Hi,
I recently noticed that my wireless router was acting weird every day. If I bounced it, it was fine for a couple of minutes and then things got worse: nobody seemed to be able to connect to it, and if they could, the internet was slow.
This went on for 2 days, then out of desperation I disconnected the Ubuntu server (Apache 2.2) connected via Gigabit cable. Strangely, things started to look normal. I then looked at the router log and there were tons of accesses from various IPs around the world to my web server. Apparently the router cannot handle such traffic.
Also, I remember that on the day this DDoS occurred, when I ssh'ed to the server, it said the host had changed and warned of a possible man-in-the-middle attack. When I looked at the log /var/log/auth.log, there were tons of failed attempts to su from the www-data user. At this point I thought I was f*cked. So I decided to take down the server until I knew what the hell was going on.
Is there anybody interested in helping me answer these questions:
- What happened to my server? How could its SSH key or settings have changed?
- What could be done to get rid of the DDoS?
I have everything on my server for forensics!
This is just my personal server anyway, nothing important.
Thanks in advance.
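Added example, not part of the original post: a small script that pulls the failed su attempts the poster describes out of auth.log lines and counts them per originating user. The log lines below are constructed for illustration, not taken from the poster's server, and the two message formats matched (the shadow-utils style "FAILED su for root by www-data" and the util-linux style "FAILED SU (to root) www-data on /dev/pts/0") are assumed to be the ones an Ubuntu su writes; the pam_unix "authentication failure" line that accompanies each attempt is deliberately not counted so attempts are not double-counted.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (illustrative only; not from the poster's host).
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:04 homebox sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Mar  3 02:14:31 homebox su[2210]: FAILED su for root by www-data
Mar  3 02:14:31 homebox su[2210]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost=  user=root
Mar  3 02:14:33 homebox su[2213]: FAILED su for root by www-data
Mar  3 02:14:35 homebox su[2215]: FAILED SU (to root) www-data on /dev/pts/0
Mar  3 02:15:02 homebox su[2220]: Successful su for root by alice
Mar  3 02:16:40 homebox su[2231]: FAILED su for root by www-data
"""

# Assumed message formats: shadow-utils style ("FAILED su for <target> by <user>")
# and util-linux style ("FAILED SU (to <target>) <user> on <tty>").
FAILED_SU_SHADOW = re.compile(r"su\[\d+\]: FAILED su for (?P<target>\S+) by (?P<user>\S+)")
FAILED_SU_UTIL = re.compile(r"su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on ")


def parse_failed_su(lines):
    """Yield (user, target) for every failed su attempt found in auth.log lines."""
    for line in lines:
        m = FAILED_SU_SHADOW.search(line) or FAILED_SU_UTIL.search(line)
        if m:
            yield m.group("user"), m.group("target")


def failed_su_by_user(text):
    """Count failed su attempts per originating user across a block of log text."""
    return Counter(user for user, _target in parse_failed_su(text.splitlines()))


def suspicious_service_accounts(text, service_accounts=("www-data",), threshold=1):
    """Return {account: count} for service accounts whose failed su attempts
    reach the threshold. A web-server account has no business running su at
    all, so the default threshold of 1 flags even a single attempt; the
    parameter only lets a caller relax that."""
    counts = failed_su_by_user(text)
    return {u: counts[u] for u in service_accounts if counts[u] >= threshold}


if __name__ == "__main__":
    # Usage: python3 check_su.py < /var/log/auth.log  (reads stdin if piped)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUTH_LOG
    for user, n in failed_su_by_user(data).most_common():
        print(f"{n:5d} failed su attempts by {user}")
    flagged = suspicious_service_accounts(data)
    if flagged:
        print("service accounts attempting su (investigate the web app):", flagged)
```

Seeing www-data in this output points at the web application rather than at SSH: something running under the Apache user was trying to become root, which is what you would expect from a web shell or an exploited script, and the successful entries from the real user (alice above) are the baseline to compare against.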