Somewhere on my server...

Is a nasty script which does the following:

- Grabs the IP address of someone visiting my server
- Uses that IP address to attempt a brute force attack against one of many ports or services

The result is:

- apf/bfd locks that user's IP address out of the server
- server load goes very high

I tried an OS Reload and that got rid of it for a while (of course), but I'm afraid it dwells in one of my user's accounts because restoring accounts after securing the server caused the attacks to start again. The attacks seem to be increasing in intensity lately. I've been looking for this thing for months and I have no idea how to find it.

My final solution will be to do another OS Reload and simply not restore people's accounts. Before taking such a drastic step I thought I would check and see if anyone recognized this or had any more hints in how to find it.

Typical cPanel/WHM setup
Red Hat Enterprise 3
Kernel Version: 2.4.21-32.0.1.EL
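One way to hunt for a process like the one described above, written as an added example rather than anything from this thread: the script parses `netstat -antp` output, keeps only outbound connections (ephemeral local port) whose destination port is a service a brute-forcer would hammer, and flags any PID/program talking to several such targets at once. The watched port list, the threshold and the sample netstat output are my own assumptions and constructed data; the netstat column layout is the classic net-tools one shipped with RHEL 3.

```shell
#!/bin/sh
# Destination ports a brute-forcer typically targets on its victims
# (ftp, ssh, smtp, pop3, mysql). Assumed list; extend as needed.
WATCHED_PORTS="21 22 25 110 3306"

# Reads `netstat -antp` output from stdin and prints one line per outbound
# connection whose foreign port is watched and whose local port is ephemeral
# (>1023, i.e. not one of our own listening daemons):  PID/program  host:port  state
outbound_bruteforce_candidates() {
    awk -v ports="$WATCHED_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == "tcp" && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
        nl = split($4, l, ":"); lport = l[nl]
        nf = split($5, f, ":"); fport = f[nf]
        if ((fport in watch) && lport + 0 > 1023) print $7, $5, $6
    }'
}

# Groups the candidates by PID/program and prints those with at least $1
# (default 2) distinct destinations: a scanner's pattern, not a single
# legitimate outbound session such as a mail delivery.
flag_repeat_offenders() {
    threshold="${1:-2}"
    outbound_bruteforce_candidates | awk -v t="$threshold" '
    { if (!(seen[$1 SUBSEP $2]++)) count[$1]++ }
    END { for (k in count) if (count[k] >= t) print k, count[k] }' | sort
}

# Once a PID is flagged, show which account owns it, when it started,
# and where it lives on disk (cwd/exe), which points at the infected account.
describe_pid() {
    ps -o user=,lstart=,args= -p "$1"
    readlink "/proc/$1/cwd" "/proc/$1/exe" 2>/dev/null
}

# Constructed sample in `netstat -antp` format, standing in for the live box.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 4567/sshd
tcp        0      0 192.0.2.10:43211        198.51.100.7:22         SYN_SENT    8901/perl
tcp        0      0 192.0.2.10:43212        198.51.100.7:21         ESTABLISHED 8901/perl
tcp        0      0 192.0.2.10:43213        203.0.113.5:110         SYN_SENT    8902/perl
tcp        0      0 192.0.2.10:43300        203.0.113.9:25          ESTABLISHED 3001/exim
tcp        0      0 192.0.2.10:43301        203.0.113.9:25          TIME_WAIT   -
EOF
)
printf '%s\n' "$SAMPLE_NETSTAT" | flag_repeat_offenders 2
```

On the live server run `netstat -antp | flag_repeat_offenders` a few times while the load is high, then `describe_pid <pid>` on each hit; the owning user and the cwd/exe path identify which restored account carries the script.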
