I need security help... complaints from my dedicated server provider
I'm a hosting provider, system Red Hat 9.
I received two e-mails now from my dedicated server provider about complaints about port scans and hack attempts from my computer:
Those are mails sent to my hosting provider:
This message is intended for the person responsible for computer
security at your site. If this is not the correct address, please
forward this message to the appropriate party.
Our logs show that malicious attempts were made from your network
against machines in our domain. This is definitely not an authorized
request and we view it as an attempt to probe our network for a
vulnerability.
Please see that your customer/user ceases this activity. Quite
probably it is in violation of your terms of service agreement. At
the bottom of this message I have attached a part of our log files in
order to help you track down the perpetrator (All times are GMT-3).
I would appreciate a reply that this note has been received.
Messages from our syslog
========================================================================
Aug 29 21:23:00 cadeado kernel: IN=eth1 OUT= MAC=00:e0:7d:cb:0e:c5:00:07:0e:e5:6f:54:08:00 SRC=66.79.170.120 DST=200.232.22.51 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=33211 DF PROTO=TCP SPT=53621 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 21:23:00 cadeado kernel: IN=eth1 OUT= MAC=00:e0:7d:cb:0e:c5:00:07:0e:e5:6f:54:08:00 SRC=66.79.170.120 DST=200.232.22.50 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=45586 DF PROTO=TCP SPT=53620 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 21:23:03 cadeado kernel: IN=eth1 OUT= MAC=00:e0:7d:cb:0e:c5:00:07:0e:e5:6f:54:08:00 SRC=66.79.170.120 DST=200.232.22.50 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=45587 DF PROTO=TCP SPT=53620 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 21:23:03 cadeado kernel: IN=eth1 OUT= MAC=00:e0:7d:cb:0e:c5:00:07:0e:e5:6f:54:08:00 SRC=66.79.170.120 DST=200.232.22.51 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=33212 DF PROTO=TCP SPT=53621 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Greetings,
I am seeing a number of scans from this address which is apparently
under your control. The relevant owner's host might be compromised,
infected with a worm or have some other problem.
Sample logs are below and UTC offset is +1000 (Brisbane).
Aug 26 20:41:08 66.79.170.x:38398 -> 203.5.112.16:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38399 -> 203.5.112.17:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38402 -> 203.5.112.20:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38404 -> 203.5.112.22:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38407 -> 203.5.112.25:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38408 -> 203.5.112.26:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38410 -> 203.5.112.28:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38409 -> 203.5.112.27:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38412 -> 203.5.112.30:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38413 -> 203.5.112.31:443 SYN ******S*
Aug 26 20:41:05 66.79.170.x:38445 -> 203.5.112.63:443 SYN ******S*
Aug 26 20:41:08 66.79.170.x:38395 -> 203.5.112.13:443 SYN ******S*
Aug 26 20:41:08 66.79.170.x:38397 -> 203.5.112.15:443 SYN ******S*
Aug 26 20:41:08 66.79.170.x:38396 -> 203.5.112.14:443 SYN ******S*
I put x at the end to mask my IP... because someone might as well use this bug... hmm
I need help and advice. What should I do? Where to look? What to block? I will only add that I don't provide any of my clients with shell accounts. I'm using only cPanel/WHM stuff.
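Added example, not from the original post or from either provider: a small Python parser for the netfilter/iptables LOG lines quoted in the first report, plus a check for the pattern both reports describe, one source sending bare SYNs to many hosts on the same port within a short window. The sample lines are constructed in that format with RFC 5737 addresses, and the thresholds (3 hosts, 60 seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the netfilter LOG format of the abuse report above (RFC 5737 addresses, not real hosts).
SAMPLE_LOG = """\
Aug 29 21:23:00 fw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=1001 DF PROTO=TCP SPT=53620 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 21:23:00 fw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=1002 DF PROTO=TCP SPT=53621 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 21:23:03 fw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=1003 DF PROTO=TCP SPT=53622 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 21:23:05 fw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2001 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 21:23:07 fw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Aug 29 21:23:08 fw sshd[4711]: Accepted publickey for admin from 198.51.100.9 port 40002 ssh2
""".splitlines()

# Only netfilter LOG lines match: syslog timestamp, host, "kernel:", then the IN=... field list.
HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) kernel: (IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Parse one netfilter LOG line into a dict, or return None for any other syslog line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts_text, host, body = m.groups()
    fields, flags = {}, set()
    for tok in body.split():  # KEY=VALUE pairs plus bare tokens such as DF, SYN, ACK
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    # syslog timestamps carry no year; all lines are assumed to fall in the same year
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S")
    return {"ts": ts, "host": host, "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT"), "flags": flags}

def find_syn_sweeps(lines, min_targets=3, window_seconds=60):
    """Flag sources sending pure SYNs (no ACK) to >= min_targets distinct hosts on one port within window_seconds."""
    attempts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            attempts[(rec["src"], rec["dpt"])].append((rec["ts"], rec["dst"]))
    sweeps = []
    for (src, dpt), events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window over the sorted attempts
            targets = {dst for t, dst in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                sweeps.append({"src": src, "dpt": dpt, "targets": sorted(targets), "first": t0})
                break
    return sweeps
```

A SYN/ACK reply and an unrelated sshd line are included in the sample so the filter is seen to ignore both; only the source hitting three distinct hosts on port 443 is reported.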