29th May 2013, 13:14
monkfish
HowtoForge Supporter
Join Date: Mar 2013
Posts: 106
Thanks: 9
Thanked 15 Times in 14 Posts

That's absolutely interesting!

Please don't get me wrong - I am not suggesting you are doing anything wrong.

I do understand that you don't have a server at Hetzner (actually, if you are looking to move from OVH then I'd say take a look at Hetzner - their service has been brilliant).

It actually ties in directly with my suspicions that there is some kind of directed attack towards the Hetzner network. Look up those addresses in the last text file you've posted and most of them resolve to Hetzner hosts.

What you haven't answered is whether or not you have any kind of webservice or daemon running on port 80 on that particular machine. If not, perhaps traffic is being spoofed from elsewhere. How about an iptables rule to block outgoing tcp port 80. Does it go away?

Whether it's spoofed or not, you are caught in the middle here with an unresponsive ISP who is pointing the finger at you by sending you a text file implying your server is one of the offenders.

Do you know at what point in their network they are monitoring this? Are they certain it's traffic coming from your server and not spoofed from elsewhere? What happens if you log all outbound traffic from your server? Anything showing? I'd be asking OVH to prove your machine is in fact generating that traffic.

Are the binaries on your server intact, i.e. have they not been tampered with in any way? Is "netstat -tanpu" giving you proper output? What about "lsof" - does that show up any spurious items? What about iptraf? Does that show you anything?

Last edited by monkfish; 29th May 2013 at 13:16.
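One way to act on the "log all outbound traffic" suggestion above, as an added example that is not part of the thread: parse netfilter LOG lines for outbound TCP/80 SYNs from the kernel log, count them per destination, and check them against the address list the ISP sent. The log lines, the ISP list and the server's own address are constructed sample data; the "OUT80:" log prefix is an assumed name.

```python
import re
from collections import Counter

# Constructed sample of /var/log/kern.log lines, as produced by a rule such as
#   iptables -I OUTPUT -p tcp --dport 80 --syn -j LOG --log-prefix "OUT80: "
# (addresses are from documentation ranges, not real hosts).
KERN_LOG = """\
May 29 13:14:01 srv kernel: [1001.1] OUT80: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 29 13:14:01 srv kernel: [1001.2] OUT80: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 29 13:14:02 srv kernel: [1001.3] OUT80: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43212 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 29 13:14:03 srv kernel: [1001.4] OUT80: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43213 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 29 13:14:04 srv kernel: [1001.5] OUT80: IN= OUT=eth0 SRC=192.0.2.99 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43214 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Constructed stand-in for the text file of "offending" addresses the ISP sent.
ISP_LIST = "203.0.113.5\n203.0.113.77\n203.0.113.200\n"

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")

def parse_out80(log_text, prefix="OUT80:"):
    """Return (src, dst) pairs for every logged outbound TCP SYN to port 80."""
    hits = []
    for line in log_text.splitlines():
        if prefix not in line:
            continue
        m = LOG_RE.search(line)
        if m and m.group(3) == "80":
            hits.append((m.group(1), m.group(2)))
    return hits

def correlate(hits, isp_list_text, my_ips):
    """Count SYNs per destination, split by whether the ISP list names them,
    and flag SRC addresses that are not the server's own: packets in the
    OUTPUT chain are locally generated, so a foreign SRC there means this
    host itself is emitting spoofed packets, not some other machine."""
    listed = {ip.strip() for ip in isp_list_text.splitlines() if ip.strip()}
    per_dst = Counter(dst for _, dst in hits)
    matched = {d: n for d, n in per_dst.items() if d in listed}
    unmatched = {d: n for d, n in per_dst.items() if d not in listed}
    foreign_src = sorted({src for src, _ in hits if src not in my_ips})
    return matched, unmatched, foreign_src

if __name__ == "__main__":
    hits = parse_out80(KERN_LOG)
    matched, unmatched, foreign = correlate(hits, ISP_LIST, {"192.0.2.10"})
    print("destinations on the ISP list:", matched)
    print("destinations not on the list:", unmatched)
    print("SRC addresses that are not this server's:", foreign)
```

If the matched set is empty after a day of logging while the ISP keeps reporting you, that is the evidence to hand back to them; a non-empty foreign SRC list points at a raw-socket process on the box and is where netstat/lsof should be checked next.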