So I got an abuse complaint for one of my dedicated servers, running Debian 6.0. Sure enough, sometimes 'top' shows '/usr/bin/host' using a lot of CPU for no apparent reason, and netstat shows the 'host' process doing a lot of HTTP requests. After a while, my syslog even says "nf_conntrack: table full, dropping packet.", which I assume has something to do with this matter.

I have verified the executable '/usr/bin/host' using debsums, and it seems to be fine, too. The server as such is 100% updated, too.

So I am guessing something is somehow calling my 'host' executable and coercing it to do HTTP requests for some DDoS. I could of course simply hack together a script to 'killall host' as soon as this is happening, but I would really like to know where the problem originates from.

I am checking the Apache logs for interesting entries around the time that 'host' is starting to do its requests, but haven't found anything yet.

Anyone have a recommendation on what else to do? How can I see who and what called 'host'? Google didn't turn up any examples of '/usr/bin/host' being abused, at all!
Should show you the user running the process and the full command line. You might find more info with

This will show you any of the process's open files, including libraries, terminals, etc.

Also check out the files in /proc/pid. (/proc/pid/environ, /proc/pid/cmdline, /proc/pid/status):

But if you suspect some malicious hanky-panky, you can't really trust any of these things. I'd be backing up important data and verifying its integrity. If you REALLY don't want to wipe the drive then at least take it offline to dd the disk for analysis, or use a liveCD to mount it and check md5s, run scans, etc.