ThuyDX


Intrusion detection: SipVicious attack

1. The symptom.

Observation of network traffic showed that a server was sending a large number of UDP SIP packets to a foreign destination. This UDP flooding consumed bandwidth and raised an alarm once services became slower than usual. Tools such as tcpdump… can be used to observe the network traffic.

2. Find out which process sends the packets.
TODO:

‘top’ showed an active process named httpd :-). It could easily be overlooked, because this is a web server. ‘ps aux | grep httpd’ showed the full command line of the trojan ‘httpd’. A better way to trace all connections is to use ‘lsof’.
top, lsof …
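As an added example (not code from the original post), here is a small Python script that automates the lsof check described above: it parses `lsof -i -n -P` output and flags sockets whose peer is a SIP port, as well as UDP sockets held by a process that claims to be a web server. The lsof listing, addresses and process names below are constructed for illustration.

```python
import re

# Constructed sample of `lsof -i -n -P` output for illustration; not data from the post.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1234   root    4u  IPv4  11111      0t0  TCP *:80 (LISTEN)
httpd    4321 apache    5u  IPv4  12345      0t0  UDP 10.0.0.5:45678->203.0.113.9:5060
named     999   bind   20u  IPv4   9999      0t0  UDP 10.0.0.5:53
sshd      777   root    3u  IPv4   7777      0t0  TCP 10.0.0.5:22->198.51.100.2:50022 (ESTABLISHED)
"""

SIP_PORTS = {5060, 5061}
NAME_RE = re.compile(r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?$")


def parse_lsof(text):
    """Turn an lsof listing into dicts. The NAME column is last and may contain
    spaces (e.g. '(LISTEN)'), so each line is split into at most 9 fields."""
    rows = []
    for line in text.splitlines()[1:]:      # first line is the header
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue                        # malformed or truncated line
        cmd, pid, user, _fd, _typ, _dev, _size, node, name = parts
        rows.append({"command": cmd, "pid": pid, "user": user,
                     "node": node, "name": name})
    return rows


def remote_port(name):
    """Peer port from 'local->remote (STATE)', or None for unconnected sockets."""
    m = NAME_RE.match(name.split(" (")[0])
    if not m or not m.group("remote"):
        return None
    return int(m.group("remote").rsplit(":", 1)[1])


def suspicious_sockets(rows, no_udp_commands=("httpd", "apache2", "nginx")):
    """Flag sockets whose peer is a SIP port, and UDP sockets owned by a process
    that has no business using UDP (a 'web server' sending UDP is the disguise above)."""
    flagged = []
    for r in rows:
        reasons = []
        port = remote_port(r["name"])
        if port in SIP_PORTS:
            reasons.append("peer on SIP port %d" % port)
        if r["node"] == "UDP" and r["command"] in no_udp_commands:
            reasons.append("web server process holding a UDP socket")
        if reasons:
            flagged.append(dict(r, reasons=reasons))
    return flagged
```

On a live host, feed the output of `lsof -i -n -P` to `parse_lsof` and print each hit's command, PID and NAME to get the candidate processes for the `ps aux` step.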

3.