Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander2020-07-22 17:47:08
linux
Alexander, 2020-07-22 17:47:08

What is the meaning of abuza?

There is a grandfather at Hetzner.
Abuses of the form periodically come:

24940 | our.ip.shn.to | 2020-07-21 05:46:00 | 100000 4 111/udp; 100000 3 111/udp; 100000 2111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2111/udp; 100005 1 45736/udp; 100005 1 57373/udp; 100005 2 56575/udp; 100005 2 48537/udp; 100005 3 35945/udp; 100005 3 44941/udp; 100003 3 2049/udp; 100003 4 2049/udp; 100227 3 2049/udp; 100003 3 2049/udp; 100227 3 2049/udp; 100021 1 38104/udp; 100021 3 38104/udp; 100021 4 38104/udp; 100021 1 37263/udp; 100021 3 37263/udp; 100021 4 37263/udp;

abuza screen
FNwkkVU.png


Actually, this is the whole content part.
The rest of the email content boils down to "we received an alert from BSI and are forwarding it to you - here it is".

And that's it. What is the problem? What do they want?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
S
Saboteur, 2020-07-22
Madzhugin @Suntechnic

You have portmapper open outside, port 111 tcp/udp
Indirectly, this is a vulnerability that allows attackers to use it for DDOS attacks.
Usually it is needed for NFS or RPD, but it is extremely rare for someone to do it directly over the Internet. Through the Internet, they often do ssh or already turn on VPN and already rummage inside.
If you do not use such services, just close the portmapper outside.

Report
A
Andrey Gavrilov, 2020-07-22
@thexaver

Hetzner wants everyone to fix it

Report
K
Karpion, 2020-07-22
@Karpion

Deny all traffic at the packet level, except for what you really need.

Report
V
Vladimir, 2020-07-22
@MechanID

Based on the abuse, suspicious traffic was detected - in my biased opinion, this looks like the activity of a botnet member.
Accordingly, you need to find which process on your server generates traffic that the hoster points to, and either this is a botnet process and you need to clean it up and figure out how you were hacked, or explain to the hoster that this is normal activity in your opinion, the explanation should be as detailed as possible.

Similar questions
N
Nikita Reshetnyak2019-10-07 07:26:25
Why can't you hear the interlocutor in the absence of a tunnel between offices? 2Reply
L
LexLoveG2019-12-11 04:38:10
How to edit .sav files? 3Reply
R
Roman2017-08-16 16:14:51
Yes, what's the problem? 4Reply
I
Ilya2015-02-10 23:47:32
ubuntu server vs debian? 5Reply
I
Inter Carpenter2017-02-12 21:58:44
How to stop command output through BASH? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question