VPS has outgoing DDoS, please help.

fencer Member
edited February 2015 in Help

Hi, I have a VPS at VPSDime (24 GB RAM, 4 CPUs, etc.).

Yesterday they shut down my nginx server because of a possible DoS, and they say it's going from my server, not to my server. It showed something like this log (hope you can help me with this):


First 264 lines from conntrack table (truncated)



ipv4 2 tcp 6 92757 ESTABLISHED src=23.227.172.26 dst=186.88.90.77 sport=80 dport=52631 [UNREPLIED] AND GOES ON and on and on...

Can somebody help me?

Comments

  • KuJoe Member, Host Rep

    Which IP is your VPS's IP?

  • 23.227.172.26 I guess.

    What kind of help is expected?

    And btw: "this issue" in the subject isn't the smartest way to attract help.

  • Really, the question is what kind of help you expect.

    It's a job for a sysadmin. You just need to find the source of this and clean it. Most probably your VPS was hacked.

  • 24GB RAM VPS?

  • Mahfuz_SS_EHL Host Rep, Veteran

    You can install Linux Malware Detect and scan the whole VPS!

  • Ask them for a process dump as this looks like a nodewatch report.

  • reformat and start again

  • @Mark_R said:
    reformat and start again

    Yep, when in doubt rebuild the VHS.

  • First of all, change your users' passwords, close all ports and only allow port 22.

    If possible change from password to key authentication.

  • After that, check your web app to see what the hell it is doing and whether something is not normal with it.

    Finally, ask your provider for a change of IP.

    That's all.

  • @martip07 Why ask for a different IP if it's an outbound DoS ?

  • A while back on my old VPS this happened to me - sent out about 2TB of DoS to some poor person. I decided the best way to clean it was to reinstall the OS.

  • xaitmi Member
    edited February 2015

    @Mitchfizz05 said:
    A while back on my old VPS this happened to me - sent out about 2TB of DoS to some poor person. I decided the best way to clean it was to reinstall the OS.

    This.

    I've seen a few of my clients get infected over the last 2 years. The backdoors/malicious scripts are usually located in the /boot folder.

    Best way to deal with this is to backup your files and reinstall the OS.

    9/10 times it's usually IptabLes malware.

    OP take a look at this thread I found http://lowendtalk.com/discussion/28795/vps-got-hacked-with-iptables-iptablex

  • Just reformat and start over. There is absolutely no way I would feel safe using a VPS that I know had been hacked or had outgoing DDoS from it, even if I thought I found the source.

  • I wonder what did the OP do to get infected?

  • Maounique Host Rep, Veteran

    @Chuck said:
    I wonder what did the OP do to get infected?

    Or didn't do. Usually this is the result of not patching it in time for known exploits (i.e. not updating it).

    lazyt said: Yep when in doubt rebuild the VHS.

    You will probably not find replacement parts for such old technologies.

  • lsof. Useful command to find the process.

  • First, disable your VPS NIC, then use VNC to clean the malicious files or reinstall your VPS.

  • @Umcookies said:
    martip07 Why ask for a different IP if it's an outbound DoS ?

    Maybe because someone got into my VPS? So if I wanna stop it I must change it, because it may attract more people to my VPS and the story will never end.

    Also, for security it is better in some way.

  • Let me guess. You were sending out traffic over port 80 from your IP, 23.227.172.26, going to the DoS target 186.88.90.77, port 52631.

    If this is a linux box you can run iptraf or iftop to bring up a nice system level gui to view your traffic being sent out. This link shows you how to install (free of course) and run the utility:
    http://unix.stackexchange.com/questions/71456/check-outgoing-network-traffic

    From there you can track down the process (top will show you which is the biggest running process) and then use lsof to track down the file that is running, to show what is going on.

    This is a very crude way of finding the information, but you will learn quite a bit along the way. top is your friend for finding CPU-intensive processes, and lsof will show you what files are open and running currently. Those two commands alone will help you out heavily.

    Best recommendation is like others have said: If there isn't crap on the box you need, copy off your files, blow the VPS away, and start over.

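Before reaching for iftop, top and lsof as suggested above, the dump the provider sent already answers KuJoe's question (which address is the VPS) and shows whether the VPS is the one originating one-way traffic. The script below is an added example for this thread, not the OP's, the provider's or any poster's tooling; it parses the /proc/net/nf_conntrack text format seen in the OP's post, and its sample entries are constructed from RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample (RFC 5737 addresses), same shape as the OP's dump.
# Lines 1 and 4 show the pattern the provider flagged; line 2 is a normal
# inbound client hit and line 3 a DNS lookup the VPS made itself.
SAMPLE = """\
ipv4 2 tcp 6 358705 ESTABLISHED src=203.0.113.10 dst=198.51.100.7 sport=80 dport=55383 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=55383 dport=80 mark=0 secmark=0 use=2
ipv4 2 tcp 6 210823 ESTABLISHED src=198.51.100.21 dst=203.0.113.10 sport=50223 dport=80 src=203.0.113.10 dst=198.51.100.21 sport=80 dport=50223 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 udp 17 13 src=203.0.113.10 dst=192.0.2.53 sport=34132 dport=53 src=192.0.2.53 dst=203.0.113.10 sport=53 dport=34132 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 92757 ESTABLISHED src=203.0.113.10 dst=198.51.100.9 sport=80 dport=52631 [UNREPLIED] src=198.51.100.9 dst=203.0.113.10 sport=52631 dport=80 mark=0 secmark=0 use=2
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
SUSPECT = "outbound-unreplied-from-service-port"


def parse_entry(line):
    """Parse one /proc/net/nf_conntrack line; None if it is not one.
    The first src/dst tuple is the ORIGINAL direction, i.e. the packet that
    created the entry; [UNREPLIED] means nothing ever came back."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(fields) < 6 or not fields[0].startswith("ipv") or len(tuples) != 2:
        return None
    src, dst, sport, dport = tuples[0]
    return {
        "proto": fields[2],
        # TCP lines carry a state word after the timeout; UDP lines do not.
        "state": fields[5] if fields[2] == "tcp" else None,
        "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
        "unreplied": "[UNREPLIED]" in line,
    }


def infer_local_ip(entries):
    """The VPS address is the one present in every entry, as src or dst."""
    common = None
    for e in entries:
        pair = {e["src"], e["dst"]}
        common = pair if common is None else common & pair
    return common.pop() if common and len(common) == 1 else None


def classify(entry, local):
    """Label a flow from the VPS's point of view.
    SUSPECT is the tell-tale: the VPS sent the FIRST packet, from its own
    listening port, to a random high port on the peer, and the peer never
    answered. A genuine nginx client shows up as src=client dport=80.
    ESTABLISHED combined with [UNREPLIED] usually means conntrack picked
    the flow up from a bare ACK/data segment, not a SYN: one-way traffic."""
    if entry["dst"] == local:
        return "inbound"
    if entry["src"] != local:
        return "transit"
    if entry["unreplied"] and entry["sport"] < 1024:
        return SUSPECT
    return "outbound"


def triage(text):
    """Summarise a dump: local address, flow classes, flood targets."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    local = infer_local_ip(entries)
    labelled = [(classify(e, local), e) for e in entries]
    return {
        "local_ip": local,
        "classes": dict(Counter(label for label, _ in labelled)),
        "targets": Counter(e["dst"] for label, e in labelled if label == SUSPECT),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("VPS address:", report["local_ip"])
    print("flow classes:", report["classes"])
    for ip, n in report["targets"].most_common():
        print(f"  one-way traffic from a service port towards {ip}: {n} flow(s)")
```

On a live box, pass the contents of /proc/net/nf_conntrack to triage() instead of SAMPLE; the targets it lists are the peers to mention in the abuse reply, and a non-empty SUSPECT count is the signal that the process sending from port 80 needs to be found with lsof.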
  • martip07 Member
    edited February 2015

    I bet it is a problem with his app (some security hole), so in the end, if the app is the problem, it will happen again.

  • Fatboy Member
    edited February 2015

    I have a question - I see a lot of people recommending a full reinstall of the VPS, which of course is a good thing, but what happens if the exploit is in say the home directory of a cPanel user?

    The guy will backup all his stuff, nuke the VPS from space, reimage and then restore backups with the exploit possibly still in there......round and round and round we go.

  • Maounique Host Rep, Veteran

    Not really, the reinstall is just to make sure after all other measures have been taken, including searching for exploits and modified files in the site's scripts if it has something like this; there are many tools for this.
    However, all tools are specific, few search for everything, and they can still miss something, like a manually crafted backdoor some place. Therefore, a reinstall is to make sure: the last step, not the only step.

  • Mark_R Member
    edited February 2015

    @Fatboy said:
    I have a question - I see a lot of people recommending a full reinstall of the VPS, which of course is a good thing, but what happens if the exploit is in say the home directory of a cPanel user?

    The guy will backup all his stuff, nuke the VPS from space, reimage and then restore backups with the exploit possibly still in there......round and round and round we go.

    If your security got breached without you knowing, then you already failed and cannot know what might already be affected in your current server environment. In such a case you definitely have to start over clean and add better security systems to prevent it from happening again. If it still keeps happening then you probably shouldn't manage the server yourself, but if you decide to go through with it then I recommend installing Proxmox and virtualizing your server environments to isolate future problems and to have the ability to restore snapshots.

  • @Maounique @Mark_R : I was only playing devil's advocate :) However, your answers will be handy for anyone who stumbles across the thread - just another thing for them to think of before hitting that VPS nuke button :)

  • Lol, that was supposed to be VPS. Autocorrect strikes again.

    Have I mentioned how much I hate auto correct?