Hertzner - Portscan - Serverlocked

nikcnikc Member
edited October 2015 in Help

Hello all.

So a few hours ago Hertzner emailed me to say they detected a portscan running on my dedi and sent me this:

```
##########################################################################

Netscan detected from host 5.9.abc.34

#

time protocol src_ip src_port dest_ip dest_port

Thu Oct 29 11:27:17 2015 TCP 5.9.abc.34 65369 => 128.199.0.0 3389
lines removed here
Thu Oct 29 11:27:17 2015 TCP 5.9.abc.34 65392 => 128.199.0.99 3389
```

It goes on through the 1st 100 ips it seems.

Before I had a chance to look again, they locked my server.

I managed to get back on and ran chkrootkit, it found nothing; I ran lsof -i :3389 every second for an hour, it found nothing.

I've managed to convince them to unlock so I'm back on, but I still can't figure out what could cause this.

The box basically hosts 5 VMs for me and a friend (KVM), the VMs are on a totally different IP range dedicated per VM. Is there any way this traffic could be coming from a VM but still be showing as the host box IP?

Any other tips / commands I could put on there to help track this down?

The box currently doesn't run a firewall, but I've locked it down as much as basically possible (SSH is no root login, no password login so only via my PC's key), I don't even know the root password actually.

Thanks

NikC
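As an added example, not part of the post or any reply and not Hetzner's own tooling: a small POSIX shell script that parses report lines in the format quoted above, flags the one-port-across-many-hosts pattern, checks a dump of the NAT table for source rewriting (a MASQUERADE or SNAT rule is exactly what makes a guest's packets leave with the host's address; libvirt's default network installs one for 192.168.122.0/24), and installs SYN logging on the FORWARD and OUTPUT chains so the next burst is attributed to the guest side or the host side. The sample report lines and the NAT rule text are constructed; the function names are my own and the live checks assume iptables and conntrack-tools on the host.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Hetzner-style netscan report
# and check the host for NAT rules that would make guest traffic appear
# with the host's address. Sample data is constructed from the report
# format quoted in the post; the rule text is an assumption shaped like
# libvirt's default network, not a value taken from the page.

# Constructed report lines in the quoted format:
# time(5 fields) protocol src_ip src_port => dst_ip dst_port
NETSCAN_SAMPLE='Thu Oct 29 11:27:17 2015 TCP 5.9.abc.34 65369 => 128.199.0.0 3389
Thu Oct 29 11:27:17 2015 TCP 5.9.abc.34 65370 => 128.199.0.1 3389
Thu Oct 29 11:27:17 2015 TCP 5.9.abc.34 65371 => 128.199.0.2 3389
Thu Oct 29 11:27:18 2015 TCP 5.9.abc.34 65392 => 128.199.0.99 3389'

# Summarise report lines from stdin: flows, distinct targets, distinct
# destination ports, distinct source ports and distinct seconds covered.
netscan_summary() {
    awk '
        $6 == "TCP" || $6 == "UDP" {
            flows++
            if (!($10 in dst))   { dst[$10] = 1;   ndst++ }
            if (!($11 in dport)) { dport[$11] = 1; ndport++ }
            if (!($8 in sport))  { sport[$8] = 1;  nsport++ }
            if (!($4 in sec))    { sec[$4] = 1;    nsec++ }
        }
        END {
            printf "flows=%d dst_hosts=%d dst_ports=%d src_ports=%d seconds=%d\n",
                   flows, ndst, ndport, nsport, nsec
        }'
}

# Classify a summary line: one destination port across many hosts inside a
# short window is a horizontal sweep, not a busy multi-threaded application.
netscan_verdict() {
    awk '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] }
        if (v["dst_ports"] + 0 == 1 && v["dst_hosts"] + 0 >= 3)
            print "single-port sweep: " v["dst_hosts"] " hosts in " v["seconds"] " second(s)"
        else
            print "no sweep pattern"
    }'
}

# Read "iptables -t nat -S" output from stdin; succeed if any rule rewrites
# the source address, which is how guest traffic leaves with the host IP.
has_source_nat() {
    grep -Eq -- '-j (MASQUERADE|SNAT)'
}

# Constructed rule text shaped like libvirt's default NAT network (assumption).
NAT_RULES_SAMPLE='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE'

# Live checks for the host itself (run as root; not executed by the demo).
# FORWARD carries guest traffic, OUTPUT carries the host's own; logging the
# SYNs in both with different prefixes shows which side the scan is on, and
# conntrack lists the pre-NAT guest address for each forwarded flow.
install_rdp_logging() {
    iptables -I FORWARD -p tcp --syn --dport 3389 -j LOG --log-prefix "guest-rdp: "
    iptables -I OUTPUT  -p tcp --syn --dport 3389 -j LOG --log-prefix "host-rdp: "
    conntrack -L -p tcp --dport 3389 2>/dev/null | head
}

main() {
    summary=$(printf '%s\n' "$NETSCAN_SAMPLE" | netscan_summary)
    echo "$summary"
    echo "$summary" | netscan_verdict
    if printf '%s\n' "$NAT_RULES_SAMPLE" | has_source_nat; then
        echo "source NAT present: guest flows leave with the host address"
    fi
}

main
```

Polling lsof once a second cannot catch a sweep whose connections are half-open for a few milliseconds each; a LOG rule matched on SYNs records every attempt in the kernel log. A hit under the "guest-rdp:" prefix (or a conntrack entry whose original source is a private guest address) points at one of the VMs behind NAT; hits only under "host-rdp:" point at a process on the host itself, which is then worth looking for with `ss -tnp 'dport = :3389'` the moment the log fires.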

Comments

  • I've heard similar stories where providers suspended vms/dedicated servers for assumed port scanning when in fact it wasn't. Sometimes it was a multi-threaded application.

    This doesn't help, but is there a multi-threaded app running on the server/vms?
