Friday 16 November 2012

Tracing an Outbound UDP Flood

We had a client running on our virtual machine infrastructure whom we saw start to generate really high outbound traffic. This in turn affected other infrastructure as it attempted to cope with 1Gb of outbound traffic.

After some basic analysis we determined the outbound traffic was UDP, originating from the client's server and heading back out to the internet (in this case to a host in Brazil). An initial packet capture from the host showed that the UDP payload was all 'X' characters. Google searches for anything that might generate this kind of traffic were inconclusive. What I did find, however, when searching for outbound UDP flooding was a blog entry discussing the use of a PHP script (http://scott.cm/outbound-dos/), which pointed me in the direction of looking for a script kiddie script.

Going through the packet capture again, I found that we had actually (luckily) captured the initial HTTP request from the external party who was kicking off the flood (luck, because I was originally only starting the capture when I saw the flooding begin on our real-time graphing).

What we saw:

http://www.host.sample/403.php?act=phptools&host=x.x.x.x&time=460&port=80

Given that x.x.x.x was the host we were then flooding with UDP, it was kind of a coincidence to see that IP in the request.
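As an added example (not code from the original post), a Python script that hunts web access logs for requests shaped like that trigger, a PHP script called with a target host, a duration and a port in the query string, and pulls out the flood target. The log lines, addresses and timestamps are constructed samples in Apache combined format.

```python
"""Flag requests shaped like '403.php?act=phptools&host=...&time=...&port=...'.
Added example; log lines below are constructed, not from the incident."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines using documentation addresses (RFC 5737).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Nov/2012:10:01:02 +1100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Nov/2012:10:01:10 +1100] "GET /403.php?act=phptools&host=203.0.113.9&time=460&port=80 HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [16/Nov/2012:10:02:00 +1100] "GET /images/logo.png HTTP/1.1" 200 8040 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# The trigger names a target host plus a numeric flood duration and destination port.
TRIGGER_KEYS = {"host", "time", "port"}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_flood_triggers(log_text):
    """Return one record per request whose query string carries host, time and port
    together (with time and port numeric), i.e. the shape of the phptools trigger."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        parts = urlsplit(rec["url"])
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if not TRIGGER_KEYS <= q.keys():
            continue
        if not (q["time"].isdigit() and q["port"].isdigit()):
            continue  # host/time/port present but not numeric: not this tool's shape
        hits.append({
            "src": rec["src"], "ts": rec["ts"], "script": parts.path,
            "act": q.get("act", ""), "target": q["host"],
            "port": int(q["port"]), "seconds": int(q["time"]),
        })
    return hits

if __name__ == "__main__":
    for h in find_flood_triggers(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['script']} act={h['act']} "
              f"floods {h['target']}:{h['port']} for {h['seconds']}s")
```

Each hit gives the external caller (src), the script that was abused and the victim address, which is enough to block the caller at the edge and confirm the script on disk.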

Taking a look on the server then yielded the 403.php file.  It was pretty simple, and ultimately did the following:

$fp = fsockopen('udp://'.$host, $rand, $errno, $errstr, 5);

If you google this string you'll find it in a number of scripts. In addition to 403.php we found 404.php, which appears to be a gzencode'd shell that, once running on the server, lets the operator do a number of things. Alongside that was 'a.php', which looks like it was a vulnerability scanner.

Ultimately we cleaned off the scripts, alerted the client to the issue and moved on with real work.