udp attack

[Raied@]

Hello

Recently We have received mails from a hosting company that one of our server is sending udp attach and this is the message:

This is an automatic message that will not be sent anymore when the event below ceases.
We detected an attack to our network that come from an IP owned by your ASN.
The IP off your network *.*.*.* was infected and are sending attack to our network
(*.*.*.*). Follow below our logs that you can take proper actions.

how can I be sure that is true and if it is ... how can i detect who is sending this attack from our hosting server.

any help will be appreciated..

Thanks

 

[dynamicnet]

Greetings:

Please check the server for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron Please use "ls -lab" for checking directories as sometimes compromised servers will have hidden files that a regular "ls" will not show.

Please also check the process tree (ps -efl or ps -auwx) for suspicious processes; often times the malware / hack pretends to be an Apache process.

Clam Anti-virus, clamscan, can also be used to find commonly used PHP and Perl-based hacks, including various php shells, on a server using the --infected and --recursive options.

You may also want to check out using root kit detection tools - http://www.chkrootkit.org/, http://www.rootkit.nl/, and http:// http://www.ossec.net/en/rootcheck.html as tools which should be used in addition to checking the directories and process tree.

http://forums.theplanet.com/index.php?showtopic=59486 is also a good source for learning about investigating a compromised server.

Thank you.

 

[atomicturtle]

I've started some basic procedures here as well:

http://www.atomicorp.com/wiki/index.php/Compromised_System