linux
Z0nd0R, 2013-12-05 09:33:50

Why is the server attacking port 80?

Good day!
I received a "letter of happiness" from Hetzner.
In short, a letter stating that an attack is underway from my server. The server sent requests to port 80 on two subnets, at least in the log fragment that was sent.

----- attachment -----

##########################################################################
#               Netscan detected from host   xxx.xxx.xxx.xxx               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Wed Dec  4 21:22:24 2013 TCP   xxx.xxx.xxx.xxx 8835  =>  yyy.yyy.yyy.yyy 80
Wed Dec  4 21:22:49 2013 TCP   xxx.xxx.xxx.xxx 28726 =>  yyy.yyy.yyy.yyy 80
Wed Dec  4 21:22:07 2013 TCP   xxx.xxx.xxx.xxx 15211 =>  yyy.yyy.yyy.yyy 80
Wed Dec  4 21:23:27 2013 TCP   xxx.xxx.xxx.xxx 34591 =>  yyy.yyy.yyy.yyy 80
Wed Dec  4 21:23:27 2013 TCP   xxx.xxx.xxx.xxx 34591 =>  yyy.yyy.yyy.yyy 80

I have never had to deal with this before. Could you suggest diagnostic options, or has anyone come across this and found a solution?
About two or three weeks ago I did a software update on the server.
P.S. I installed Rkhunter and ran it; there was nothing suspicious, it seems.
P.P.S. OS: CentOS 6.5, server hosted by Hetzner, atomic repository connected.
Thanks in advance.
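Before answering the question, it helps to read the attachment mechanically rather than by eye. The following is an added example (not code from the question or from Hetzner) that parses rows in the layout of the "Netscan detected" attachment and aggregates them: which destination /24s and ports were hit, how many distinct targets there are, whether the excerpt contains exact duplicate rows (the last two rows above are identical), and how many seconds the excerpt spans. The sample rows and addresses are constructed (RFC 5737 documentation ranges), not the real hosts.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the "Netscan detected" attachment above.
# Addresses are RFC 5737 documentation ranges, not the hosts from the question.
SAMPLE_REPORT = """\
time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Wed Dec  4 21:22:24 2013 TCP   192.0.2.10 8835  =>  198.51.100.7 80
Wed Dec  4 21:22:49 2013 TCP   192.0.2.10 28726 =>  198.51.100.9 80
Wed Dec  4 21:22:07 2013 TCP   192.0.2.10 15211 =>  203.0.113.44 80
Wed Dec  4 21:23:27 2013 TCP   192.0.2.10 34591 =>  203.0.113.45 80
Wed Dec  4 21:23:27 2013 TCP   192.0.2.10 34591 =>  203.0.113.45 80
"""

# One data row: timestamp, protocol, src ip/port, "=>", dst ip/port.
ROW_RE = re.compile(
    r"^(?P<time>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<proto>TCP|UDP)\s+"
    r"(?P<src_ip>[\d.]+)\s+(?P<src_port>\d+)\s+=>\s+"
    r"(?P<dst_ip>[\d.]+)\s+(?P<dst_port>\d+)\s*$"
)


def parse_netscan_report(text):
    """Return one dict per data row; header, ruler and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["time"] = datetime.strptime(row["time"], "%a %b %d %H:%M:%S %Y")
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        flows.append(row)
    return flows


def summarize(flows):
    """Aggregate the rows the way you would when reading the abuse report:
    which /24s and ports were hit, how many distinct targets, whether the
    excerpt contains exact duplicates, and how long the excerpt spans."""
    by_subnet = Counter(
        ".".join(f["dst_ip"].split(".")[:3]) + ".0/24" for f in flows
    )
    by_port = Counter(f["dst_port"] for f in flows)
    exact = Counter(
        (f["time"], f["src_port"], f["dst_ip"], f["dst_port"]) for f in flows
    )
    times = [f["time"] for f in flows]
    return {
        "entries": len(flows),
        "unique_destinations": len({f["dst_ip"] for f in flows}),
        "dest_subnets": dict(by_subnet),
        "dest_ports": dict(by_port),
        "duplicate_entries": sum(n - 1 for n in exact.values()),
        "span_seconds": (max(times) - min(times)).total_seconds() if times else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_netscan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

A five-row excerpt cannot tell you the rate at which the server was sending; it only shows the pattern (one source, many destinations, always port 80, random source ports). Ask the provider for the full log or the flow data before drawing conclusions from it.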

4 answers

pomeo (@pomeo), 2013-12-05

What they call an attack is not what you think. I had such a case:

Hello!
Unfortunately, we are forced to inform you that a complaint has been received about your xxxx server from the Datacenter for an attack on external resources.
Please let us know when your admins are available and able to isolate the issue.
You can also use the help of our administrators (in this case, for the fastest resolution, provide the root password to the server right in this ticket).
Please note that if there is no response to the complaint for more than 3 hours, your server will be blocked in order to avoid the Datacenter blocking the network. If you fixed the problem yourself, be sure to notify us by replying to this ticket.
You can find the details of the complaint below.
Direction OUT
Internal xxxx
Threshold Packets 30.000 packets/s
Sum 9.656.000 packets/300s (32.186 packets/s), 11 flows/300s (0 flows/s), 13.462 GByte/300s (367 MBit/s)

Only there was no attack. The key here is "Threshold Packets 30.000 packets/s" versus my "32.186 packets/s": the traffic limit was simply exceeded, that's all, no attack.

bmkobzar (@bmkobzar), 2013-12-05

Obviously your server has websites, an FTP server, some open port, or an SSH system user with a simple password.
The options can be very different.
If some user has a weak password, then bots from all over the world could have guessed it and put something into execution.
As protection, you can install DenyHosts; in my case hundreds of IPs a day go into the ban.
If there is some open port for communication, configure iptables or a firewall.
From the console of some other computer, run "nmap xxx.xxx.xxx.xxx", where xxx.xxx.xxx.xxx is the IP of your server. This will help identify any extra port exposed to the world.
If there is FTP on the server, check from the logs what someone uploaded on the eve of the "letter of happiness".
If there are client sites on open-source CMSs, check them; it often happens that some WP or OpenCart gets broken into and malware is poured in through it.
Then you can check the crontabs of all users for suspicious stuff.
Or install clamscan or maldet and check everything for everything.
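The checks above start from the outside (nmap, FTP logs, crontabs). The quickest check from the inside is to look at which local process owns the client sockets towards port 80. The following is an added example, not from the answer, that parses output in the layout of iproute2's `ss -ntp` (run as root so the process column is populated; `netstat -ntp` prints the same information in a slightly different layout) and counts, per (process name, pid), the sockets where our address is the client side and the peer port is the one named in the abuse report. The sample output, addresses and process names are constructed; `our_listen_ports` is an assumed list of ports this host serves, used so that inbound connections to our own web server are not counted.

```python
import re
from collections import Counter

# Constructed sample of `ss -ntp` output (layout of iproute2's ss; run as root
# so the process column is filled). Addresses are documentation ranges.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
ESTAB      0      0      192.0.2.10:22           203.0.113.8:51522   users:(("sshd",pid=1201,fd=3))
SYN-SENT   0      1      192.0.2.10:8835         198.51.100.7:80     users:(("perl",pid=2311,fd=4))
SYN-SENT   0      1      192.0.2.10:28726        198.51.100.9:80     users:(("perl",pid=2311,fd=5))
ESTAB      0      0      192.0.2.10:80           203.0.113.21:40112  users:(("httpd",pid=987,fd=12))
SYN-SENT   0      1      192.0.2.10:15211        203.0.113.44:80     users:(("perl",pid=2311,fd=6))
ESTAB      0      0      192.0.2.10:44120        198.51.100.30:80    users:(("curl",pid=4010,fd=5))
"""

SOCK_RE = re.compile(
    r"^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+?):(?P<lport>\d+)\s+"
    r"(?P<paddr>\S+?):(?P<pport>\d+)\s*(?P<proc>.*)$"
)
PROC_RE = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text):
    """Yield (state, local ip, local port, peer ip, peer port, proc name, pid)."""
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if not m:
            continue  # header line
        p = PROC_RE.search(m["proc"])
        name, pid = (p["name"], int(p["pid"])) if p else ("?", None)
        yield (m["state"], m["laddr"], int(m["lport"]),
               m["paddr"], int(m["pport"]), name, pid)


def outbound_by_process(text, our_ip, peer_port=80, our_listen_ports=(22, 80, 443)):
    """Count sockets per (process, pid) where *we* are the client talking to
    peer_port: local address is ours, local port is not one of our listening
    ports (assumed list), peer port is the one named in the abuse report."""
    counts = Counter()
    for state, laddr, lport, paddr, pport, name, pid in parse_ss(text):
        if laddr == our_ip and pport == peer_port and lport not in our_listen_ports:
            counts[(name, pid)] += 1
    return dict(counts)


if __name__ == "__main__":
    ranked = sorted(outbound_by_process(SAMPLE_SS, "192.0.2.10").items(),
                    key=lambda kv: -kv[1])
    for (name, pid), n in ranked:
        print(f"{name} (pid {pid}): {n} client sockets to :80")
```

On the live box you would feed it the real output (`ss -ntp | python3 this.py`, adapting the main block to read stdin) and then look at `/proc/<pid>/exe`, `/proc/<pid>/cwd` and `/proc/<pid>/cmdline` of whatever process tops the list; a `perl` or `php` process with many half-open client sockets to :80, owned by a web server or FTP account, is exactly what the other answers describe.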

throughtheether (@throughtheether), 2013-12-05

I consider it unconstructive to believe every automatically generated letter in the absence of other data (traffic dumps, etc.).
In case this letter was originally created by the owner of the address yyy.yyy.yyy.yyy and only forwarded to you automatically, the following option is possible.
This may be a consequence of a SYN flood on the socket yyy.yyy.yyy.yyy:80 with spoofing (substitution) of source addresses, so it could happen that your address was used. To better understand the situation, you can ask the Hetzner administration to analyze the flow data (NetFlow, sFlow, depending on what they collect) in order to clarify:
a) whether TCP traffic from your server (xxx.xxx.xxx.xxx) to the attacked socket (yyy.yyy.yyy.yyy:80) was observed at the specified time;
b) whether TCP traffic from yyy.yyy.yyy.yyy:80 to xxx.xxx.xxx.xxx was observed at the specified time.
If b) is true, then most likely the attack took place and the attacked server responded with SYN-ACK to your (or not your) SYN (this is one of the possibilities). If at the same time a) is false, the source address was spoofed and you have nothing to do with it. If a) is true, then the problem is either on your server or on the Hetzner network (i.e. another client of theirs forged source addresses, which is possible under certain conditions).
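The a)/b) reasoning above can be applied to flow records directly once the provider hands them over. The following is an added example, not part of the answer, that takes NetFlow-style unidirectional records (constructed here, with documentation addresses) and implements the two checks plus the backscatter test that ties them together: an inbound SYN-ACK from victim:80 whose 4-tuple has no matching outbound SYN from our host is backscatter from a spoofed SYN, whereas a SYN-ACK that matches a SYN we really sent is an ordinary connection. The record layout, the flag-set representation and the verdict strings are assumptions of the example.

```python
from collections import Counter

OUR_IP = "192.0.2.10"

# Constructed flow records (NetFlow-style, one record per unidirectional flow):
# (src_ip, src_port, dst_ip, dst_port, tcp_flags). As in NetFlow, the flags
# field is the OR of all flags seen in the flow. Documentation addresses only.
SAMPLE_FLOWS = [
    # 1) a connection our host really opened to 198.51.100.7:80: our SYN out,
    #    the peer's SYN-ACK back on the same 4-tuple
    ("192.0.2.10", 41000, "198.51.100.7", 80, {"S", "A", "P", "F"}),
    ("198.51.100.7", 80, "192.0.2.10", 41000, {"S", "A", "P", "F"}),
    # 2) backscatter from 198.51.100.9:80: SYN-ACKs arrive for ports we never
    #    used, because someone else sent SYNs with our address as the source
    ("198.51.100.9", 80, "192.0.2.10", 8835, {"S", "A"}),
    ("198.51.100.9", 80, "192.0.2.10", 28726, {"S", "A"}),
    ("198.51.100.9", 80, "192.0.2.10", 15211, {"S", "A"}),
    # 3) unrelated inbound web traffic to our own port 80
    ("203.0.113.21", 40112, "192.0.2.10", 80, {"S", "A", "P", "F"}),
]

SPOOFED = "spoofed-source: SYN-ACK backscatter only, no SYN left our host"
OUR_HOST = "our host (or another host on the provider network) sent the SYNs"
NO_EVIDENCE = "no flows between the two addresses in this window"


def classify_flows(flows, our_ip, service_port=80):
    """Apply checks a) and b) from the answer above to a set of flow records.
    a) outbound: TCP from our_ip to peer:service_port with SYN set, per peer
    b) inbound:  TCP from peer:service_port to our_ip with SYN+ACK, per peer
    'backscatter': inbound SYN-ACK flows whose 4-tuple has no outbound SYN."""
    outbound_tuples = set()
    a_outbound, b_inbound, backscatter = Counter(), Counter(), Counter()
    for src, sport, dst, dport, flags in flows:
        if src == our_ip and dport == service_port and "S" in flags:
            outbound_tuples.add((sport, dst, dport))
            a_outbound[dst] += 1
    for src, sport, dst, dport, flags in flows:
        if dst == our_ip and sport == service_port and {"S", "A"} <= flags:
            b_inbound[src] += 1
            if (dport, src, sport) not in outbound_tuples:
                backscatter[src] += 1
    return {"a_outbound": a_outbound, "b_inbound": b_inbound, "backscatter": backscatter}


def diagnose(flows, our_ip, victim_ip, service_port=80):
    """Turn the a)/b) checks into the verdict the answer describes."""
    v = classify_flows(flows, our_ip, service_port)
    if v["a_outbound"][victim_ip]:
        return OUR_HOST
    if v["b_inbound"][victim_ip]:
        return SPOOFED
    return NO_EVIDENCE


if __name__ == "__main__":
    for victim in ("198.51.100.7", "198.51.100.9", "203.0.113.44"):
        print(victim, "->", diagnose(SAMPLE_FLOWS, OUR_IP, victim))
```

The backscatter count is the useful number to quote back to the provider: a host that was merely named as a spoofed source sees SYN-ACKs arriving on ephemeral ports it never opened, and that is visible in the provider's flows even though nothing about it appears in the host's own logs.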

Vlad Zhivotnev (@inkvizitor68sl), 2013-12-05

Check that no suspicious processes are running. Most likely you were hacked (or one of your accounts was) and a script was uploaded there that does all this. The script may well be a regular PHP script, so you can look at the access logs for requests to unknown URLs with the code 200.
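The access-log check above is easy to automate. The following is an added example (not the answerer's code) that parses lines in the Apache/nginx "combined" format and reports the successful (status 200) requests worth a look, grouped by client, method and path: scripts executed from directories that should only hold static files (uploads, images, cache), and any other path the site is not known to serve. The log lines, the allowlist `KNOWN_PATHS` and the directory list are constructed for the example; on a real server the allowlist would be built from the web root (for instance `find /var/www -type f` mapped to URL paths).

```python
import re
from collections import Counter

# Constructed access-log sample in Apache/nginx "combined" format.
# Documentation addresses only; the path names are made up for the example.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [04/Dec/2013:21:20:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2013:21:20:02 +0100] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Dec/2013:21:21:40 +0100] "POST /wp-content/uploads/2013/11/cache.php HTTP/1.1" 200 12 "-" "-"
198.51.100.23 - - [04/Dec/2013:21:22:05 +0100] "POST /wp-content/uploads/2013/11/cache.php HTTP/1.1" 200 12 "-" "-"
198.51.100.23 - - [04/Dec/2013:21:22:06 +0100] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Dec/2013:21:22:30 +0100] "GET /admin/backup.php HTTP/1.1" 404 200 "-" "-"
198.51.100.23 - - [04/Dec/2013:21:22:31 +0100] "GET /shop/info.php?x=1 HTTP/1.1" 200 310 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# In practice build this from the web root, e.g. `find /var/www -type f`,
# mapped to URL paths; here it is a constructed allowlist for the sample.
KNOWN_PATHS = {"/index.php", "/wp-content/themes/site/style.css", "/images/logo.png"}

# Directories that should only ever serve static files (assumed list).
STATIC_ONLY_DIRS = ("/wp-content/uploads/", "/images/", "/cache/", "/tmp/")
SCRIPT_SUFFIXES = (".php", ".phtml", ".pl", ".cgi", ".py", ".sh")


def find_suspicious_hits(log_text, known_paths, static_only_dirs=STATIC_ONLY_DIRS):
    """Return successful (200) requests that warrant a look, grouped by
    (client ip, method, path) with a hit count and a reason:
      - a script executed from a directory that should only hold static files
      - any other path the site is not known to serve"""
    hits, reasons = Counter(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string
        if path.startswith(static_only_dirs) and path.endswith(SCRIPT_SUFFIXES):
            reason = "script executed from a static-only directory"
        elif path not in known_paths:
            reason = "unknown URL answered with 200"
        else:
            continue
        key = (m["ip"], m["method"], path)
        hits[key] += 1
        reasons[key] = reason
    return [
        {"ip": ip, "method": method, "path": path, "count": n,
         "reason": reasons[(ip, method, path)]}
        for (ip, method, path), n in hits.most_common()
    ]


if __name__ == "__main__":
    for hit in find_suspicious_hits(SAMPLE_ACCESS_LOG, KNOWN_PATHS):
        print(f'{hit["count"]:>3} {hit["ip"]} {hit["method"]} {hit["path"]}  <- {hit["reason"]}')
```

Repeated POSTs to a .php file inside an uploads directory, answered with 200 and a tiny response body, are the pattern to chase first; the file's mtime in the web root will usually line up with the FTP or CMS login that put it there.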
