Hello everyone,
This is now more than the fourth time that I have had to unblock and reconfigure my server from scratch.
Indeed, I systematically receive an email from Hetzner telling me that they are experiencing DDoS attacks coming from my server's IP.
And so if I don't resolve the problem within a certain time, the server can be, and generally is, blocked in the following hours.
So I'm turning to you to find out how I could resolve this problem. Is it with fail2ban? Or something else? I don't know.
But here is an excerpt from the email:
Dear Mr _____,
We have indications that there was an attack from your server.
Please take all necessary measures to avoid this in the future and to solve the issue.
We also request that you send a short response to us. This response should contain information about how this could have happened and what you intend to do about it.
In the event that the following steps are not completed successfully, your server can be blocked at any time after the 2016-04-21 12:01:05 +0200.
How to proceed:
- Solve the issue
- Test if the issue still exists by using the following link: http://abuse.hetzner.de/retries/?token=fbdaf585813386081486deac0
- After successfully testing that the issue is resolved, send us a statement by using the following link: http://abuse.hetzner.de/statements/?token=fbdaf13386081486d
Important note:
When replying to us, please leave the abuse ID [AbuseID:34497F:23] unchanged in the subject line. Manual replies will only be handled in the event of a lock down. Should you have any questions relating to this, please contact our support staff at support@hetzner.de.
Kind regards
Hetzner-Support
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
abuse@hetzner.de
www.hetzner.com
Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner
On 20 Apr 22:00, root@monitoring2.rz1.hetzner.de wrote:
> ##########################################################################
> # Netscan detected from host 99.76.43.146 #
> ##########################################################################
>
> time protocol src_ip src_port dest_ip dest_port
> ---------------------------------------------------------------------------
Here is also the latest fail2ban report:
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Thu Apr 21 06:25:04 2016
Date Range Processed: yesterday
( 2016-Apr-20 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: Debian-83-jessie-64-minimal
##################################################################
--------------------- nginx Begin ------------------------
Connection attempts using mod_proxy:
104.148.71.133 -> www.baidu.com:443: 1 Time(s)
111.248.60.63 -> 126mx00.mxmail.netease.com:25: 1 Time(s)
A total of 1 sites probed the server
169.229.3.91
Requests with error response codes
400 Bad Request
126mx00.mxmail.netease.com:25: 1 Time(s)
null: 1 Time(s)
www.baidu.com:443: 1 Time(s)
401 Unauthorized
/EVE: 2 Time(s)
/rutorrent/: 1 Time(s)
/rutorrent/php/getplugins.php: 1 Time(s)
/rutorrent/plugins/check_port/action.php: 1 Time(s)
/rutorrent/plugins/create/action.php: 1 Time(s)
/rutorrent/plugins/trafic/action.php: 1 Time(s)
404 Not Found
//myadmin/scripts/setup.php: 1 Time(s)
//pma/scripts/setup.php: 1 Time(s)
/robots.txt: 1 Time(s)
http://zc.qq.com/cgi-bin/common/attr?id=26 ... 398956453868388: 1 Time(s)
http://zc.qq.com/cgi-bin/common/attr?id=26 ... 439625206303752: 1 Time(s)
---------------------- nginx End -------------------------
--------------------- pam_unix Begin ------------------------
vsftpd:
Authentication Failures:
unknown (178.168.184.1): 1 Time(s)
Invalid Users:
Unknown Account: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Postfix Begin ------------------------
4.273K Bytes accepted 4,376
4.442K Bytes sent via SMTP 4,549
4.273K Bytes forwarded 4,376
======== ==================================================
1 Accepted 100.00%
-------- --------------------------------------------------
1 Total 100.00%
======== ==================================================
2 Removed from queue
1 Sent via SMTP
1 Forwarded
---------------------- Postfix End -------------------------
--------------------- vsftpd-messages Begin ------------------------
Failed FTP Logins:
(178.168.184.1): anonymous - 1 Time(s)
---------------------- vsftpd-messages End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/md2 197G 2.5G 185G 2% /
udev 10M 0 10M 0% /dev
/dev/md1 488M 35M 428M 8% /boot
/dev/md3 5.3T 120G 4.9T 3% /home
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
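A small parser for the "Netscan detected" notice format quoted in the post, added here as an example and not part of the original post or of Hetzner's tooling; the report lines are constructed in the same layout using RFC 5737 documentation addresses. It turns the list into a triage summary: how many hosts were contacted, which local source ports the connections used, the time window, and whether the pattern looks like scanning (many hosts, each hit only a few times).

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the layout of Hetzner's "Netscan detected" notice above
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_REPORT = """\
> time protocol src_ip src_port dest_ip dest_port
> ---------------------------------------------------------------------------
> Wed Apr 20 21:52:27 2016 TCP 198.51.100.7 35206 => 203.0.113.10 6141
> Wed Apr 20 21:52:28 2016 TCP 198.51.100.7 35206 => 203.0.113.10 6141
> Wed Apr 20 21:56:05 2016 TCP 198.51.100.7 50845 => 203.0.113.22 34735
> Wed Apr 20 21:57:05 2016 TCP 198.51.100.7 51763 => 203.0.113.31 33340
> Wed Apr 20 21:47:44 2016 TCP 198.51.100.7 34556 => 203.0.113.44 62635
> Wed Apr 20 21:59:37 2016 TCP 198.51.100.7 44765 => 203.0.113.44 51754
"""
# One attempt per line; the leading "> " is only the mail client's quoting.
LINE_RE = re.compile(
    r"^>?\s*(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) => (?P<dst>[\d.]+) (?P<dport>\d+)\s*$"
)

def parse_netscan(text):
    """Return one dict per attempt; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({
                "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
            })
    return rows

def summarize(rows, min_hosts=4):
    """Triage view: target breadth, local ports, time span and a scan-like flag
    (many distinct hosts, each contacted only a few times)."""
    per_target = defaultdict(int)
    for r in rows:
        per_target[f'{r["dst"]}:{r["dport"]}'] += 1
    hosts = {r["dst"] for r in rows}
    return {
        "attempts": len(rows),
        "distinct_dest_hosts": len(hosts),
        "local_source_ports": sorted({r["sport"] for r in rows}),
        "retries_per_target": dict(per_target),
        "first": min(r["time"] for r in rows),
        "last": max(r["time"] for r in rows),
        "scan_like": len(hosts) >= min_hosts and max(per_target.values()) <= 4,
    }
```

The local source ports are the column to correlate against the server's own connection table (for example `ss -tnp`) while the activity is ongoing, to find the process that owns them.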