Ubuntu Server attack? how to solve?

Posted by saky on Server Fault See other posts from Server Fault or by saky
Published on 2010-06-03T15:14:14Z Indexed on 2010/06/03 15:26 UTC
Read the original article Hit count: 344

Filed under:
|
|
|
|

Hello,

Something (Someone) is sending out UDP packets sent from our whole ip range. This seems to be multicast DNS.

Our server host provided this (Our IP Address is masked with XX):

Jun 3 11:02:13 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53
Jun 3 11:02:23 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53
Jun 3 11:02:32 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53
Jun 3 11:02:35 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53

I checked my /var/log/auth.log file and found out that someone from China (Using ip-locator) was trying to get in to the server using ssh.

...
Jun  3 11:32:00 server2 sshd[28511]: Failed password for root from 202.100.108.25 port 39047 ssh2
Jun  3 11:32:08 server2 sshd[28514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.100.108.25  user=root
Jun  3 11:32:09 server2 sshd[28514]: Failed password for root from 202.100.108.25 port 39756 ssh2
Jun  3 11:32:16 server2 sshd[28516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.100.108.25  user=root
...

I have blocked that IP address using this command: sudo iptables -A INPUT -s 202.100.108.25 -j DROP

However, I have no clue about the UDP multicasting, what is doing this? who is doing it? and how I can stop it?

Anyone know?

© Server Fault or respective owner

Related posts about security

Related posts about ubuntu-server