I got a phone call earlier today from Bytemark, who host a VPS server for me. I’ve had this box with them for a couple of years, and it’s been good.
However, it seems some idiot script-kiddie has used a vulnerability in some webapp to download and run a Perl script named udp.pl to do a UDP DoS against another server (something IRC related).
This had been happening since late Friday evening, and the excess bandwidth charge came to over £80 :( Now I don’t blame Bytemark for charging me really, they’ll be charged for the traffic so they have to pass it on – I blame the bastard who was abusing my server, and myself for (a) not having kept up to date enough, and (b) not noticing quicker (if I’d looked at my mrtg traffic graphs over the weekend I’d have instantly seen that something was amiss).
I’ve not been able to find any evidence as to how the attack came in, but I suspect it may have been WordPress – I hadn’t upgraded from 2.1.2, and apparently there was a remote code exploit in PHPMailer, which WP used, so WP was vulnerable to it. Other possibilities are Dokuwiki (which I’ve updated to latest version) and Gallery, which I’ve deleted.
On the plus side, I’m pretty sure they didn’t get actual access to the box beyond running their flooding script, although I’m still nervous trusting it, so I think I’ll have to move everything off it ASAP anyway.
In the meantime it’s behaving itself. Really not a good day today – slept through my alarm somehow and woke way, way late for work, then have this shite to deal with this evening… bah, hope tomorrow is better!
Lesson learned: make much more effort to stay up to date with all software; keep a much closer eye on the system; install Tripwire or similar; be more vigilant.
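As an added illustration of the "install Tripwire or similar" point, here is a small file-integrity baseline checker in the Tripwire spirit. It is example code written for this post, not Tripwire itself and not the author's own setup. It records a SHA-256 hash and size for every file under a web root, then reports files that have appeared, vanished or changed since the baseline was taken, which is exactly how a dropped script like udp.pl or an edited PHP file would have shown up. The paths and contents in DEMO_BEFORE and DEMO_AFTER are constructed for the demo.

```python
"""Minimal Tripwire-style file-integrity check (added example, not the original post's code)."""
import argparse
import hashlib
import json
import os
import sys


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_from_files(files: dict) -> dict:
    """Build a baseline from an in-memory {relative_path: bytes} mapping."""
    return {p: {"sha256": sha256_bytes(d), "size": len(d)} for p, d in files.items()}


def baseline_from_dir(root: str) -> dict:
    """Build a baseline by walking a real directory (e.g. a web root)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            out[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return out


def diff_baselines(old: dict, new: dict) -> dict:
    """Report what appeared, disappeared, or changed content between two baselines."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in old if p in new and old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed sample web root: a clean snapshot, then the same tree after an intrusion
# that edited one theme file and dropped a script into the uploads directory.
DEMO_BEFORE = {
    "index.php": b"<?php require 'wp-blog-header.php';\n",
    "wp-content/themes/default/footer.php": b"<?php wp_footer(); ?>\n",
    "wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub",
}
DEMO_AFTER = dict(DEMO_BEFORE)
DEMO_AFTER["wp-content/themes/default/footer.php"] = b"<?php wp_footer(); /* unexplained edit */ ?>\n"
DEMO_AFTER["wp-content/uploads/udp.pl"] = b"#!/usr/bin/perl\n# placeholder: contents irrelevant to the integrity check\n"


def demo() -> dict:
    """Compare the two constructed snapshots; returns the diff report."""
    return diff_baselines(baseline_from_files(DEMO_BEFORE), baseline_from_files(DEMO_AFTER))


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Tripwire-style integrity check")
    sub = parser.add_subparsers(dest="cmd", required=True)
    init = sub.add_parser("init", help="record a baseline for ROOT into BASELINE.json")
    init.add_argument("root")
    init.add_argument("baseline")
    check = sub.add_parser("check", help="compare ROOT against BASELINE.json")
    check.add_argument("root")
    check.add_argument("baseline")
    args = parser.parse_args(argv)

    if args.cmd == "init":
        with open(args.baseline, "w") as fh:
            json.dump(baseline_from_dir(args.root), fh, indent=1, sort_keys=True)
        return 0

    with open(args.baseline) as fh:
        old = json.load(fh)
    report = diff_baselines(old, baseline_from_dir(args.root))
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind}: {path}")
    # Non-zero exit so a cron job or monitoring script can alert on any change.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(json.dumps(demo(), indent=1))
    else:
        sys.exit(main())
```

Run it once with `init /var/www baseline.json` right after a clean install or upgrade, then `check /var/www baseline.json` from cron; any non-zero exit is worth a look. Keep the baseline file somewhere the web server cannot write to (ideally off the box, as Tripwire does with a signed database), otherwise whoever plants a script can just update the baseline too. Hashing only catches content changes; real Tripwire also tracks owner, mode and timestamps, which is worth adding if you extend this.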