Can someone explain this? [ Probably DDoS ] [HELP!] - Page 2

Comments

  • @MarkTurner said:
    I meant 198.143.139.251

    As you have serial access - can you send the output of:

    ps -auxf

    and as cncking2000 said netstat -lnp

    Can't do it.. As soon as I enter the password, the serial console closes...

  • @cncking2000 said:
    Is 198.143.139.251 possibly the node IP? I can see why the provider suspended you if your machine is going after the node itself. I am getting server.cssglobal.net from this end, as being associated to that IP.

    Maybe.. Still, the idea I suggested above may work. Or at least he may give me a backup of var/lib/mysql

  • @Sherlock - just ask for a tarball of your server and move on.

    I am not sure what you are paying per month for this service but the log does not show a denial of service attack. Maybe this is just a snippet, but the few lines you have shown don't look nefarious.

  • TACServers Member
    edited July 2014

    I have to agree with @MarkTurner, the logs look like your server talking to itself. Cpanel servers love to do that, however, I am aware that you are not using CPanel. If you really want to push the issue, ask where remote connections are being shown in their logs, and see if you can't get a clearer picture of what is going on. I can't see how you are opening 60K+ connections with the logs provided.

  • @Sherlock said:
    Can't do it.. As soon as I enter the password, the serial console closes...

    Sounds like the VPS is actually suspended not the IP blackholed.

  • @cncking2000 said:
    I have to agree with MarkTurner, the logs look like your server talking to itself. Cpanel servers love to do that, however, I am aware that you are not using CPanel. If you really want to push the issue, ask where remote connections are being shown in their logs, and see if you can't get a clearer picture of what is going on. I can't see how you are opening 60K+ connections with the logs provided.

    One more point, forgot to mention. I checked the traffic log in SolusVM; just before the server went down, incoming traffic increased from 400k to 1.4 mb or something.. There was a very tall bar, can't provide a screenshot atm... But still vmbox did very little on their part, and 19 hrs ago when they suspended my server, they didn't even email me about it

  • Assuming that is 1.4Mbps - that's definitely not a DDOS even if the packets are minimum sized.

  • Port 8000, isn't that for Icecast or something? Maybe someone made a wrong setting in their streaming?

  • said:
    Fri, 18 Jul 2014 18:54:27 -0400 VPS 2105 (xx.xx.xx.xx) has 30021 conntrack sessions
    Fri, 18 Jul 2014 18:54:47 -0400 VPS 2105 (xx.xx.xx.xx) has 30082 conntrack sessions
    Fri, 18 Jul 2014 18:54:57 -0400 VPS 2105 (xx.xx.xx.xx) has 30006 conntrack sessions
    Fri, 18 Jul 2014 18:55:04 -0400 VPS 2105 (xx.xx.xx.xx) has 30058 conntrack sessions
    Fri, 18 Jul 2014 18:55:15 -0400 VPS 2105 (xx.xx.xx.xx) has 30054 conntrack sessions
    Fri, 18 Jul 2014 19:26:36 -0400 VPS 2105 (xx.xx.xx.xx) has 46433 conntrack sessions
    Fri, 18 Jul 2014 19:26:52 -0400 VPS 2105 (xx.xx.xx.xx) has 61441 conntrack sessions
    Fri, 18 Jul 2014 19:27:04 -0400 SUSPENDING VPS 2105 (xx.xx.xx.xx); it has 61441 conntrack sessions
    Fri, 18 Jul 2014 19:27:13 -0400 VPS 2105 (xx.xx.xx.xx) has 49318 conntrack sessions

    This is a pretty important quote, looks like he is suspended for conntrack :s

  • lazyt Member

    "SUSPENDING VPS 2105 (xx.xx.xx.xx); it has 61441 conntrack sessions Fri, 18 Jul 2014"

    Last comment in what TheRedFox quoted.

  • But what is conntrack tracking? Is it tracking internal connections or external connections? By the look of the rest of it, the connections are local.

  • Can any of you tell me how I get a tar backup of the server from that maniac at vmbox? I have been telling him to send me backups for the last 17 hours! Their support is the worst in the world, another one man show!

  • oh my
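
For the question raised in the thread about whether conntrack is counting internal or external connections, here is an added example (not from the thread or the provider) that splits conntrack entries by direction relative to the server's own address. The sample lines and the address 203.0.113.10 are constructed, and the input format assumed is that of `conntrack -L` or /proc/net/nf_conntrack.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `conntrack -L` / /proc/net/nf_conntrack style.
# 203.0.113.10 stands in for the VPS address (assumption, documentation range).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=203.0.113.10 dst=203.0.113.10 sport=40112 dport=8000 src=203.0.113.10 dst=203.0.113.10 sport=8000 dport=40112 [ASSURED] mark=0 use=1
tcp      6 110 TIME_WAIT src=203.0.113.10 dst=203.0.113.10 sport=40113 dport=8000 src=203.0.113.10 dst=203.0.113.10 sport=8000 dport=40113 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 55 SYN_RECV src=198.51.100.7 dst=203.0.113.10 sport=51000 dport=8000 src=203.0.113.10 dst=198.51.100.7 sport=8000 dport=51000 mark=0 zone=0 use=2
udp      17 25 src=203.0.113.10 dst=192.0.2.53 sport=33211 dport=53 [UNREPLIED] src=192.0.2.53 dst=203.0.113.10 sport=53 dport=33211 mark=0 use=1
tcp      6 20 127.0.0.1 garbage line without tuple
"""

# The first src=/dst= pair on a line is the original direction of the flow.
TUPLE = re.compile(r"src=(\S+) dst=(\S+)(?: sport=(\d+) dport=(\d+))?")
STATE = re.compile(r" ([A-Z][A-Z_0-9]*) src=")  # TCP state; UDP/ICMP have none
# (src is ours, dst is ours) -> direction; "self" is the server talking to itself.
KINDS = {(True, True): "self", (False, True): "inbound",
         (True, False): "outbound", (False, False): "transit"}


def classify(text, own_addrs):
    """Count entries by direction relative to own_addrs, plus ports and states."""
    own = {ipaddress.ip_address(a) for a in own_addrs}
    direction, ports, states, skipped = Counter(), Counter(), Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        m = TUPLE.search(line)
        try:
            src, dst = (ipaddress.ip_address(m.group(i)) for i in (1, 2))
        except (AttributeError, ValueError):  # no tuple, or a malformed address
            skipped += 1
            continue
        src_own = src in own or src.is_loopback
        dst_own = dst in own or dst.is_loopback
        kind = KINDS[(src_own, dst_own)]
        direction[kind] += 1
        if m.group(4):  # ICMP entries carry no ports
            ports[(kind, int(m.group(4)))] += 1
        st = STATE.search(line)
        states[st.group(1) if st else "NONE"] += 1
    return direction, ports, states, skipped


if __name__ == "__main__":
    direction, ports, states, skipped = classify(SAMPLE, ["203.0.113.10"])
    print("by direction:", dict(direction), "states:", dict(states))
    print("top ports:", ports.most_common(3), "skipped:", skipped)
```

A table dominated by "self" entries fits the "server talking to itself" reading, while a large "inbound" share in SYN_RECV points at remote traffic instead.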
