  #9  
29th May 2013, 14:22
Nioubee
Junior Member
 
Join Date: Nov 2011
Posts: 17

Quote:
Originally Posted by monkfish
That's absolutely interesting!

Please don't get me wrong - I am not suggesting you are doing anything wrong.

I do understand that you don't have a server at Hetzner (actually, if you are looking to move from OVH then I'd say take a look at Hetzner - their service has been brilliant).
This is what I am going to do if this problem of spoofed IP addresses doesn't stop.

Quote:
Originally Posted by monkfish
It actually ties in directly with my suspicions that there is some kind of directed attack towards the Hetzner network. Look up those addresses in the last text file you've posted and most of them resolve to Hetzner hosts.

What you haven't answered is whether or not you have any kind of web service or daemon running on port 80 on that particular machine. If not, perhaps traffic is being spoofed from elsewhere. How about an iptables rule to block outgoing TCP port 80? Does it go away?
There are no daemons or web services on these machines; I took a moment on each VPS to confirm it.

Quote:
Originally Posted by monkfish
Whether it's spoofed or not, you are caught in the middle here with an unresponsive ISP who is pointing the finger at you by sending you a text file implying your server is one of the offenders.
These abuse messages are not sent by OVH but by Hetzner; I rent some IP addresses from RIPE, but via OVH.

Quote:
Originally Posted by monkfish
Do you know at what point in their network they are monitoring this? Are they certain it's traffic coming from your server and not spoofed from elsewhere? What happens if you log all outbound traffic from your server? Anything showing? I'd be asking OVH to prove your machine is in fact generating that traffic.
Can Munin data logs be used as proof?

Quote:
Originally Posted by monkfish
Are the binaries on your server intact - i.e. have not been tampered with in any way - is "netstat -tanpu" giving you proper output? What about "lsof" - does that show up any spurious items? What about iptraf? Does that show you anything?
See attached files

About IPTraf, I am getting only known IP addresses: MySQL port, SSH port (my remote), my master ISPConfig database server, BIND traffic, nothing else.
Attached Files
lsof.txt (88.8 KB)
netstat-tanpu.txt (6.9 KB)
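As an added example (not code from this thread or from the attached files), a small Python checker that applies the allow-list Nioubee describes (SSH, MySQL, BIND) to `netstat -tanpu` output, flagging listeners outside it and any connection to remote port 80, the traffic Hetzner reported. The sample output, PIDs and program names are constructed.

```python
# Constructed sample of `netstat -tanpu` output; PIDs and program names are
# made up for illustration and are not from the thread's attachment.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      955/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1600/example-svc
tcp        0      0 10.0.0.5:22             198.51.100.7:51234      ESTABLISHED 1201/sshd: admin
tcp        0      0 10.0.0.5:43122          203.0.113.9:80          SYN_SENT    1777/example-bin
udp        0      0 0.0.0.0:53              0.0.0.0:*                           701/named
"""


def parse_netstat(text):
    """Turn `netstat -tanpu` rows into dicts; UDP rows have no State column."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or blank line
        proto, local, foreign = parts[0], parts[3], parts[4]
        if proto.startswith("tcp"):
            state, prog = parts[5], " ".join(parts[6:])  # prog may contain spaces
        else:
            state, prog = "", " ".join(parts[5:])
        entries.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "prog": prog})
    return entries


def port_of(addr):
    """Port from 'ip:port' (also ':::22' for IPv6); None for the '*' wildcard."""
    port = addr.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None


def find_unexpected(entries, allowed_listen=(22, 3306, 53), watched_remote=(80,)):
    """Return (reason, entry) pairs for sockets outside the expected profile."""
    hits = []
    for e in entries:
        if port_of(e["foreign"]) is None:  # no peer: a bound/listening socket
            if port_of(e["local"]) not in allowed_listen:
                hits.append(("unexpected listener", e))
        elif port_of(e["foreign"]) in watched_remote:  # outbound to port 80
            hits.append(("outbound to watched port", e))
    return hits


if __name__ == "__main__":
    for reason, e in find_unexpected(parse_netstat(SAMPLE)):
        print(reason, e["proto"], e["local"], "->", e["foreign"], e["prog"])
```

On a real box, feed it `netstat -tanpu` output captured as root so the PID/Program column is populated; a listener or outbound connection it flags is the first thing to compare against `lsof -i`.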