Author Topic: Need Help - DDOS attack from my VPS

Offline Renegades
Need Help - DDOS attack from my VPS
« on: January 16, 2015, 09:28:30 pm »
Hi guys,

I got a phone call from my hosting provider telling me that there was a DDOS attack from my own VPS.
As I haven't had virus problems on Ubuntu, I just googled an open source antivirus product and came to
ClamAV. Well, I installed it and ran a command to scan for viruses; nothing was found, but I want to be sure.

I got these services running atm:

TeamSpeak 3
Apache
MySQL
Postfix

Since I used TeamSpeak for online games such as world of warcraft, I got this feeling people are abusing it
and possibly use it for DDOS, or something else that got a false positive for DDOS.

I have done my best to secure it, like changing settings so no root logins are allowed over SSH, and setting
ownerships to users that have to have access to that folder etc.

Are there ways to make sure, that a DDOS has happened or has not happened from my server?

Offline d4rkcat
Re: Need Help - DDOS attack from my VPS
« Reply #1 on: January 16, 2015, 11:27:24 pm »
LOL @ AV. Changing passwords won't make any difference at this point. It sounds like they already have root. You should ask the hosting provider to provide you details about what type of DoS they are performing; it might be an outdated Joomla or WordPress plugin.
Here's what I would do:

1. Take any files you need off the server.
2. Format the server.
3. Install the OS again.
4. Put the files back.
5. Don't run whatever random crap you ran to get pwned.

Offline Renegades
Re: Need Help - DDOS attack from my VPS
« Reply #2 on: January 16, 2015, 11:56:01 pm »
Does Linux use a register like Windows does? Or can I just delete the services I don't need, including any files I don't use, and then copy and paste the files/services I do need? Or just recheck my WordPress installation which I got installed?

Offline Syntax990
Re: Need Help - DDOS attack from my VPS
« Reply #3 on: January 17, 2015, 12:54:21 am »
Does linux use a register like windows does?

Nope

Can I just delete the services I don't need, including any files I don't use, and then copy and paste the files/services I do need?

You have been compromised; don't run the risk of it happening again. Reinstall and back up whatever is essential. Be careful that nothing you back up is compromised, and just be generally vigilant.

Since I used TeamSpeak for online games such as world of warcraft, I got this feeling people are abusing it and possibly use it for DDOS, or something else that got a false positive for DDOS.

Do whatever is necessary to not publicly disclose your IP address; that will minimise your chances of actually being attacked.

Offline M1lak0
Re: Need Help - DDOS attack from my VPS
« Reply #4 on: January 17, 2015, 07:35:35 am »
I suggest you run a shell detector with PHP as a base on your server. That may help you find backdoors, if any. :)
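As an added illustration of the kind of PHP shell detector M1lak0 recommends (example code written for this thread, not M1lak0's tool or any named project): a Python scanner that walks a web root and flags PHP files matching a few well-known backdoor heuristics. The pattern list and the sample snippets are constructed; a file that scans clean still needs checking by hand, since this only narrows down what to look at first.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed, deliberately small set of heuristics seen in PHP backdoors.
# Each one is a "why would legitimate code do this?" question, not proof.
PATTERNS = {
    # eval() fed by a decoder: obfuscated payload executed at request time
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # OS command functions whose argument comes straight from the request
    "exec_of_request_data": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # legacy preg_replace /e modifier (evaluates the replacement as PHP)
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    # request parameter used as a function name: $_POST['f']($arg)
    "dynamic_call_from_request": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # very long base64 literal embedded in source, typical of packed shells
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_source(src: str) -> List[str]:
    """Return the names of every heuristic that fires on one PHP source text."""
    return [name for name, rx in PATTERNS.items() if rx.search(src)]


def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> Dict[str, List[str]]:
    """Walk a web root and map each suspicious file path to the heuristics it matched."""
    hits: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        found = scan_source(src)
        if found:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    import sys
    for file, reasons in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{file}: {', '.join(reasons)}")
```

Run it against a copy of the web root (e.g. the WordPress and phpBB directories) and review each hit; a long base64 literal in a vendored library can be benign, whereas request data reaching eval() or system() almost never is.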

Offline Renegades
Re: Need Help - DDOS attack from my VPS
« Reply #5 on: January 18, 2015, 02:02:20 am »
May I just point out the obvious... by stating that a single server does not 'DDoS'. The first D stands for Distributed. Your server could have been part of a DDoS attack... however it couldn't by definition be single-handedly performing said attack...

Thanks for stating the obvious, wasn't aware of that.

I suggest you run a shell detector with PHP as a base on your server. That may help you find backdoors, if any. :)

Very good tip, appreciate it, thanks for that.

Nope

You have been compromised; don't run the risk of it happening again. Reinstall and back up whatever is essential. Be careful that nothing you back up is compromised, and just be generally vigilant.

Do whatever is necessary to not publicly disclose your IP address; that will minimise your chances of actually being attacked.

You are absolutely right, it's just that I am still learning Ubuntu and its commands, so I put a lot of time into it, but in this case I really have to start over again, although I am thinking that d4rkcat is right and that WordPress or an old version of phpBB is to blame.

I might just remove WordPress and phpBB and see what has happened after 1 week.