NetscanOutLevel from my server - Windows server

afn Member

Hi

I got an email from our provider telling us they detected a netscanout attack from one of my servers.

A text log of destination IP addresses is provided.

Back when I was still using Windows Server 2008 (a couple of years ago), this would happen within a couple of minutes after the installation because of vulnerabilities in Windows 2008.

But this is not my case, I am using Windows Server 2022.

I can think of 3 scenarios:

  • A (non-admin) user with a weak password got compromised
  • Some tool/software is infected
  • A vulnerability in Windows like the one in Windows 2008?

Does anyone have suggestions to rule out the possibilities and find out how this happened? How can I be sure which app/user account may have been behind this? Does Windows keep logs of such things?

Thanks
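As an added example (not code from the thread or from afn), this is how a practitioner would answer the "does Windows keep logs of such things" question on Windows Server 2022 with PowerShell. It assumes an elevated session; the destination port 3544 and the time windows are assumptions chosen for illustration. Windows Filtering Platform auditing is off by default, so step 1 only helps from the moment it is enabled; the RDP logon history in step 3 is already kept by the Security log.

```powershell
# Added example, not the poster's code. Run in an elevated PowerShell session.

# 1. From now on, log every permitted connection as Security event 5156,
#    which records the application path, PID, direction and destination.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Parse the EventData of a Security event into a name -> value hashtable.
function ConvertFrom-EventData {
    param($Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 2. Which applications sent outbound traffic to a given destination port?
#    Compare the Application column with the provider's list of destinations.
function Get-OutboundByApplication {
    param(
        [int]$DestinationPort = 3544,                 # assumed port of interest
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $d.Application
            ProcessId   = [int]$d.ProcessID
            Direction   = $d.Direction        # %%14593 = outbound, %%14592 = inbound
            Protocol    = $d.Protocol         # 17 = UDP, 6 = TCP
            Destination = $d.DestAddress
            DestPort    = [int]$d.DestPort
        }
    } |
    Where-Object { $_.DestPort -eq $DestinationPort -and $_.Direction -eq '%%14593' } |
    Group-Object Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}

# 3. Who logged in over RDP, and from where? Event 4624 with LogonType 10
#    (RemoteInteractive) is a successful RDP logon; 4625 is a failed logon.
function Get-RdpLogons {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $ids = 4624, 4625
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.LogonType -eq '10') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
                User    = $d.TargetUserName
                From    = $d.IpAddress
            }
        }
    }
}

# Usage: unknown source addresses in the RDP list, or an application path you do not
# recognise in the port summary, are the leads to chase first.
Get-RdpLogons | Sort-Object Time | Format-Table -AutoSize
Get-OutboundByApplication -DestinationPort 3544 | Format-Table -AutoSize
```

The application path in event 5156 is reported in device form (for example `\device\harddiskvolume2\windows\system32\svchost.exe`), so a hit on `svchost.exe` still needs the PID mapped to the services that process hosts.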

Comments

  • xrz Member

    hetzner? :P

  • afn Member

    @xrz said: hetzner? :P

    :joy:

  • xrz Member
    edited March 2023

    Oops, we own like 100+ honeypot servers and report everything we can :D We hate Hetzner, but we also hate abuse :D

    hetzner mails:

  • tentor Member, Patron Provider

    @xrz said:
    Oops, we own like 100+ honeypot servers and report everything we can :D We hate Hetzner, but we also hate abuse :D

    hetzner mails:

    What are your reasons why you hate them? Abuse acknowledgement is a good practice IMO.

  • xrz Member

    @tentor said: What are your reasons why you hate them?

    lie/lied/will lie about unlimited bandwidth

  • Calin Member, Patron Provider

    @xrz said: lie/lied/will lie about unlimited bandwidth

    From how many TB of traffic have you started to have problems with them?

  • afn Member

    @Calin said: From how many TB of traffic have you started to have problems with them?

    There was a thread about it.

    200+ will surely get you in trouble, and support will start treating you like shit for a while and ban you from ordering new servers.

    If you stop using the server, a couple of months later they will lift the ban.

  • afn Member

    More information in case anyone can help because this is driving me crazy...

    • I checked the access log; all RDP entries are from known IPs/IP ranges of the few other users accessing this particular server. So I am 99% sure account credentials are not compromised.

    I got a few more abuse reports from them and checked a bit more:

    Most outgoing traffic is going out via port 59300, which is used by svchost.exe (netsvcs).
    Most of these "scans" go to weird destination servers on port 3544.
    The weird destinations include IPs belonging to IBM, KFC and other random things.
    Even weirder: Some of these are going to private IPs... and I am not even able to locate what suddenly triggered this on my server after years of normal use.

    @xrz how do you generally deal with their abuse messages since you're getting a lot of them apparently... Thanks
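As an added example (not afn's code), here is how to take the two facts in the post above, a local UDP port owned by an svchost.exe instance and a list of odd destinations, and turn them into something attributable. The local port 59300 is taken from the post; the log file path and its format (one IPv4 address per line) are assumptions. An svchost.exe process hosts several services, so the PID alone does not name the culprit; `Win32_Service` carries the PID of every running service and closes that gap.

```powershell
# Added example, not the poster's code. Run in an elevated PowerShell session on the server.

# Map a local port to its owning process and, for svchost.exe, to the services it hosts.
function Get-PortOwner {
    param(
        [int]$LocalPort,
        [ValidateSet('UDP', 'TCP')][string]$Protocol = 'UDP'
    )
    $endpoints = if ($Protocol -eq 'UDP') {
        Get-NetUDPEndpoint -LocalPort $LocalPort -ErrorAction SilentlyContinue
    } else {
        Get-NetTCPConnection -LocalPort $LocalPort -ErrorAction SilentlyContinue
    }
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        # Every service in this process shares the PID; this names them.
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($ep.OwningProcess)" |
                    Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Protocol     = $Protocol
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ProcessId    = $ep.OwningProcess
            ProcessName  = $proc.ProcessName
            Path         = $proc.Path
            Services     = ($services -join ', ')
        }
    }
}

# Classify the destinations from the provider's log: a scan from a compromised host
# normally targets public space, so RFC 1918 destinations are worth a second look.
function Get-DestinationSummary {
    param([string]$LogPath)   # assumed: one IPv4 address per line
    Get-Content $LogPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
    ForEach-Object {
        $b = ([ipaddress]$_).GetAddressBytes()
        $private = ($b[0] -eq 10) -or
                   ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                   ($b[0] -eq 192 -and $b[1] -eq 168)
        [pscustomobject]@{ Ip = $_; Scope = if ($private) { 'private (RFC 1918)' } else { 'public' } }
    } |
    Group-Object Scope |
    Select-Object Count, Name
}

# Usage with the values from the post; the log path is a placeholder.
Get-PortOwner -LocalPort 59300 -Protocol UDP | Format-List
Get-DestinationSummary -LogPath 'C:\abuse\destinations.txt'
```

If the `Services` column shows a single service, that service, not "svchost", is what to look at; `tasklist /svc` gives the same process-to-service mapping for a quick cross-check.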

  • treesmokah

    Have you gotten a DDoS attack recently?
    It may be amplification/spoofing.

    A very well-known "method" of getting a victim's server suspended; it has happened a million times on Hetz already.

  • afn Member

    @treesmokah said: have you gotten a ddos attack recently?

    Nope, never...

    Also, to my understanding, the abuse notice I receive comes from Hetzner's internal monitoring, not because someone submitted a complaint, so I think it really originates from my server...?

    If your doubts about spoofing are correct, what would be the best course of action to prove it? How would I monitor locally every single network event that happens...?

    Thanks

  • @afn said: the abuse notice I receive comes from Hetzner's internal monitoring, not because someone submitted a complaint

    This should eliminate the possibility of spoofing unless their monitoring systems are extremely fucking bad.

    @afn said: If your doubts about spoofing are correct, what would be the best course of action to prove it? How would I monitor locally every single network event that happens...?

    Saving all traffic, or dumping packets that are out of the ordinary.
    A DDoS notification (which many providers send) could include a tcpdump from an attack.

  • xrz Member

    @afn said: @xrz how do you generally deal with their abuse messages since you're getting a lot of them apparently... Thanks

    I don't own Hetzner garbage servers anymore ;) The mails are the mails that are sent to Hetzner due to Hetzner IPs connecting to our honeypots.

  • afn Member
    edited May 2023

    I just thought I would let people know for future readers,

    Apparently Hetzner got crazy (actually they always have been) and suddenly decided Teredo is a sin.

    https://learn.microsoft.com/en-us/windows/win32/teredo/portal

    Teredo has always been active, and it uses UDP port 3544 as the destination port.

    So the simplest solution is to disable Teredo and/or block all outgoing traffic to UDP port 3544 in Windows Firewall, and if you need IPv6, use your native IPv6.

    Hetzner has been contacted several times to explain the sudden change; of course, as expected from them, they never replied.

    tl;dr: if you can financially afford to not use Hetzner, do not, if budget is tight, proceed with caution, know what you are dealing with and keep a backup.
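The fix afn describes, disabling Teredo and blocking outbound UDP/3544, as an added PowerShell example (not afn's code). It assumes an elevated session on Windows Server 2022; the firewall rule name is an assumption. Step 2 writes the same registry value the "Set Teredo State" Group Policy writes, so the setting survives a reset of the adapter-level configuration; step 4 is the check that should come back with `TeredoType` disabled and `RulePresent` true.

```powershell
# Added example, not the poster's code. Run in an elevated PowerShell session.

# Record the current state before changing anything.
Get-NetTeredoConfiguration
netsh interface teredo show state

# 1. Disable the Teredo transition technology on this host.
Set-NetTeredoConfiguration -Type Disabled

# 2. Pin it through the local policy key used by the "Set Teredo State" GPO.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'Teredo_State' -Value 'Disabled' -Type String

# 3. Block outbound Teredo traffic whatever process sends it. The remote port is
#    3544/UDP; the local port (59300 in the thread) is ephemeral and not worth matching.
$ruleName = 'Block outbound Teredo (UDP 3544)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP `
        -RemotePort 3544 -Action Block -Profile Any -Enabled True | Out-Null
}

# 4. Verify: Teredo type, policy value, firewall rule, and the hidden Teredo adapter's status.
function Test-TeredoDisabled {
    $cfg    = Get-NetTeredoConfiguration
    $policy = (Get-ItemProperty -Path $policyKey -Name 'Teredo_State' -ErrorAction SilentlyContinue).Teredo_State
    $rule   = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $adapter = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
               Where-Object InterfaceDescription -like '*Teredo*'
    [pscustomobject]@{
        TeredoType    = $cfg.Type
        PolicyState   = $policy
        RulePresent   = [bool]$rule
        RuleEnabled   = ($rule.Enabled -eq 'True')
        AdapterStatus = ($adapter.Status -join ', ')
    }
}
Test-TeredoDisabled
```

After this, the port-to-process check from earlier in the thread should no longer show an svchost.exe endpoint sending to 3544; if the server needs IPv6, native IPv6 on the adapter is unaffected by any of these steps.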

  • kasodk Barred

    @afn said:
    I just thought I would let people know for future readers,

    Apparently Hetzner got crazy (actually they always have been) and suddenly decided Teredo is a sin.

    https://learn.microsoft.com/en-us/windows/win32/teredo/portal

    Teredo has always been active, and it uses UDP port 3544 as the destination port.

    So the simplest solution is to disable Teredo and/or block all outgoing traffic to UDP port 3544 in Windows Firewall, and if you need IPv6, use your native IPv6.

    Hetzner has been contacted several times to explain the sudden change; of course, as expected from them, they never replied.

    tl;dr: if you can financially afford to not use Hetzner, do not, if budget is tight, proceed with caution, know what you are dealing with and keep a backup.

    Teredo can relatively easily be abused for DDoS attacks if it's not secured on the servers.

    It's your job to secure the server, so I can't see why Hetzner should be blamed for this.

  • afn Member

    @kasodk said: Teredo can relatively easily be abused for DDoS attacks if it's not secured on the servers.

    How so? Do you mind explaining a bit more, given that the server's config has not changed?
