Full Version: Problem with server. No idea whats happening
The Planet Forums > Control Panels > cPanel/WHM
WebHS
For the 4th time RS has pulled the plug on one of my servers because of AUP violations. The reason is the following:

Source IP ( My IP )
Destination IP 200.151.94.175

Sample of CAP

0.0130 seconds elapsed in capture
50.53 Mbps to 200.151.94.175
5887 PPS inbound to 200.151.94.175
0 PPS outbound from 200.151.94.175

Re-crunch on keyword: Exclude sources with:

All packets inbound or outbound to 200.151.94.175
2 2004-03-24 09:19:15.942163 64.246.60.42 -> 200.151.94.175 UDP Source port: 57505 Destination port: 17692
5 2004-03-24 09:19:15.942187 64.246.60.42 -> 200.151.94.175 UDP Source port: 57505 Destination port: 46573
13 2004-03-24 09:19:15.942253 64.246.60.42 -> 200.151.94.175 UDP Source port: 57505 Destination port: 11379
22 2004-03-24 09:19:15.943162 64.246.60.42 -> 200.151.94.175 UDP Source port: 57505 Destination port: 23245
25 2004-03-24 09:19:15.943178 64.246.60.42 -> 200.151.94.175 UDP Source port: 57505 Destination port: 28350
26 2004-03-24 09:19:15.943187 64.246.60.42 -> 200.151.94.175 UDP Source port: 57505 Destination port: 50053
28 2004-03-24 09:19:15.943199 64.246.60.42 -> 200.151.94.175 UDP Source port: 57505 Destination port: 3436

... etc


They don't explain how it happens, why, etc. I have done a few restores and I'm getting really tired of this.

Can you help?
Lippy
If this is a box that you have clients on, I would check to make sure none of them have uploaded a harmful script or program to the server.
Spokuz
And how does he discover that?
eth00
Do you allow shell (ssh or telnet) access?

Do you have a firewall installed?

Have you tried running chkrootkit?


As Lippy said, chances are some client is uploading something malicious, if you have not been hacked. The first step is to see how they are getting in, like SSH or some vuln, then work from there. Depending on how many clients you have, you should go through each one and see if they might be causing it by looking at the files they are hosting. It is a painstaking process, but if you don't properly secure your server this will happen, and sometimes even if you do secure your server.
Spokuz
The clients don't have SSH access.

I have APF installed. I also have Fast Management Server configuring the server.

I am unable to run chkrootkit since the machine is now unplugged, but when it was up I had no security problems, except for the bind shell, which RS told me was a false positive.

I have more than 100 clients on that server and some of them have more than 300MB in files, so it is "impossible" to check their files by hand.

What now? I quit and go home?
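The capture RS posted shows one local UDP source port (57505) spraying random destination ports at 50 Mbps, which is the fingerprint of a UDP flooder script running on the box. eth00's advice to go through every client's files, and the reply that 100+ accounts cannot be read by hand, can be turned into a few shell functions. The script below is an added example written for this thread, not code from any of the posters or from cPanel/APF. It assumes a cPanel layout with web roots under /home/<user>/public_html and a Linux box with ss or netstat; the flooder signature regex and the sample account tree are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Triage helpers for a cPanel/WHM box accused of sourcing a UDP flood.
# Assumptions (not stated in the thread): account web roots live under
# /home/<user>/public_html, and ss or netstat exists for the socket lookup.

# Constructs typical of PHP/Perl UDP flooders: fsockopen() to a udp:// URL,
# a SOCK_DGRAM socket, or Perl IO::Socket with Proto => 'udp'.
FLOOD_PATTERN='fsockopen\(.udp://|SOCK_DGRAM|Proto[[:space:]]*=>[[:space:]]*.udp.'

# Step 1: which local process owns the UDP source port from the abuse report?
# Needs root. Prints matching socket lines (with PID/program) or a note.
find_udp_sender() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -unap 2>/dev/null | grep -E "[:.]$port[[:space:]]" \
            || echo "no UDP socket bound to port $port (flooder may have exited)"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -unap 2>/dev/null | grep -E "[:.]$port[[:space:]]" \
            || echo "no UDP socket bound to port $port (flooder may have exited)"
    else
        echo "neither ss nor netstat found; try: lsof -i UDP:$port" >&2
        return 1
    fi
}

# Step 2: scan one web root for scripts containing flooder constructs.
# Prints one matching path per line; prints nothing when the root is clean.
scan_webroot() {
    root="$1"
    find "$root" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) \
        -exec grep -lE "$FLOOD_PATTERN" {} + 2>/dev/null || true
}

# Step 3: every account on the box, since 100+ accounts cannot be read by hand.
scan_all_accounts() {
    home_root="${1:-/home}"
    for root in "$home_root"/*/public_html; do
        [ -d "$root" ] || continue
        scan_webroot "$root"
    done
}

# Step 4: scripts changed in the last N days (default 7); cheap way to see what
# a client uploaded after the last restore, whether or not it matches a pattern.
recently_modified() {
    root="$1"; days="${2:-7}"
    find "$root" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) \
        -mtime "-$days" 2>/dev/null || true
}

# Constructed sample tree (not real client data) so the scanner can be run
# offline: two accounts, a benign contact form, a benign index page, and a
# planted CGI carrying only the udp signature line (inert, not a working flooder).
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/user1/public_html/cgi-bin" "$base/user2/public_html"
    cat > "$base/user1/public_html/contact.php" <<'EOF'
<?php mail($to, $subject, $body); ?>
EOF
    cat > "$base/user1/public_html/cgi-bin/img.cgi" <<'EOF'
#!/usr/bin/perl
# planted signature only, for the scanner demo
use IO::Socket;
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => 80, Proto => 'udp');
EOF
    cat > "$base/user2/public_html/index.php" <<'EOF'
<?php echo "hello"; ?>
EOF
    echo "$base"
}

# Usage on a real box (as root): sh udp-flood-triage.sh --run 57505 /home
if [ "${1:-}" = "--run" ]; then
    find_udp_sender "${2:-57505}"
    scan_all_accounts "${3:-/home}"
fi
```

Run step 1 while the box is still up and the flood is in progress; once the machine is unplugged, or the flooder has exited, only the file scan and the modification-time listing remain, which is why the signature grep is worth keeping as a cron job. A hit only says "this file opens UDP sockets"; read it before deleting, since some legitimate scripts (DNS or SNMP checks) also do.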