LinuxQuestions.org
Old 04-26-2010, 02:31 PM   #1
proNick
Member
 
Registered: Apr 2005
Posts: 104

Rep: Reputation: 15
Abuse Complaint - where to look and for what to check?


Hello,

I received an email from my provider. He complained that my server "scanned" another one (in fact, the provider of the other server complained to my hosting provider).

They gave me the following report (IP addresses are hidden):


We have received the below report regarding an unauthorised activity
being carried out from an IP address that we have assigned to you.
Please investigate this report and take appropriate action, which should
be to find and fix the cause of the problem.

Please let us know when this activity has been stopped ASAP so we can
notify the parties which have reported this.

Failure to take action on this report within 24 hours may result in the
IP being taken offline until the problem can be resolved.

Below is original complaint we have received.
===============================================================================

Dear Sir or Madam,

our monitoring system noticed a network scan (or network attack) from an
IP address under your responsibility.
Please take necessary actions to avoid this in future. Any feedback
would be appreciated. Please use the following link for your feedback:
http://abuse.XXX.ey/statements/?toke...45gupo34o5gu4o

Important note:
When you reply to us, please leave the abuse ID [AbuseID:123456:1B]
unchanged in the subject line.
You should get this information only a few minutes after the incident.
All timestamps are in European local time



Direction IN
Internal XX.YY.ZZ.VV
Threshold Packets 50.000 packets/s
Sum 133.946.000 packets/300s (446.486 packets/s), 22 flows/300s (0 flows/s), 5,364 GByte/300s (146 MBit/s)
External QQ.WW.EE.RR, 16.566.000 packets/300s (55.220 packets/s), 1 flows/300s (0 flows/s), 0,663 GByte/300s (18 MBit/s)
External AA.SS.DD.FF, 15.918.000 packets/300s (53.060 packets/s), 1 flows/300s (0 flows/s), 0,637 GByte/300s (17 MBit/s)
External ZZ.XX.CC.VV, 15.507.000 packets/300s (51.690 packets/s), 1 flows/300s (0 flows/s), 0,621 GByte/300s (16 MBit/s)
External PP.OO.II.UU, 15.343.000 packets/300s (51.143 packets/s), 1 flows/300s (0 flows/s), 0,614 GByte/300s (16 MBit/s)



Can you tell me where and for what I should check?

It looks like somebody was on the server and did... I don't know what...


Please give me some advice.

Thank you in advance!
 
Old 04-26-2010, 03:52 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Can you fill us in on the system in question? You know, things like operating system and running software? At any rate, it might not be a bad idea to take this machine offline until you can investigate. I wouldn't turn it off if you haven't already, just pull the network cable or put up a firewall that keeps out everything except local access or SSH from a trusted IP address.
 
Old 04-26-2010, 07:01 PM   #3
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 424

Rep: Reputation: 131
Quote:
5,364 GByte/300s (146 MBit/s)
These look like possible bot floods. If Windows, I'd say check for a bot connected possibly to a C&C, if Linux, possibly the same thing but in a script. Web apps in use? Perl? PHP?
 
Old 04-27-2010, 01:15 AM   #4
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
Rep: Reputation: 15
It's a machine with an online shop application written in PHP. It also looks like bot floods to me.

The first advice is useful, but I cannot turn off the network because of the shop application...

Last edited by proNick; 04-27-2010 at 01:17 AM.
 
Old 04-27-2010, 02:08 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Quote:
Originally Posted by proNick View Post
It's a machine with an online shop application written in PHP.
Here in the Linux Security forum we try to understand things beyond what is required for posting back one-liners. That means that if there is not enough information we ask questions. Given the questions asked you have got to be a lot more verbose than that. As root display and save to a text file and attach:
- OS and version ('\cat /etc/*release*; uname -a'),
- processes running ('\ps -axfwwwe'),
- open files ('\lsof -Pwnp'),
- network connections ('\netstat -antupe'),
- users connected ('\last; \lastlog'), plus
- web stack (webserver, PHP/Perl, database) versions,
- name and version of the shop application,
- last date the OS and components were updated,
- running services and services provided (system and web stack, so don't forget any web or service panels or user-accessible URIs),
- measures in place ('cat /proc/net/ip_tables_names | xargs -iT iptables -vxnL --line-numbers -t 'T'; cat /etc/hosts.*'),
- any package manager you ran for integrity verification or tools like Tiger, Aide, Samhain, Chkrootkit, Rootkit Hunter, LSAT (do not install if not available already),
- check and run commands from the CERT Intruder Detection Checklist archived at http://web.archive.org/web/200801092...checklist.html


Quote:
Originally Posted by proNick View Post
The first advice is useful, but I cannot turn off the network because of the shop application...
It may not be the case but if the machine may be compromised then your online shop may be compromised. That is not only bad for business but letting the situation exist unmitigated can harm other systems. So please keep the option open. In any case first respond to questions asked.
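As an added example (my own script, not unSpawn's and not from this thread): a small POSIX sh collector that runs the checklist above as root and writes one file per item into a directory, so the results can be attached here and compared against a later run. It assumes GNU/Linux userland (sha256sum, xargs -I) and an output directory of your choosing; nothing is installed, a missing tool is just recorded.

```sh
#!/bin/sh
# Added example (not from the thread): collect the evidence from unSpawn's
# checklist into one directory. Run as root. Each tool is checked with
# "command -v" first, so a missing one is noted instead of aborting the run.

# run_into DIR NAME CMD...: run CMD, saving stdout and stderr to DIR/NAME.txt.
run_into() {
    dir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$dir/$name.txt" 2>&1 || echo "exit status $?" >>"$dir/$name.txt"
    else
        echo "missing: $1" >"$dir/$name.txt"
    fi
}

# collect_triage OUTDIR: the items from post #5, one file each; prints OUTDIR.
collect_triage() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    # OS and version
    cat /etc/*release* >"$outdir/os-release.txt" 2>&1 || true
    run_into "$outdir" uname uname -a
    # processes, open files, network connections, logins
    run_into "$outdir" ps ps -axfwwwe
    run_into "$outdir" lsof lsof -Pwn      # -p would need a PID list, so it is left out here
    run_into "$outdir" netstat netstat -antupe
    run_into "$outdir" last last
    run_into "$outdir" lastlog lastlog
    # measures in place: every loaded iptables table, plus the tcp_wrappers files
    if [ -r /proc/net/ip_tables_names ]; then
        xargs -I '{}' iptables -vxnL --line-numbers -t '{}' \
            </proc/net/ip_tables_names >"$outdir/iptables.txt" 2>&1 || true
    fi
    cat /etc/hosts.* >"$outdir/hosts-access.txt" 2>&1 || true
    # web stack versions (mysql prints its version with -V, not -v)
    for spec in "httpd -v" "apache2 -v" "php -v" "perl -v" "mysql -V"; do
        set -- $spec
        run_into "$outdir" "ver-$1" "$@"
    done
    # hash the snapshot so a later collection can be diffed against it
    (cd "$outdir" && sha256sum ./*.txt >SHA256SUMS)
    echo "$outdir"
}

# Usage (as root): collect_triage "/root/triage-$(date +%Y%m%d-%H%M)"
```

Copy the directory off the box (scp from a clean workstation) before doing anything else on it, so the snapshot predates your own cleanup.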
 
Old 04-28-2010, 03:47 PM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Is your "online shop application written in php" a home grown application or a well known, well trusted, well tested, off the shelf or open source application?
You may have a problem with cross-site scripting or HTML injection. Basically, someone uses a form that accepts input on your site to execute code that performs the actions.
 
Old 04-28-2010, 03:56 PM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by Noway2 View Post
You may have a problem with cross-site scripting or HTML injection. Basically, someone uses a form that accepts input on your site to execute code that performs the actions.
Unfortunately, until the OP posts back with some actual facts, any sort of diagnosis is going to be nothing but unadulterated speculation.
 
Old 04-28-2010, 07:11 PM   #8
davidlu766
LQ Newbie
 
Registered: Apr 2010
Posts: 23

Rep: Reputation: 15
My advice is lock down the server. OR at the VERY least, install security software such as fail2ban (my personal favorite) and be sure that you have a strong password...

Just an FYI, if you are operating a shopping site that accepts credit cards (and I assume it is), you can technically be held responsible for any unauthorized transaction that your users have faced... Just be careful, look at your logs (httpd, mysql, ssh) and scan for questionable activities....
 
Old 04-29-2010, 02:58 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Quote:
Originally Posted by davidlu766 View Post
My advice is lock down the server. OR at the VERY least, install security software such as fail2ban (my personal favorite) and be sure that you have a strong password...
Unfortunately, until the OP posts back details, such "advice" is way too generic.
 
Old 06-15-2010, 06:45 AM   #10
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
Rep: Reputation: 15
Hello,

Now, after a few months, I have the same problem.

All I have is the report from the provider:

Log entries related to these addresses (times are in CEST (UTC +02:00)):
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0613.12:26:23.983 0613.12:27:45.143 145 xxx.yy.zz.q 32906 269 ppp.qqq.rr.1 22 17 0 158233 6804019
0613.12:27:45.145 0613.12:28:49.501 145 xxx.yy.zz.q 32906 269 ppp.qqq.rr.1 22 17 0 39449 1696307
0613.12:32:09.947 0613.12:32:14.669 145 xxx.yy.zz.q 32908 553 ppp.qqq.rr.2 22 17 0 8861 381023
0613.12:43:14.871 0613.12:44:47.420 145 xxx.yy.zz.q 32912 269 ppp.qqq.rr.6 22 17 0 8334005 358362215
0613.12:44:47.422 0613.12:46:23.390 145 xxx.yy.zz.q 32912 269 ppp.qqq.rr.6 22 17 0 8739423 375795189
0613.12:46:23.390 0613.12:47:18.481 145 xxx.yy.zz.q 32912 269 ppp.qqq.rr.6 22 17 0 4951330 212907190



... where xxx.yy.zz.q is my IP address and ppp.qqq.rr.* are the addresses of the other servers.

What would be your advice, what to do?


Just to mention, last time the provider closed the incident by himself, because "they did not have enough information" from the server that was attacked.


Thanks in advance!

Last edited by proNick; 06-15-2010 at 06:46 AM.
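As an added example (not from the thread, not the OP's or the provider's tool): the report's flow records become readable once rated per second. The awk script below parses the six masked records quoted above exactly as posted (xxx/ppp are the report's own placeholders), converts the start/end timestamps to a duration, and flags every flow above a packets-per-second threshold; the first complaint quoted a 50.000 packets/s trigger, so 50000 is used. Protocol number 17 in the P column is UDP, so what the numbers show is roughly 90,000 UDP packets per second toward port 22 of three hosts, a flood rather than SSH logins.

```sh
#!/bin/sh
# Added example (not from the thread): rate the provider's flow records.
# Sample input copied from post #10 with the report's masked addresses;
# the header line is included to show it being skipped.
FLOW_LOG='Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0613.12:26:23.983 0613.12:27:45.143 145 xxx.yy.zz.q 32906 269 ppp.qqq.rr.1 22 17 0 158233 6804019
0613.12:27:45.145 0613.12:28:49.501 145 xxx.yy.zz.q 32906 269 ppp.qqq.rr.1 22 17 0 39449 1696307
0613.12:32:09.947 0613.12:32:14.669 145 xxx.yy.zz.q 32908 553 ppp.qqq.rr.2 22 17 0 8861 381023
0613.12:43:14.871 0613.12:44:47.420 145 xxx.yy.zz.q 32912 269 ppp.qqq.rr.6 22 17 0 8334005 358362215
0613.12:44:47.422 0613.12:46:23.390 145 xxx.yy.zz.q 32912 269 ppp.qqq.rr.6 22 17 0 8739423 375795189
0613.12:46:23.390 0613.12:47:18.481 145 xxx.yy.zz.q 32912 269 ppp.qqq.rr.6 22 17 0 4951330 212907190'

# rate_flows THRESHOLD_PPS: read records on stdin and print, per record,
#   proto src:port -> dst:port pkt/s B/s FLAG
# where FLAG is FLOOD when the packet rate exceeds THRESHOLD_PPS.
rate_flows() {
    awk -v thr="$1" '
    # timestamps look like MMDD.HH:MM:SS.mmm; return seconds since midnight
    function secs(ts,  t) {
        split(substr(ts, 6), t, ":")
        return t[1] * 3600 + t[2] * 60 + t[3]
    }
    # IANA protocol numbers: 6 is TCP, 17 is UDP
    function proto(n) { return n == 6 ? "tcp" : (n == 17 ? "udp" : "ip" n) }
    NF == 12 && $11 ~ /^[0-9]+$/ {
        dur = secs($2) - secs($1)
        if (dur < 0) dur += 86400          # flow crossed midnight
        if (dur <= 0) dur = 0.001          # same millisecond: avoid divide by zero
        pps = $11 / dur; bps = $12 / dur
        printf "%s %s:%s -> %s:%s %.0f pkt/s %.0f B/s %s\n",
            proto($9), $4, $5, $7, $8, pps, bps, (pps > thr ? "FLOOD" : "ok")
    }'
}

# count_floods THRESHOLD_PPS: how many of the sample records are flagged
count_floods() {
    printf '%s\n' "$FLOW_LOG" | rate_flows "$1" | grep -c 'FLOOD$'
}

printf '%s\n' "$FLOW_LOG" | rate_flows 50000
```

The same script applies to any record the provider sends in this layout; only the threshold needs adjusting to whatever their notice states.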
 
Old 06-15-2010, 06:54 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Now, after a few months, I have the same problem.
Well, that really isn't any surprise at all. Unless there is an investigation, odds are the original flaws get put right back in where they can be exploited by the same people all over again. However, in your case I suspect the original problem never got addressed in the first place.

Quote:
What would be your advice, what to do?
Re-read unSpawn's original post in this thread. Absolutely every single one of those questions still stands. Until you start providing this information, you'll only get useless advice.


Quote:
Just to mention, last time the provider closed the incident by himself, because "they did not have enough information" from the server that was attacked.
Well, the problem here isn't the server being attacked, but the server doing the attacking, and apparently that server is yours. In other words, unless you did something (and if you did you need to post details), then you're still looking at the original problem being in place.

Let me be clear.... There is no magic wand here. There is no super button you click to make it all better. You need to do some digging to see if your machine has been compromised and is being used outside of your control. You'll get help here, but you need to start providing some real information.
 
Old 06-15-2010, 06:56 AM   #12
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 555
@ proNick -- In post #5 you were asked to provide a number of different data and outputs from files & commands on the machine in question. Please re-visit post #5 and consider all of the points mentioned, and provide the information requested; the log snippet you did provide does not tell folks anything much at all, certainly not enough to go about suggesting "what to do," short of wiping & reinstalling the entire system, updating every package to its latest release or security patch level, and configuring/hardening the system to make it as secure as possible, before putting it into active service again.
 
Old 06-16-2010, 09:57 PM   #13
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 99

Rep: Reputation: 21
Put yourself in the attacker's shoes...

You've successfully 0wn3d a shopping application website and potentially have 100's of credit card numbers + other customer data. Why would you scan other servers knowing that it could tip off the actual owners of the webserver that you've p0wn3ed?

I have a good guess, but I'd like to see what others think of.
 
Old 06-17-2010, 02:34 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Quote:
Originally Posted by LVsFINEST View Post
Put yourself in the attacker's shoes...
I respectfully ask LQ members to wait with discussing anything else until the OP has posted back the required information, so as not to disturb troubleshooting. If you can't wait please open your own thread and refer back to this one. TIA for understanding.
 
Old 06-19-2010, 02:57 PM   #15
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
Rep: Reputation: 15
OK, thanks, there was some intruder, but it will be OK.

Special thanks to unSpawn for the advice.
 
  

