Good evening,
I have a server at Hetzner and, for the second time, a netscan originating from my server has been reported to me.
The targeted IP address range is located in the US and belongs to whitehouse telecom:
Tue May 3 09:12:47 2016 TCP 176.*.*.* 39514 => 54.58.5.39 20811
Tue May 3 09:12:49 2016 TCP 176.*.*.* 39514 => 54.58.5.39 20811
Tue May 3 09:12:53 2016 TCP 176.*.*.* 57895 => 249.31.54.58 22258
Tue May 3 09:12:53 2016 TCP 176.*.*.* 47390 => 54.58.78.207 46181
Tue May 3 09:12:45 2016 TCP 176.*.*.* 59037 => 54.58.163.172 2419
Tue May 3 09:12:46 2016 TCP 176.*.*.* 59037 => 54.58.163.172 2419
Tue May 3 09:12:48 2016 TCP 176.*.*.* 59037 => 54.58.163.172 2419
Tue May 3 09:12:52 2016 TCP 176.*.*.* 59037 => 54.58.163.172 2419
Tue May 3 09:12:44 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:45 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:47 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:51 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:53 2016 TCP 176.*.*.* 44280 => 54.58.78.231 28965
Tue May 3 09:12:46 2016 TCP 176.*.*.* 33138 => 54.58.5.135 39141
Tue May 3 09:12:47 2016 TCP 176.*.*.* 33138 => 54.58.5.135 39141
Tue May 3 09:12:49 2016 TCP 176.*.*.* 33138 => 54.58.5.135 39141
Tue May 3 09:12:46 2016 TCP 176.*.*.* 43265 => 54.58.81.220 36956
Tue May 3 09:12:47 2016 TCP 176.*.*.* 43486 => 54.58.81.220 36956
Tue May 3 09:12:47 2016 TCP 176.*.*.* 43265 => 54.58.81.220 36956
Tue May 3 09:12:48 2016 TCP 176.*.*.* 43486 => 54.58.81.220 36956
Tue May 3 09:12:49 2016 TCP 176.*.*.* 43265 => 54.58.81.220 36956
Tue May 3 09:12:50 2016 TCP 176.*.*.* 43486 => 54.58.81.220 36956
Tue May 3 09:12:28 2016 TCP 176.*.*.* 34464 => 54.58.141.255 36956
Tue May 3 09:12:44 2016 TCP 176.*.*.* 46581 => 54.58.37.187 416
Tue May 3 09:12:45 2016 TCP 176.*.*.* 46581 => 54.58.37.187 416
Tue May 3 09:12:47 2016 TCP 176.*.*.* 46581 => 54.58.37.187 416
Tue May 3 09:12:51 2016 TCP 176.*.*.* 46581 => 54.58.37.187 416
Tue May 3 09:12:24 2016 TCP 176.*.*.* 48988 => 54.58.90.27 17715
Tue May 3 09:12:44 2016 TCP 176.*.*.* 56175 => 54.58.176.146 39979
Tue May 3 09:12:45 2016 TCP 176.*.*.* 56175 => 54.58.176.146 39979
Tue May 3 09:12:46 2016 TCP 176.*.*.* 56603 => 54.58.176.146 39979
Tue May 3 09:12:47 2016 TCP 176.*.*.* 56603 => 54.58.176.146 39979
Tue May 3 09:12:47 2016 TCP 176.*.*.* 56935 => 54.58.176.146 39979
Tue May 3 09:12:47 2016 TCP 176.*.*.* 56175 => 54.58.176.146 39979
Tue May 3 09:12:48 2016 TCP 176.*.*.* 56935 => 54.58.176.146 39979
Tue May 3 09:12:49 2016 TCP 176.*.*.* 56603 => 54.58.176.146 39979
Tue May 3 09:12:50 2016 TCP 176.*.*.* 56935 => 54.58.176.146 39979
Tue May 3 09:12:51 2016 TCP 176.*.*.* 56175 => 54.58.176.146 39979
Tue May 3 09:12:46 2016 TCP 176.*.*.* 36794 => 54.58.88.160 1454
Tue May 3 09:12:46 2016 TCP 176.*.*.* 36892 => 54.58.88.160 1454
Tue May 3 09:12:47 2016 TCP 176.*.*.* 36794 => 54.58.88.160 1454
Tue May 3 09:12:47 2016 TCP 176.*.*.* 36837 => 54.58.88.160 1454
Tue May 3 09:12:47 2016 TCP 176.*.*.* 36892 => 54.58.88.160 1454
Tue May 3 09:12:49 2016 TCP 176.*.*.* 36794 => 54.58.88.160 1454
Tue May 3 09:12:49 2016 TCP 176.*.*.* 36837 => 54.58.88.160 1454
Tue May 3 09:12:49 2016 TCP 176.*.*.* 36892 => 54.58.88.160 1454
Tue May 3 09:12:53 2016 TCP 176.*.*.* 39751 => 54.58.5.135 42021
Tue May 3 09:12:53 2016 TCP 176.*.*.* 60179 => 54.58.88.169 7305
Tue May 3 09:12:28 2016 TCP 176.*.*.* 56160 => 54.58.5.196 19782
Tue May 3 09:12:46 2016 TCP 176.*.*.* 38559 => 54.58.176.31 62238
Tue May 3 09:12:47 2016 TCP 176.*.*.* 38559 => 54.58.176.31 62238
Tue May 3 09:12:49 2016 TCP 176.*.*.* 38559 => 54.58.176.31 62238
Tue May 3 09:12:53 2016 TCP 176.*.*.* 34170 => 54.58.88.166 37922
Tue May 3 09:12:46 2016 TCP 176.*.*.* 58825 => 54.58.37.48 31938
Tue May 3 09:12:47 2016 TCP 176.*.*.* 58825 => 54.58.37.48 31938
Tue May 3 09:12:49 2016 TCP 176.*.*.* 58825 => 54.58.37.48 31938
Tue May 3 09:12:28 2016 TCP 176.*.*.* 42711 => 54.58.151.80 26898
Tue May 3 09:12:24 2016 TCP 176.*.*.* 57722 => 54.58.90.112 23039
Tue May 3 09:12:45 2016 TCP 176.*.*.* 33447 => 54.58.82.235 11568
Tue May 3 09:12:46 2016 TCP 176.*.*.* 33447 => 54.58.82.235 11568
Tue May 3 09:12:48 2016 TCP 176.*.*.* 33447 => 54.58.82.235 11568
Tue May 3 09:12:52 2016 TCP 176.*.*.* 33447 => 54.58.82.235 11568
Tue May 3 09:12:44 2016 TCP 176.*.*.* 54853 => 54.58.84.75 53388
Tue May 3 09:12:45 2016 TCP 176.*.*.* 54853 => 54.58.84.75 53388
Tue May 3 09:12:46 2016 TCP 176.*.*.* 55252 => 54.58.84.75 53388
Tue May 3 09:12:47 2016 TCP 176.*.*.* 55252 => 54.58.84.75 53388
Tue May 3 09:12:47 2016 TCP 176.*.*.* 55611 => 54.58.84.75 53388
Tue May 3 09:12:47 2016 TCP 176.*.*.* 54853 => 54.58.84.75 53388
Tue May 3 09:12:48 2016 TCP 176.*.*.* 55611 => 54.58.84.75 53388
Tue May 3 09:12:49 2016 TCP 176.*.*.* 55252 => 54.58.84.75 53388
Tue May 3 09:12:50 2016 TCP 176.*.*.* 55611 => 54.58.84.75 53388
Tue May 3 09:12:53 2016 TCP 176.*.*.* 38268 => 54.58.82.230 987
Tue May 3 09:12:44 2016 TCP 176.*.*.* 60465 => 54.58.86.246 5190
Tue May 3 09:12:47 2016 TCP 176.*.*.* 60465 => 54.58.86.246 5190
Tue May 3 09:12:51 2016 TCP 176.*.*.* 60465 => 54.58.86.246 5190
Tue May 3 09:12:44 2016 TCP 176.*.*.* 54223 => 54.58.79.93 63329
Tue May 3 09:12:45 2016 TCP 176.*.*.* 54223 => 54.58.79.93 63329
Tue May 3 09:12:47 2016 TCP 176.*.*.* 54223 => 54.58.79.93 63329
Tue May 3 09:12:51 2016 TCP 176.*.*.* 54223 => 54.58.79.93 63329
Tue May 3 09:12:53 2016 TCP 176.*.*.* 56080 => 54.58.78.252 769
I set up an iptables rule as best I could, which gives me this:
target prot opt source destination
REJECT all -- 54.58.0.0/16 anywhere reject-with icmp-port-unreachable
DROP all -- anywhere 54.58.0.0/16
And when I run netstat:
tcp 0 1 xxx.yyy.:39832 54.58.88.161:57614 SYN_SENT
tcp 0 1 xxx.yyy.:32939 54.58.90.63:7017 SYN_SENT
tcp 0 1 xxx.yyy.:35734 54.58.88.160:1454 SYN_SENT
I still find outgoing connections to this IP range. At this point I don't understand anything anymore. If anyone has an idea, I'm all ears.
The server was installed a week ago; it has clamav, fail2ban, rkhunter, portsentry ... I checked and did not find anything that would be chatty with this range. It is used as a seedbox (installation script from this forum).
Thanks for your help
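
An added example, not part of the original post: a small parser for the report format shown above that groups lines into flows, so repeated lines with the same source port and destination (one connection attempt whose SYN is resent with growing delays) are told apart from attempts to new targets. The function name `summarize` and the returned field names are assumptions of this example; the sample lines are copied from the report in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the report in the post (source address is masked there).
SAMPLE = """\
Tue May 3 09:12:44 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:45 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:47 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:51 2016 TCP 176.*.*.* 43267 => 54.58.78.231 28965
Tue May 3 09:12:53 2016 TCP 176.*.*.* 44280 => 54.58.78.231 28965
Tue May 3 09:12:53 2016 TCP 176.*.*.* 56080 => 54.58.78.252 769
"""

LINE_RE = re.compile(
    r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (TCP|UDP) (\S+) (\d+) => (\S+) (\d+)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def summarize(report: str) -> dict:
    """Group report lines by (source port, destination, destination port)."""
    flows = defaultdict(list)
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a report line
        ts, _proto, _src, sport, dst, dport = m.groups()
        key = (int(sport), dst, int(dport))
        flows[key].append(datetime.strptime(ts, TS_FORMAT))

    backoff = 0
    for stamps in flows.values():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Same flow resent with strictly growing delays: consistent with one
        # connection attempt being retried, not with several new attempts.
        if len(gaps) >= 2 and all(x < y for x, y in zip(gaps, gaps[1:])):
            backoff += 1

    return {
        "lines": sum(len(s) for s in flows.values()),
        "flows": len(flows),
        "hosts": len({dst for _, dst, _ in flows}),
        "targets": len({(dst, dport) for _, dst, dport in flows}),
        "backoff_flows": backoff,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
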