/usr/bin/host being used in HTTP DDoS on Debian? [duplicate]

So I got an abuse complaint for one of my dedicated servers, running Debian 6.0

Sure enough, sometimes, top shows /usr/bin/host using a lot of CPU for no apparent reason, and netstat shows process host doing a lot of HTTP requests.

After a while, my syslog even says nf_conntrack: table full, dropping packet., which I assume has something to do with this matter.

I have verified the executable /usr/bin/host using debsums, and it seems to be fine, too. The server as such is 100% updated, too.

So I am guessing something is somehow calling my host executable and coercing it to do HTTP requests for some DDoS.

I could of course simply hack together a script to killall host as soon as this is happening, but I would really like to know where the problem originates from.

I am checking the Apache logs for interesting entries around the time that host is starting to do its requests, but haven't found anything yet.

Anyone have a recommendation on what else to do? How can I see who and what called 'host'? Google didn't show up any examples of /usr/bin/host being abused, at all!


Solution 1:

ps aux

Should show you the user running the process and the full command line. You might find more info with

lsof | grep pid

This will show you any of the process's open files, including libraries, terminals, etc.

Also check out the files in /proc/pid. (/proc/pid/environ, /proc/pid/cmdline, /proc/pid/status):

man proc

But if you suspect some malicious hanky-panky, you can't really trust any of these things. I'd be backing up important data and verifying its integrity. If you REALLY don't want to wipe the drive then at least take it offline to dd the disk for analysis, or use a liveCD to mount it and check md5s, run scans, etc.
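The ps/lsof//proc steps above, as an added shell example that is not part of the original answer: it walks the parent chain of each running host process so you can see what spawned it, then dumps the /proc facts the answer names. Assumes a Linux /proc and the pidof command; run as root so other users' environ and fd entries are readable.

```shell
#!/bin/sh
# Added example: answer "who called host?" by reading /proc directly,
# which works even when the process is short-lived or ps output is terse.

# Print "pid ppid uid comm" for one pid, taken from /proc/<pid>/status.
proc_info() {
    [ -r "/proc/$1/status" ] || return 1
    awk -v pid="$1" '
        /^PPid:/ { ppid = $2 }
        /^Uid:/  { uid  = $2 }   # first field is the real uid
        /^Name:/ { comm = $2 }
        END { printf "%s %s %s %s\n", pid, ppid, uid, comm }
    ' "/proc/$1/status"
}

# Walk from a pid up to init, one line per ancestor (pid ppid uid comm).
# The first line is the process itself; the second is what spawned it,
# e.g. a cron job, a CGI wrapper, or an interpreter running a dropped script.
proc_ancestry() {
    ap=$1
    while [ "$ap" -gt 0 ]; do
        line=$(proc_info "$ap") || break
        printf '%s\n' "$line"
        ap=${line#* }; ap=${ap%% *}        # second field = ppid
    done
}

# Full triage of one pid: ancestry, cmdline, cwd, exe, environment, open files.
proc_triage() {
    tp=$1
    echo "== ancestry (pid ppid uid comm) =="; proc_ancestry "$tp"
    echo "== cmdline ==";  tr '\0' ' ' < "/proc/$tp/cmdline"; echo
    echo "== cwd / exe =="; readlink "/proc/$tp/cwd"; readlink "/proc/$tp/exe"
    echo "== environ ==";  tr '\0' '\n' < "/proc/$tp/environ"
    echo "== open files (sockets show as socket:[inode]) =="
    ls -l "/proc/$tp/fd"
}

# Triage every running instance of a command name, e.g. triage_by_name host.
# Output is easiest to keep if redirected to a file off the box for later review.
triage_by_name() {
    for p in $(pidof "$1"); do proc_triage "$p"; done
}
```

Because the process is transient, loop this from a second terminal (e.g. `while :; do triage_by_name host; sleep 1; done`) and keep the capture; the parent pid and cwd in the first lines usually identify the script or cron entry doing the calling.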