2 <blanked out>:root
Jun  9 22:53:49 alpha su[21094]: Successful su for root by <blanked out>0
Jun  9 22:53:49 alpha su[21094]: + /dev/pts/2 <blanked out>:root
Jun  9 22:53:49 alpha su[21094]: pam_unix(su:session): session opened for user root by <blanked out>(uid=1000)
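Reading auth.log by eye works for a dozen lines but not for a week of them. The script below is an added example, not code from this thread, that does what Tracy describes: it parses the sshd "Failed password", "Invalid user" and "Accepted" lines, counts failures per source address (normalising the "::ffff:" prefix seen in the original poster's line), lists the usernames each source tried, and then reports the one event that really matters, a successful login from an address that had been failing repeatedly. The sample log is constructed: the 67.205.67.135 lines are the ones quoted above, the 203.0.113.7 and 198.51.100.4 lines (documentation addresses) and the user name "alice" are made up for the example, and the threshold of 3 failures is an arbitrary choice.

```python
"""Summarise sshd authentication events from auth.log / secure.

Added example; not part of the forum thread.
"""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass, field

# Message formats as sshd writes them (the Invalid user / Failed password /
# Accepted lines quoted in the thread).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

# Constructed sample: the first block is from the thread, the rest is made up.
SAMPLE_LOG = """\
Jun  9 20:41:22 alpha sshd[7155]: Invalid user ubnt from 67.205.67.135
Jun  9 20:41:22 alpha sshd[7155]: input_userauth_request: invalid user ubnt [preauth]
Jun  9 20:41:22 alpha sshd[7155]: Received disconnect from 67.205.67.135: 11: Bye Bye [preauth]
Jun  9 20:41:22 alpha sshd[7157]: Invalid user vyatta from 67.205.67.135
Jun  9 20:41:22 alpha sshd[7159]: Invalid user pi from 67.205.67.135
Jun  9 20:41:23 alpha sshd[7161]: Invalid user D-Link from 67.205.67.135
Jun  5 19:31:04 musicadigitale-net sshd[8726]: Failed password for root from ::ffff:203.0.113.7 port 38662 ssh2
Jun  5 19:31:07 musicadigitale-net sshd[8726]: Failed password for root from ::ffff:203.0.113.7 port 38662 ssh2
Jun  5 19:31:10 musicadigitale-net sshd[8731]: Failed password for invalid user admin from ::ffff:203.0.113.7 port 38690 ssh2
Jun  5 19:31:15 musicadigitale-net sshd[8740]: Accepted password for root from ::ffff:203.0.113.7 port 38712 ssh2
Jun  9 22:53:31 alpha sshd[21009]: Accepted publickey for alice from 198.51.100.4 port 50871 ssh2
"""


@dataclass
class SourceStats:
    failures: int = 0
    users: set = field(default_factory=set)        # usernames attempted
    accepted: list = field(default_factory=list)   # (method, user) pairs that succeeded


def normalize_ip(ip):
    """sshd logs IPv4 clients as IPv4-mapped IPv6 on some builds ('::ffff:a.b.c.d')."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def summarize(lines):
    """Per-source counts of failed attempts, usernames tried and accepted logins."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if m:
            user, ip = m.group(1), normalize_ip(m.group(2))
            stats[ip].failures += 1
            stats[ip].users.add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.group(1), m.group(2), normalize_ip(m.group(3))
            stats[ip].accepted.append((method, user))
    return dict(stats)


def brute_force_sources(stats, threshold=3):
    """Addresses with at least `threshold` failed attempts, sorted for stable output."""
    return sorted(ip for ip, s in stats.items() if s.failures >= threshold)


def suspicious_logins(stats, threshold=3):
    """Successful logins from an address that was also guessing: the event to act on."""
    return [(ip, user, method)
            for ip in brute_force_sources(stats, threshold)
            for method, user in stats[ip].accepted]


if __name__ == "__main__":
    # Usage: python3 ssh_auth_report.py /var/log/auth.log   (or /var/log/secure)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    stats = summarize(lines)
    for ip in brute_force_sources(stats):
        s = stats[ip]
        print("%-16s %3d failures, users tried: %s" % (ip, s.failures, ", ".join(sorted(s.users))))
    for ip, user, method in suspicious_logins(stats):
        print("ALERT: %s logged in as %s via %s after repeated failures" % (ip, user, method))
```

The "users tried" list is itself a useful signal: ubnt, vyatta, pi and D-Link are router and appliance defaults, which marks the source as an automated scanner rather than somebody who forgot their password. A root login accepted by password from an address that was just guessing is the case where disabling password authentication for root, as recommended above, would have stopped the story here.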
 