28th May 2013, 01:38
monkfish
HowtoForge Supporter

Hello - your post is interesting as I am affected from the other side!

See the destination address - that resolves to a server on the Hetzner network in Germany. I have various servers all over their network and am currently being plagued with rogue traffic, all from the OVH 178.32.0.0/15 subnet.

I don't know if it's some kind of attack directed at Hetzner or whether it's outgoing traffic in general, but I do know that OVH have a major problem right now. I also know I am less than satisfied with the lack of response from OVH when I highlighted the potential problem to them this morning - it seemed they couldn't care less.

Since roughly 201305270100Z I have had literally hundreds of hosts from the above range performing portscans on all of my equipment.

Here's an example (MAC address removed and IPs changed to protect the innocent):

Code:
May 27 22:10:38 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.32.x.x DST=46.4.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=80 DPT=63571 WINDOW=14600 RES=0x00 ACK SYN URGP=0

Every single dropped packet from the OVH network has TCP SPT 80, i.e. HTTP traffic.

I think somebody has managed to find an exploit on HTTP services, e.g. a web script, SQL injection, rogue PHP script or similar.

Check all your websites for rogue scripts, unfamiliar files, and unfamiliar processes running under the HTTP user. Use iptraf or tcpdump to monitor network traffic, and use rkhunter or similar rootkit detection tools to see if you can narrow it down. Watch outgoing bandwidth, then stop the HTTP service - you might find it decreases.

If you have any particular portal running, it might be useful to check on that portal's homepage or forum to see if you have the latest patches etc., or whether somebody has found a new exploit. It is rather confusing, however, to see so many hosts on one concentrated network compromised all at the same time.

Finally, if you have any direct line into somebody who will listen at OVH, then I have a 200 MB firewall log that will detail potentially compromised hosts. Since then, however, I have changed my firewall to silently discard the whole subnet whilst this attack is ongoing.

I wish you luck in finding the source of your woes!

Last edited by monkfish; 28th May 2013 at 01:49.
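An added example, not from the poster: a small parser for the netfilter LOG line format quoted above that tallies dropped packets by TCP flag pattern and by source subnet, so the SYN/ACK-from-port-80 traffic the post describes can be separated from plain SYN probes and from everything else. The log lines and addresses below are constructed for the example, and the subnet 178.32.0.0/15 is the one named in the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the same netfilter LOG format as the post
# (addresses are example values, not real hosts).
SAMPLE_LOG = """\
May 27 22:10:38 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.32.10.5 DST=46.4.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=80 DPT=63571 WINDOW=14600 RES=0x00 ACK SYN URGP=0
May 27 22:10:39 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.33.200.9 DST=46.4.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=40211 WINDOW=14600 RES=0x00 ACK SYN URGP=0
May 27 22:10:40 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=46.4.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 27 22:10:41 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.32.77.3 DST=46.4.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=80 DPT=63572 WINDOW=14600 RES=0x00 ACK SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE fields (value may be empty, e.g. OUT=)
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}  # bare tokens, no '='


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a FLAGS set, or None if not a packet line."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in FLAG_TOKENS}
    return fields


def classify(fields):
    """synack_from_80: SYN+ACK with source port 80, i.e. a reply to a connection
    this host never opened (the pattern in the post); syn_probe: a bare inbound SYN,
    i.e. a genuine connection attempt or port scan; other: everything else."""
    flags = fields["FLAGS"]
    if fields.get("PROTO") != "TCP":
        return "other"
    if {"SYN", "ACK"} <= flags and fields.get("SPT") == "80":
        return "synack_from_80"
    if "SYN" in flags and "ACK" not in flags:
        return "syn_probe"
    return "other"


def summarize(log_text, net="178.32.0.0/15"):
    """Count dropped packets per class overall and per class for sources inside `net`."""
    subnet = ipaddress.ip_network(net)
    totals, in_net = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        kind = classify(fields)
        totals[kind] += 1
        if ipaddress.ip_address(fields["SRC"]) in subnet:
            in_net[kind] += 1
    return totals, in_net
```

Run `summarize(open("/var/log/messages").read())` against a real log to see whether the drops from the subnet are SYN/ACK replies rather than SYN probes; a host that only ever sends SYN/ACK from port 80 is answering connections it believes your address opened, which is worth keeping in mind before treating it as a scanner.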