
Server hacked disaster


ercapitan
16/05/2016, 22h40
Quote originally posted by nowwhat
What exactly is the mail you received from KS?
An email in Spanish saying that we have a DDoS attack; I think it is a DNS attack.
Attack detail : 27Kpps/6Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.05.16 18:44:23 CEST 91.121.82.133:36874 149.202.225.81:53 UDP --- 29 ATTACKNS
2016.05.16 18:44:23 CEST 91.121.82.133:36874 149.202.225.81:53 UDP --- 29 ATTACKNS

You really have clients on a KS?
Yes, it is an error.

nowwhat
16/05/2016, 22h32
What exactly is the mail you received from KS?
You really have clients on a KS?

ercapitan
16/05/2016, 22h14
You managed to get rescue access?
Hello, I can't manage rescue access. OVH stopped it.

I understand that a simple program in Perl or PHP is running in my OS, but OVH stopped my server and all my customers.
Quote originally posted by nowwhat
You managed to get rescue access?
You mounted your partitions?
So your (example) "messages" log is here: /mnt/var/log/messages.log, right?

Understand that if rkhunter can't find anything suspect, then all you know is that ..... rkhunter couldn't find anything suspect.
This doesn't mean your server isn't contaminated.

It could be (just an example) a small Perl script that DDoS attacks other servers.
This small script doesn't log, so there is no need to look into your log file: it wasn't logging. Anyway, these kinds of scripts will NEVER log; why should they give you the ability to detect them? They won't, and that's logical.

These scripts are often uploaded by badly written PHP code (a very badly written plugin for a CMS is nearly always involved), so they were uploaded by the web server. This upload will be visible in the web server's log files (Apache, etc.).

fail2ban blocks incoming connections based on YOUR rules.
I guess you didn't include a rule for outgoing connections; neither do you have a log for this.
fail2ban is used for other types of protection, not for blocking a 'hack program' that's running on your server.

nowwhat
16/05/2016, 21h02
Quote originally posted by ercapitan
This is my log /var/log/secure: no activity at 18:44
This is my log /var/log/maillog: normal users, my customers
This is my log /var/log/messages: I can't find abnormal logs
fail2ban.log: normal

You can see my /var/log/rkhunter.log

[03:21:13] Rootkit checks...
[03:21:13] Rootkits checked : 378
[03:21:13] Possible rootkits: 0
You managed to get rescue access?
You mounted your partitions?
So your (example) "messages" log is here: /mnt/var/log/messages.log, right?

Understand that if rkhunter can't find anything suspect, then all you know is that ..... rkhunter couldn't find anything suspect.
This doesn't mean your server isn't contaminated.

It could be (just an example) a small Perl script that DDoS attacks other servers.
This small script doesn't log, so there is no need to look into your log file: it wasn't logging. Anyway, these kinds of scripts will NEVER log; why should they give you the ability to detect them? They won't, and that's logical.

These scripts are often uploaded by badly written PHP code (a very badly written plugin for a CMS is nearly always involved), so they were uploaded by the web server. This upload will be visible in the web server's log files (Apache, etc.).

fail2ban blocks incoming connections based on YOUR rules.
I guess you didn't include a rule for outgoing connections; neither do you have a log for this.
fail2ban is used for other types of protection, not for blocking a 'hack program' that's running on your server.
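The advice above (the flood script itself won't log; its upload will show up in the Apache log) and the OVH notice earlier in the thread can be tied together mechanically. The following is an added triage example, not code from the forum or from OVH: it parses the notice's attack-detail lines, notes that a single fixed source port means one long-lived UDP socket (one process), then scans constructed sample access-log lines in a look-back window before the attack started for PHP being executed from upload/cache directories and for scripts whose very first request was a POST. The plugin path, the client addresses and the heuristics are assumptions for illustration.

```python
"""Correlate an OVH anti-DDoS notice with the web server's access log (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Layout of OVH's attack-detail rows, as printed in the notice:
#   dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
OVH_LINE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+) (?P<flags>\S+) (?P<bytes>\d+) (?P<reason>\S+)$"
)
TZ_OFFSETS = {"CET": 1, "CEST": 2}  # assumption: OVH prints Paris local time

# Apache common/combined log prefix: client, timestamp, method, path, status.
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
# Directories that should only ever hold uploaded or generated content, never executable PHP.
CONTENT_ONLY_DIRS = ("/uploads/", "/cache/", "/tmp/", "/temp/", "/images/")


def parse_notice(text):
    """Return the attack-detail rows of an OVH notice as dicts, oldest first."""
    rows = []
    for line in text.splitlines():
        m = OVH_LINE.match(line.strip())
        if not m:
            continue  # header and free-text lines
        tz = timezone(timedelta(hours=TZ_OFFSETS[m["tz"]]))
        when = datetime.strptime(m["date"] + " " + m["time"], "%Y.%m.%d %H:%M:%S").replace(tzinfo=tz)
        rows.append({"when": when, "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                     "dport": int(m["dport"]), "proto": m["proto"], "reason": m["reason"]})
    return sorted(rows, key=lambda r: r["when"])


def summarize_attack(rows):
    """Attack start plus socket facts: one source port means one long-lived socket, i.e. one process."""
    sports = sorted({r["sport"] for r in rows})
    return {"start": rows[0]["when"], "source_ports": sports, "single_socket": len(sports) == 1,
            "dst_port": rows[0]["dport"], "proto": rows[0]["proto"]}


def parse_access_log(lines):
    out = []
    for line in lines:
        m = APACHE_LINE.match(line)
        if m:
            out.append({"ip": m["ip"], "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                        "method": m["method"], "path": m["path"].split("?")[0],
                        "status": int(m["status"]), "raw": line})
    return out


def suspicious_requests(entries, attack_start, lookback=timedelta(hours=48)):
    """Flag requests in [attack_start - lookback, attack_start] that look like a drop or a trigger.

    Heuristics (assumptions, tune them for your CMS):
      A) a .php path under a content-only directory answered with 200;
      B) a .php path whose first request in the whole log is a POST answered with 200
         (a form is normally rendered by a GET first; a dropped backdoor is just called).
    """
    seen, flagged = set(), []
    for e in sorted(entries, key=lambda e: e["when"]):
        first_time = e["path"] not in seen
        seen.add(e["path"])  # count every line, even outside the window, for rule B
        in_window = attack_start - lookback <= e["when"] <= attack_start
        if not (in_window and e["path"].endswith(".php") and e["status"] == 200):
            continue
        if any(d in e["path"] for d in CONTENT_ONLY_DIRS):
            flagged.append(("A:php-in-content-dir", e))
        elif first_time and e["method"] == "POST":
            flagged.append(("B:first-seen-via-POST", e))
    return flagged


def triage(notice_text, access_log_lines):
    attack = summarize_attack(parse_notice(notice_text))
    return attack, suspicious_requests(parse_access_log(access_log_lines), attack["start"])


# Constructed sample inputs (not data from the server in the thread); the plugin path is hypothetical.
SAMPLE_NOTICE = """\
Attack detail : 27Kpps/6Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.05.16 18:44:23 CEST 91.121.82.133:36874 149.202.225.81:53 UDP --- 29 ATTACKNS
2016.05.16 18:44:23 CEST 91.121.82.133:36874 149.202.225.81:53 UDP --- 29 ATTACKNS
"""
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [16/May/2016:17:58:02 +0200] "GET /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/May/2016:17:58:09 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [16/May/2016:18:02:41 +0200] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 53 "-" "python-requests/2.9"',
    '198.51.100.23 - - [16/May/2016:18:03:05 +0200] "GET /wp-content/uploads/2016/05/x.php HTTP/1.1" 200 17 "-" "python-requests/2.9"',
    '198.51.100.23 - - [16/May/2016:18:03:40 +0200] "POST /wp-content/uploads/2016/05/x.php?cmd=run HTTP/1.1" 200 0 "-" "python-requests/2.9"',
    '192.0.2.50 - - [16/May/2016:18:40:12 +0200] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    attack, flagged = triage(SAMPLE_NOTICE, SAMPLE_ACCESS_LOG)
    print("attack started", attack["start"], "single socket:", attack["single_socket"])
    for tag, e in flagged:
        print(tag, e["ip"], e["when"].time(), e["method"], e["path"])
```

In rescue mode the log to feed in is the mounted copy (for example /mnt/var/log/httpd/access_log on CentOS), and the flagged paths are the files to inspect and remove; a fresh install that reinstalls the same plugin will be dropped on again.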

ercapitan
16/05/2016, 20h35
This is my log /var/log/secure: no activity at 18:44
This is my log /var/log/maillog: normal users, my customers
This is my log /var/log/messages: I can't find abnormal logs
fail2ban.log: normal

You can see my /var/log/rkhunter.log

[03:21:13] Rootkit checks...
[03:21:13] Rootkits checked : 378
[03:21:13] Possible rootkits: 0

Quote originally posted by ercapitan
We installed a new server this Sunday because OVH said that we had a hack attack; we have installed a lot of applications: fail2ban, modsecurity, ddos-deflate.... I don't want to lose all my customers.

My server is ns319905.ip-91-121-82.eu. Please, please open the server in rescue mode. I can't find what the problem is.

ercapitan
16/05/2016, 20h13
We installed a new server this Sunday because OVH said that we had a hack attack; we have installed a lot of applications: fail2ban, modsecurity, ddos-deflate.... I don't want to lose all my customers.

My server is ns319905.ip-91-121-82.eu. Please, please open the server in rescue mode. I can't find what the problem is.