[HETZNER OVH] NetscanInLevel : Netscan detected
Good day everyone,
I own an ISPConfig3 multi-server setup, and since I bought a server from OVH.com I've received three "Abuse" from Hetzner. They told me this is the third time it has happened from a netscan, from a third VPS. I've checked all logs but didn't find anything inside, did a rootkit check, checked that root login is disabled and changed all passwords from SSH.
What should I do? I do own a virtualization server in Switzerland and don't get any abuse reports from them! Is their system scr*wed?
EDIT: I've just received my 4th alert from Hetzner:
Hello - your post is interesting as I am affected from the other side!
See the destination address - that resolves to a server on the Hetzner network in Germany. I have various servers all over their network and am currently being plagued with rogue traffic all from OVH 22.214.171.124/15 subnet.
I don't know if it's some kind of attack directed at Hetzner or whether it's outgoing traffic in general but I do know that OVH have a major problem right now. I also know I am less than satisfied with the lack of response from OVH when I highlighted the potential problem to them this morning - seemed they couldn't care less.
Since roughly 201305270100Z I have had literally hundreds of hosts from the above range performing portscans on all of my equipment.
Here's an example (MAC address removed and IPs changed to protect the innocent)
I think somebody has managed to find an exploit on http services, e.g. webscript, SQL injection, rogue PHP script or similar.
Check all your websites for rogue scripts, unfamiliar files, unfamiliar process running under http user. Use iptraf or tcpdump to monitor network traffic, use rkhunter or similar rootkit detection tools to see if you can narrow it down. Watch outgoing bandwidth then stop http service - you might find it decreases.
If you have any particular portal running it might be useful to check on that portal's homepage or forum to see if you have the latest patches etc., or whether somebody has found a new exploit. It is rather confusing however to see so many hosts on one concentrated network compromised all at the same time.
Finally if you have any direct line into somebody who will listen at OVH then I have a 200mb firewall log that will detail potentially compromised hosts. Since then however, I have changed my firewall to silently discard the whole subnet whilst this attack is ongoing.
I wish you luck in finding the source of your woes!
I've not received any other abuse from Hetzner right now. I've enabled the ISPConfig firewall on all servers. The thing is, I never received any of them with my primary multi-server setup in Switzerland... (no firewall installed at all, but enabled now)
I didn't know that we can run a netscan from a DNS server / mail server / SQL server without a firewall. SSH logs don't show anything abnormal.
I am still plagued with rogue traffic coming from OVH network but that is a different story. Trying to get OVH to acknowledge it is futile. This is occurring only a few weeks after a large-scale Bitcoin hack on servers hosted by them.
Never mind - see the log you were sent - suggests to me that it's apache/nginx that generated that traffic.
Did you look at the sites on your server? Are there any suspicious files on there, any recently changed files? Any spurious activity to/from your server?
Perhaps a "tcpdump port 80" or similar might reveal something.
On the firewall side, maybe if it's relevant to you consider outgoing traffic rulesets as well as incoming. Check out http://www.fwbuilder.org/ for a wonderful GUI tool for implementing firewall rulesets.
Thanks for the software, I will look at it.
There is no web server installed on the slave servers being used for the netscan.
My ISP - CH :
ISPConfig Master only Web enabled
SQL Server 1
Mail Server 1
DNS Server 1
DNS Server 2
OVH - FR :
Web server 2 (currently not reported by hetzner)
SQL Server 2
DNS Server 3
DNS Server 4
Only SQL and DNS Server #3 & #4 hosted by OVH were used for the netscan. As said above, these VPSes do not have any web server installed on them.
Each VPS has its own public IP address.
Sorry, I don't follow
Can you clarify, the server you stated above that was reported as performing malicious activity...
Also, when you say netscan - is it your own machines you are portscanning or other peoples?
I think I will cancel my rented server. I received the 5th abuse message, but this time this is my broadcast address.
That's absolutely interesting!
Please don't get me wrong - I am not suggesting you are doing anything wrong.
I do understand that you don't have a server at Hetzner (actually if you are looking to move from OVH then I'd say take a look at Hetzner - their service has been brilliant)
It actually ties directly in with my suspicions there is some kind of directed attack towards the Hetzner network. Look up those addresses in the last text file you've posted and most of them resolve to Hetzner hosts.
What you haven't answered is whether or not you have any kind of webservice or daemon running on port 80 on that particular machine. If not, perhaps traffic is being spoofed from elsewhere. How about an iptables rule to block outgoing tcp port 80. Does it go away?
Whether it's spoofed or not you are caught in the middle here with an unresponsive ISP who is pointing the finger at you by sending you a text file implying your server is one of the offenders.
Do you know at what point in their network they are monitoring this? Are they certain its traffic coming from your server and not spoofed from elsewhere? What happens if you log all outbound traffic from your server? Anything showing? I'd be asking OVH to prove your machine is in fact generating that traffic.
Are the binaries on your server intact - i.e. have not been tampered with in any way - is "netstat -tanpu" giving you proper output? What about "lsof" - does that show up any spurious items? What about iptraf? Does that show you anything?
About IPTraf, I am getting only known IP addresses, MySQL port, SSH port (my remote), my master ISPConfig database server, BIND traffic, nothing else.
Thanks for that. Nothing jumping out in your txt files as I'm sure you're aware.
I think then the traffic is being spoofed somewhere else on the OVH network and you're caught in the middle.
What does OVH say about that? Are they seeing any spurious traffic on their network? Why would their network configuration allow traffic seemingly from your broadcast address?
Here's how a part of it looks from my side, a tcpdump:
You can prove to them that it's not your machine so they should work with you accordingly to discover the source of this problem. I wouldn't be surprised if it's connected with that bitcoin hack a few weeks ago and some kind of retaliation to try and sully their reputation.
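
The check suggested in the thread (log all outbound traffic from the server, then see whether the reported flows actually appear and under which user) can be scripted as below. This is an added example, not code from any poster in the thread; it assumes an iptables LOG rule with `--log-uid` and a hypothetical "OUT-SYN " prefix, and the log lines and reported destinations are constructed.

```python
import re
from collections import defaultdict

# Assumed logging rule (the "OUT-SYN " prefix is this example's own choice):
#   iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-SYN " --log-uid
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample kernel log lines; all addresses are documentation ranges.
SAMPLE_LOG = """\
May 27 03:10:01 ns3 kernel: OUT-SYN IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4821 DF PROTO=TCP SPT=40112 DPT=3306 WINDOW=14600 RES=0x00 SYN URGP=0 UID=105 GID=110
May 27 03:10:02 ns3 kernel: OUT-SYN IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4822 DF PROTO=TCP SPT=40113 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=33 GID=33
May 27 03:10:02 ns3 kernel: OUT-SYN IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4823 DF PROTO=TCP SPT=40114 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=33 GID=33
May 27 03:10:02 ns3 kernel: OUT-SYN IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4824 DF PROTO=TCP SPT=40115 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=33 GID=33
""".splitlines()
REPORTED = [("203.0.113.1", 80), ("203.0.113.2", 80), ("203.0.113.77", 80)]  # constructed

def parse_line(line):
    """Return the KEY=value fields of one iptables LOG line, or None."""
    if "OUT-SYN" not in line:
        return None
    return dict(FIELD.findall(line))

def outbound_flows(lines):
    """Map (dst, dport) -> set of UIDs that opened a connection to it."""
    flows = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP" and "DPT" in f:
            flows[(f["DST"], int(f["DPT"]))].add(f.get("UID", "?"))
    return flows

def check_report(reported, lines):
    """Split reported (dst, dport) pairs into locally seen and never seen."""
    flows = outbound_flows(lines)
    seen = {r: sorted(flows[r]) for r in reported if r in flows}
    unseen = [r for r in reported if r not in flows]
    return seen, unseen

def fan_out(lines, min_targets=3):
    """UID/port pairs that contacted at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for (dst, dport), uids in outbound_flows(lines).items():
        for uid in uids:
            targets[(uid, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    print(check_report(REPORTED, SAMPLE_LOG), fan_out(SAMPLE_LOG))
```

Reported flows that land in the "seen" set point at a local process owned by the listed UID; flows that never appear in the host's own log are the ones to put back to the provider as evidence that the traffic did not originate on the machine.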