  #1  
27th May 2013, 00:20
Nioubee (Junior Member)

[HETZNER OVH] NetscanInLevel : Netscan detected

Good day everyone,

I own an ISPConfig3 multi-server setup, and since I bought a server from OVH.com I've received three "Abuse" reports from Hetzner. They told me this is the third time it has happened from a netscan, from a third VPS. I've checked all logs but don't find anything inside, did a rootkit check, checked that root login is disabled and changed all passwords for SSH.

What should I do? I do own a virtualization server in Switzerland and don't get any abuse reports from them! Is their system scr*wed?

EDIT: I've just received my 4th alert from Hetzner:

Code:
##########################################################################
#               Netscan detected from host  178.32.***.***               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Mon May 27 00:11:18 2013 TCP  178.32.***.*** 80    =>   78.46.119.133 1234

  #2  
28th May 2013, 00:38
monkfish (HowtoForge Supporter)

Hello - your post is interesting as I am affected from the other side!

See the destination address - that resolves to a server on the Hetzner network in Germany. I have various servers all over their network and am currently being plagued with rogue traffic, all from the OVH 178.32.0.0/15 subnet.

I don't know if it's some kind of attack directed at Hetzner or whether it's outgoing traffic in general, but I do know that OVH have a major problem right now. I also know I am less than satisfied with the lack of response from OVH when I highlighted the potential problem to them this morning - seemed they couldn't care less.

Since roughly 201305270100Z I have had literally hundreds of hosts from the above range performing portscans on all of my equipment.

Here's an example (MAC address removed and IPs changed to protect the innocent):

Code:
May 27 22:10:38 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.32.x.x DST=46.4.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=80 DPT=63571 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Every single dropped packet from the OVH network has TCP SPT 80, i.e. http traffic.

I think somebody has managed to find an exploit on http services, e.g. a webscript, SQL injection, rogue PHP script or similar.

Check all your websites for rogue scripts, unfamiliar files, and unfamiliar processes running under the http user. Use iptraf or tcpdump to monitor network traffic, and use rkhunter or similar rootkit detection tools to see if you can narrow it down. Watch outgoing bandwidth, then stop the http service - you might find it decreases.

If you have any particular portal running, it might be useful to check on that portal's homepage or forum to see if you have the latest patches etc., or whether somebody has found a new exploit. It is rather confusing, however, to see so many hosts on one concentrated network compromised all at the same time.

Finally, if you have any direct line into somebody who will listen at OVH, then I have a 200 MB firewall log that will detail potentially compromised hosts. Since then, however, I have changed my firewall to silently discard the whole subnet whilst this attack is ongoing.

I wish you luck in finding the source of your woes!

Last edited by monkfish; 28th May 2013 at 00:49.

  #3  
28th May 2013, 13:28
Nioubee (Junior Member)
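The firewall-log triage suggested in the post above, written out as a small POSIX shell script. This is an added example, not code from the thread, from ISPConfig or from either hosting provider: it tallies netfilter DENY lines by any KEY=value field, counts how many drops carry a given source port, and lists the distinct sources that used that port (the "potentially compromised hosts" list a 200 MB log would yield). The four log lines are constructed with placeholder addresses; the log file path, the "RULE 14 -- DENY" prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter DENY log lines so
# that a burst of packets from one network, all sharing a source port, stands
# out. On a real host feed it real lines, e.g.
#   grep DENY /var/log/kern.log | count_by_field SRC
# (log path and rule prefix depend on the firewall configuration).

# Constructed sample: three drops with SPT=80 from two hosts, one unrelated SYN.
SAMPLE_LOG='May 27 22:10:38 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.32.0.10 DST=46.4.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=80 DPT=63571 WINDOW=14600 RES=0x00 ACK SYN URGP=0
May 27 22:10:39 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.32.0.11 DST=46.4.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=40211 WINDOW=14600 RES=0x00 ACK SYN URGP=0
May 27 22:10:39 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=178.32.0.10 DST=46.4.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=14600 RES=0x00 ACK SYN URGP=0
May 27 22:10:40 server1 kernel: RULE 14 -- DENY IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=46.4.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# count_by_field KEY: read DENY lines on stdin and print "count value" for the
# KEY=value field (SRC, DST, SPT, DPT, PROTO, ...), most frequent first.
count_by_field() {
    awk -v key="$1" '
        /DENY/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key && kv[2] != "") n[kv[2]]++
            }
        }
        END { for (v in n) printf "%d %s\n", n[v], v }' | sort -k1,1nr -k2,2
}

# sport_hits PORT: number of DENY lines on stdin whose source port is PORT.
# grep -c prints 0 but exits non-zero when nothing matches, hence "|| true".
sport_hits() {
    grep -c "DENY .* SPT=$1 " || true
}

# sources_using_sport PORT: distinct source addresses that sent from PORT,
# with a drop count per address.
sources_using_sport() {
    grep "DENY .* SPT=$1 " | count_by_field SRC
}

# sport_owners PORT: on the suspected sender, show which local process owns
# sockets bound to PORT (ss filter syntax; needs root to see other users'
# processes). Not exercised below because it needs a live host.
sport_owners() {
    ss -tnap "( sport = :$1 )"
}

# Demo on the constructed sample.
echo "drops per source address:"
printf '%s\n' "$SAMPLE_LOG" | count_by_field SRC
echo "drops per source port:"
printf '%s\n' "$SAMPLE_LOG" | count_by_field SPT
echo "sources that sent from port 80:"
printf '%s\n' "$SAMPLE_LOG" | sources_using_sport 80
```

Tallying SPT first confirms the pattern the post describes (nearly every drop from source port 80); tallying SRC among those lines then gives the list of hosts worth reporting to the provider.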

Hello,

I've not received any other abuse reports from Hetzner right now; I've enabled the ISPConfig firewall on all servers. The thing is, I never received any of them with my primary multi-server setup in Switzerland... (no firewall installed at all, but enabled now)

I didn't know that we could run a netscan from a DNS server / mail server / SQL server without a firewall. SSH logs don't show anything abnormal.

  #4  
28th May 2013, 14:11
monkfish (HowtoForge Supporter)

Hello Nioubee,

I am still plagued with rogue traffic coming from the OVH network, but that is a different story. Trying to get OVH to acknowledge it is futile. This is occurring only a few weeks after a large-scale Bitcoin hack on servers hosted by them.

Never mind - see the log you were sent - it suggests to me that it's apache/nginx that generated that traffic.

Did you look at the sites on your server? Are there any suspicious files on there, any recently changed files? Any spurious activity to/from your server?

Perhaps a "tcpdump port 80" or similar might reveal something.

On the firewall side, if it's relevant to you, maybe consider outgoing traffic rulesets as well as incoming. Check out http://www.fwbuilder.org/ for a wonderful GUI tool for implementing firewall rulesets.
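The outgoing ruleset idea from the post above, as an added example that is not from the thread, from ISPConfig or from fwbuilder: an OUTPUT-chain policy for a single-purpose VPS (DNS, SQL, mail or web slave) that allows only the new outbound connections the role needs, then logs and drops everything else, so a process that starts talking out on its own shows up in the kernel log before it shows up in an abuse report. The master address, the log prefix, the role names and the assumption that every role needs to reach the master's MySQL (which ISPConfig slaves read their configuration from) are all assumptions; by default the script only prints the iptables commands, and APPLY=1 run as root loads them.

```shell
#!/bin/sh
# Added example, not part of the thread or of ISPConfig: egress filtering for
# a single-purpose VPS. Without APPLY=1 the iptables commands are printed,
# not executed, so the ruleset can be reviewed first.

MASTER_IP="${MASTER_IP:-192.0.2.10}"        # ISPConfig master (placeholder address)
LOG_PREFIX="${LOG_PREFIX:-EGRESS-DROP }"    # prefix to grep for in the kernel log

# rule ARGS...: print the iptables command, or run it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# egress_rules ROLE: emit the OUTPUT ruleset for ROLE (dns, sql, mail or web).
egress_rules() {
    role="$1"
    case "$role" in
        dns|sql|mail|web) ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac

    rule -F OUTPUT
    rule -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections already accepted in either direction.
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Every role: name resolution, NTP, and the master's MySQL (assumption:
    # slaves fetch their configuration from there).
    rule -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -p tcp -d "$MASTER_IP" --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
    # Package updates; narrow -d to your mirror once it is known.
    rule -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Role-specific additions: only a mail server needs to open SMTP sessions.
    case "$role" in
        mail) rule -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT ;;
        dns|sql|web) ;;
    esac

    # Whatever is left: log (rate limited) and drop, then make DROP the default.
    rule -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
    rule -A OUTPUT -j DROP
    rule -P OUTPUT DROP
}

# Demo: print the ruleset for a DNS slave.
egress_rules dns
```

After loading, `grep EGRESS-DROP /var/log/kern.log` shows every outbound connection attempt that fell outside the role's profile, with the originating source port and destination; that is the list to compare against the provider's abuse report.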
  #5  
28th May 2013, 14:59
Nioubee (Junior Member)

Hello monkfish,

Thanks for the software, I will look at it.
There is no web server installed on the slave servers being used for the netscan.

My ISP - CH :
ISPConfig Master only Web enabled
SQL Server 1
Mail Server 1
DNS Server 1
DNS Server 2

OVH - FR :
Web server 2 (currently not reported by hetzner)
SQL Server 2
DNS Server 3
DNS Server 4

Only the SQL server and DNS servers #3 & #4 hosted by OVH were used for the netscan. As said above, these VPS do not have any web server installed on them.
Each VPS has its own public IP address.

  #6  
28th May 2013, 15:52
monkfish (HowtoForge Supporter)

Sorry, I don't follow.

Can you clarify: the server you stated above that was reported as performing malicious activity...

Quote:
Mon May 27 00:11:18 2013 TCP 178.32.***.*** 80 => 78.46.119.133 1234
That is one of your OVH ones? Are you saying you don't think you have a web server running on it? In which case I'd suggest you check that server, as there is some process kicking out traffic from TCP port 80, which is what that network report is submitted for.

Also, when you say netscan - is it your own machines you are portscanning, or other people's?