ThuyDX
Intrusion detection: SIPVicious attack
March 25, 2011
1. The symptom.
Observation of network traffic showed that a server was sending a large number of UDP SIP packets to a foreign destination. This UDP flooding consumed bandwidth and raised an alarm when services became slower than usual. Tools such as tcpdump… can be used to observe the network traffic.
2. Find out which process sends the packets.
TODO:
‘top’ showed an active process named httpd :-). It could easily be overlooked, because this is a web server. ‘ps aux | grep httpd’ showed the full command line of the trojan ‘httpd’. A better way to trace all connections is to use ‘lsof’.
top, lsof …
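The two steps above (spot the outbound SIP flood, then tie it to a process) can be joined into one check built on lsof. The script below is an added example, not part of the original post: it parses `lsof -nP -i UDP` output and reports every process holding several UDP sockets connected to a remote SIP port. The sample lsof lines, the hostile address 203.0.113.9 and the PID 4321 are constructed so the script runs offline; on a live host you would pipe real lsof output into the same function.

```shell
#!/bin/sh
# Added example (not from the original post): find processes that hold many
# UDP sockets connected to a remote SIP port (5060) in `lsof` output.
# Live use on the suspect server:
#     lsof -nP -i UDP | find_sip_senders 5060 2
# Then inspect the flagged PID, e.g. `ls -l /proc/4321/exe` and
# `ps -o pid,ppid,user,etime,args -p 4321`, to see whether the binary really
# is the system httpd or something dropped in its place.

# Constructed sample of `lsof -nP -i UDP` output: a rogue "httpd" talking SIP
# to foreign hosts next to a legitimate stub resolver and an NTP daemon.
SAMPLE_LSOF='COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     4321 www-data   5u  IPv4  90011      0t0  UDP 10.0.0.5:40123->203.0.113.9:5060
httpd     4321 www-data   6u  IPv4  90012      0t0  UDP 10.0.0.5:40124->203.0.113.9:5060
httpd     4321 www-data   7u  IPv4  90013      0t0  UDP 10.0.0.5:40125->203.0.113.10:5060
systemd-r  812 systemd-resolve 12u IPv4  30001  0t0  UDP 127.0.0.53:53
ntpd       901      ntp  16u  IPv4  30002      0t0  UDP 10.0.0.5:123->192.0.2.7:123'

# find_sip_senders PORT MIN_SOCKETS
# Reads lsof lines on stdin and prints "COMMAND PID COUNT" for each process
# with at least MIN_SOCKETS UDP sockets connected to remote port PORT.
find_sip_senders() {
    port=${1:-5060}
    min=${2:-1}
    awk -v port="$port" -v min="$min" '
        NR == 1 { next }                      # skip the lsof header line
        $NF ~ ("->.*:" port "$") {            # NAME ends in ->host:PORT
            key = $1 " " $2                   # command name and PID
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print k, count[k]
        }' | sort
}

# Stand-alone run over the constructed sample (expected: "httpd 4321 3").
printf '%s\n' "$SAMPLE_LSOF" | find_sip_senders 5060 2
```

The threshold argument matters: a legitimate SIP client may hold one or two connected sockets, while a flooder opens a socket per target or per burst, so a low count on a host that should not speak SIP at all is already worth a look. Note that `lsof` only shows sockets that still exist; a process that opens, sends and closes a socket for every packet is better caught with `tcpdump` plus a later `ss -unp`/`lsof` sample taken while the flood is active.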
3.