Abuse via my server?

Nimu

Registered User
Hello dear forum people, I just got an email from my hoster and don't really know what to do with it...

--------------------------------------------
Dear customer,

your server has come to the attention of our abuse team. We have received corresponding emails. Please make sure the problem is fixed within 6 hours, otherwise we will have to block the server, with the costs charged to you.

More information attached:
--------------------------------------------
Code:
Vodafone IDS sensors are set via NTP to Time Zone: GMT=UTC+0

Date: 2007/05/08 (YYYY/MM/DD)

partial tcpdump output for scan from echo851.server4you.de

2007-05-08 02:28:41.341624 IP 85.25.140.98.111 > 194.62.232.2.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.342270 IP 85.25.140.98.111 > 194.62.232.11.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.342792 IP 85.25.140.98.111 > 194.62.232.10.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.343856 IP 85.25.140.98.111 > 194.62.232.22.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.344432 IP 85.25.140.98.111 > 194.62.232.25.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.344957 IP 85.25.140.98.111 > 194.62.232.20.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.345532 IP 85.25.140.98.111 > 194.62.232.31.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.346190 IP 85.25.140.98.111 > 194.62.232.26.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.346556 IP 85.25.140.98.111 > 194.62.232.28.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.347340 IP 85.25.140.98.111 > 194.62.232.33.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.347965 IP 85.25.140.98.111 > 194.62.232.34.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.352270 IP 85.25.140.98.111 > 194.62.232.43.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.352872 IP 85.25.140.98.111 > 194.62.232.52.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.353547 IP 85.25.140.98.111 > 194.62.232.50.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.354793 IP 85.25.140.98.111 > 194.62.232.53.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.355046 IP 85.25.140.98.111 > 194.62.232.65.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.355710 IP 85.25.140.98.111 > 194.62.232.66.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.357894 IP 85.25.140.98.111 > 194.62.232.67.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.358396 IP 85.25.140.98.111 > 194.62.232.68.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.358886 IP 85.25.140.98.111 > 194.62.232.69.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.359420 IP 85.25.140.98.111 > 194.62.232.73.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.359973 IP 85.25.140.98.111 > 194.62.232.71.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.360496 IP 85.25.140.98.111 > 194.62.232.72.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.361043 IP 85.25.140.98.111 > 194.62.232.75.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.361530 IP 85.25.140.98.111 > 194.62.232.86.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.362024 IP 85.25.140.98.111 > 194.62.232.80.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.362523 IP 85.25.140.98.111 > 194.62.232.88.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.362995 IP 85.25.140.98.111 > 194.62.232.82.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.363473 IP 85.25.140.98.111 > 194.62.232.81.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.363973 IP 85.25.140.98.111 > 194.62.232.84.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.364507 IP 85.25.140.98.111 > 194.62.232.83.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.365012 IP 85.25.140.98.111 > 194.62.232.89.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.365545 IP 85.25.140.98.111 > 194.62.232.94.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.366072 IP 85.25.140.98.111 > 194.62.232.91.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.366606 IP 85.25.140.98.111 > 194.62.232.103.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.367094 IP 85.25.140.98.111 > 194.62.232.102.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.367625 IP 85.25.140.98.111 > 194.62.232.92.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.368128 IP 85.25.140.98.111 > 194.62.232.104.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.368752 IP 85.25.140.98.111 > 194.62.232.105.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.369921 IP 85.25.140.98.111 > 194.62.232.106.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.371132 IP 85.25.140.98.111 > 194.62.232.107.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.371709 IP 85.25.140.98.111 > 194.62.232.111.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.372261 IP 85.25.140.98.111 > 194.62.232.108.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.375002 IP 85.25.140.98.111 > 194.62.232.110.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.375516 IP 85.25.140.98.111 > 194.62.232.109.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.377135 IP 85.25.140.98.111 > 194.62.232.125.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.378671 IP 85.25.140.98.111 > 194.62.232.126.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.379775 IP 85.25.140.98.111 > 194.62.232.134.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.380363 IP 85.25.140.98.111 > 194.62.232.133.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.380932 IP 85.25.140.98.111 > 194.62.232.135.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.381495 IP 85.25.140.98.111 > 194.62.232.138.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.383500 IP 85.25.140.98.111 > 194.62.232.178.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.384057 IP 85.25.140.98.111 > 194.62.232.176.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.384584 IP 85.25.140.98.111 > 194.62.232.177.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.385065 IP 85.25.140.98.111 > 194.62.232.200.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.388846 IP 85.25.140.98.111 > 194.62.232.225.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.389447 IP 85.25.140.98.111 > 194.62.232.226.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.390032 IP 85.25.140.98.111 > 194.62.232.235.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.390638 IP 85.25.140.98.111 > 194.62.232.236.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.391838 IP 85.25.140.98.111 > 194.62.232.252.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.392409 IP 85.25.140.98.111 > 194.62.232.253.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.522335 IP 85.25.140.98.111 > 194.62.238.1.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.522943 IP 85.25.140.98.111 > 194.62.238.2.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.523520 IP 85.25.140.98.111 > 194.62.238.3.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.524008 IP 85.25.140.98.111 > 194.62.238.7.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.524488 IP 85.25.140.98.111 > 194.62.238.13.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.524962 IP 85.25.140.98.111 > 194.62.238.9.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.525454 IP 85.25.140.98.111 > 194.62.238.6.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.525924 IP 85.25.140.98.111 > 194.62.238.8.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.526422 IP 85.25.140.98.111 > 194.62.238.4.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.526897 IP 85.25.140.98.111 > 194.62.238.5.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.527389 IP 85.25.140.98.111 > 194.62.238.14.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.527871 IP 85.25.140.98.111 > 194.62.238.15.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.528368 IP 85.25.140.98.111 > 194.62.238.11.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.528862 IP 85.25.140.98.111 > 194.62.238.12.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.529458 IP 85.25.140.98.111 > 194.62.238.10.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.530021 IP 85.25.140.98.111 > 194.62.238.16.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.530598 IP 85.25.140.98.111 > 194.62.238.17.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.531071 IP 85.25.140.98.111 > 194.62.238.22.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.531636 IP 85.25.140.98.111 > 194.62.238.21.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.532251 IP 85.25.140.98.111 > 194.62.238.19.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.532860 IP 85.25.140.98.111 > 194.62.238.18.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.533424 IP 85.25.140.98.111 > 194.62.238.20.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.534003 IP 85.25.140.98.111 > 194.62.238.23.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.534654 IP 85.25.140.98.111 > 194.62.238.30.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.535211 IP 85.25.140.98.111 > 194.62.238.33.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.535702 IP 85.25.140.98.111 > 194.62.238.35.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.536183 IP 85.25.140.98.111 > 194.62.238.25.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.536780 IP 85.25.140.98.111 > 194.62.238.28.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.537263 IP 85.25.140.98.111 > 194.62.238.24.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.537790 IP 85.25.140.98.111 > 194.62.238.27.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.538352 IP 85.25.140.98.111 > 194.62.238.26.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.539036 IP 85.25.140.98.111 > 194.62.238.37.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.539463 IP 85.25.140.98.111 > 194.62.238.29.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.540079 IP 85.25.140.98.111 > 194.62.238.31.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.540589 IP 85.25.140.98.111 > 194.62.238.32.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.541059 IP 85.25.140.98.111 > 194.62.238.40.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.541552 IP 85.25.140.98.111 > 194.62.238.34.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.542045 IP 85.25.140.98.111 > 194.62.238.36.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.542558 IP 85.25.140.98.111 > 194.62.238.44.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.543042 IP 85.25.140.98.111 > 194.62.238.38.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.543589 IP 85.25.140.98.111 > 194.62.238.39.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.544142 IP 85.25.140.98.111 > 194.62.238.47.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.544748 IP 85.25.140.98.111 > 194.62.238.41.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.545356 IP 85.25.140.98.111 > 194.62.238.42.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.545961 IP 85.25.140.98.111 > 194.62.238.43.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.546507 IP 85.25.140.98.111 > 194.62.238.50.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.546994 IP 85.25.140.98.111 > 194.62.238.45.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.547484 IP 85.25.140.98.111 > 194.62.238.46.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.547984 IP 85.25.140.98.111 > 194.62.238.53.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.548571 IP 85.25.140.98.111 > 194.62.238.54.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.549069 IP 85.25.140.98.111 > 194.62.238.49.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.549567 IP 85.25.140.98.111 > 194.62.238.48.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.550064 IP 85.25.140.98.111 > 194.62.238.56.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.550877 IP 85.25.140.98.111 > 194.62.238.52.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.551506 IP 85.25.140.98.111 > 194.62.238.51.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.552191 IP 85.25.140.98.111 > 194.62.238.58.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.552805 IP 85.25.140.98.111 > 194.62.238.55.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.553514 IP 85.25.140.98.111 > 194.62.238.61.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.554113 IP 85.25.140.98.111 > 194.62.238.57.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.554713 IP 85.25.140.98.111 > 194.62.238.63.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.555298 IP 85.25.140.98.111 > 194.62.238.68.111: S 1005459691:1005459691(0) win 138

<rest of scan removed>
--------------------------------------------

Does that mean I've been hacked? How can I solve this problem? I have exactly 5 hours and 45 minutes left. Many thanks in advance.
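What the IDS operator saw in the excerpt above can be reproduced mechanically: every packet comes from the same source port (111), carries the same initial sequence number (1005459691) and the same window (138), and hits a different host on the same destination port within a fraction of a second. A normal TCP stack picks a fresh ephemeral source port and a random sequence number per connection, so constant values across dozens of destinations point to a tool writing its own packets. The detector below is an added example written for this thread, not code from the hoster, the IDS vendor or the forum; the first six sample lines are copied from the excerpt, the last two are constructed ordinary connections for contrast, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six lines from the IDS excerpt in the abuse mail, plus two
# invented, ordinary-looking connections (192.0.2.10) that must not be flagged.
SAMPLE = """\
2007-05-08 02:28:41.341624 IP 85.25.140.98.111 > 194.62.232.2.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.342270 IP 85.25.140.98.111 > 194.62.232.11.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.342792 IP 85.25.140.98.111 > 194.62.232.10.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.343856 IP 85.25.140.98.111 > 194.62.232.22.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.344432 IP 85.25.140.98.111 > 194.62.232.25.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:41.522335 IP 85.25.140.98.111 > 194.62.238.1.111: S 1005459691:1005459691(0) win 138
2007-05-08 02:28:43.100000 IP 192.0.2.10.51234 > 194.62.232.2.80: S 388812001:388812001(0) win 5840
2007-05-08 02:28:43.100500 IP 192.0.2.10.51235 > 194.62.232.2.443: S 1992331121:1992331121(0) win 5840
"""

# Classic one-line tcpdump TCP format: "ts IP a.b.c.d.sport > e.f.g.h.dport: FLAGS seq:ack(len) win N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+) (?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+)"
)


def parse_tcpdump(text):
    """Parse packet lines; headers such as 'Date:' or '<rest of scan removed>' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "syn_only": m["flags"] == "S",          # bare SYN, no ACK
            "seq": int(m["seq"]), "win": int(m["win"]),
        })
    return packets


def find_syn_sweeps(packets, min_hosts=5, window_s=10.0):
    """Fingerprint bare SYNs by (src, sport, seq, win). A group that reaches
    min_hosts distinct hosts within window_s seconds is reported: constant
    source port / ISN / window across many destinations is hand-built traffic."""
    groups = defaultdict(list)
    for p in packets:
        if p["syn_only"]:
            groups[(p["src"], p["sport"], p["seq"], p["win"])].append(p)
    findings = []
    for (src, sport, seq, win), pkts in groups.items():
        pkts.sort(key=lambda p: p["ts"])
        hosts = {p["dst"] for p in pkts}
        span = (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()
        if len(hosts) >= min_hosts and span <= window_s:
            findings.append({
                "src": src, "sport": sport, "seq": seq, "win": win,
                "hosts": len(hosts),
                "dports": sorted({p["dport"] for p in pkts}),
                "span_s": round(span, 6),
            })
    return findings


def find_port_sweeps(packets, min_hosts=5):
    """Looser check for scanners that randomise seq/sport: one source hitting
    the same destination port on many hosts. Returns (src, dport, host_count)."""
    hosts = defaultdict(set)
    for p in packets:
        if p["syn_only"]:
            hosts[(p["src"], p["dport"])].add(p["dst"])
    return sorted((src, dport, len(h)) for (src, dport), h in hosts.items() if len(h) >= min_hosts)


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    for f in find_syn_sweeps(pkts):
        print("fingerprint sweep:", f)
    for s in find_port_sweeps(pkts):
        print("port sweep:", s)
```

Run against the full excerpt the hoster sent (paste it into `SAMPLE` or read it from a file), the fingerprint check groups all 122 listed packets under one key and the port-sweep check reports port 111 only; the two constructed connections from 192.0.2.10 fall into their own one-host groups and stay silent.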
 
I have a server at server4you with SUSE Linux and Confixx installed. I run a Joomla site and an Invision Power Board on the server. Should I enter this command via SSH?
 
Code:
tcp        0      0 85.25.140.98:868        64.108.5.51:111         TIME_WAIT   -
tcp        0      0 85.25.140.98:37636      64.92.226.116:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:54852      213.39.191.98:2329      TIME_WAIT   -
tcp        0      0 85.25.140.98:37150      213.39.191.98:2142      TIME_WAIT   -
tcp        0      0 85.25.140.98:38620      213.39.191.98:2137      TIME_WAIT   -
tcp        0      0 85.25.140.98:53847      88.111.224.7:111        TIME_WAIT   -
tcp        0      0 85.25.140.98:25505      213.39.191.98:2220      TIME_WAIT   -
tcp        0      0 85.25.140.98:869        64.108.5.49:111         TIME_WAIT   -
tcp        0      0 85.25.140.98:37983      213.39.191.98:2141      TIME_WAIT   -
tcp        0      0 85.25.140.98:676        64.105.171.157:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:35302      213.39.191.98:2113      TIME_WAIT   -
tcp        0      0 85.25.140.98:54611      213.39.191.98:2078      TIME_WAIT   -
tcp        0      0 85.25.140.98:59922      213.39.191.98:2081      TIME_WAIT   -
tcp        0      0 85.25.140.98:40891      64.106.147.56:111       TIME_WAIT   -
tcp        0      1 85.25.140.98:36516      64.62.252.18:111        FIN_WAIT1   -
tcp        0      0 85.25.140.98:865        64.108.5.52:111         TIME_WAIT   -
tcp        0      0 85.25.140.98:37299      64.106.147.55:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:864        64.108.5.53:111         TIME_WAIT   -
tcp        0      0 85.25.140.98:44027      213.39.191.98:2145      TIME_WAIT   -
tcp        0      0 85.25.140.98:35262      213.39.191.98:2115      TIME_WAIT   -
tcp        0      0 85.25.140.98:31122      213.39.191.98:2236      TIME_WAIT   -
tcp        0      0 85.25.140.98:26290      213.39.191.98:2211      TIME_WAIT   -
tcp        0      0 85.25.140.98:63961      213.39.191.98:2109      TIME_WAIT   -
tcp        0      0 85.25.140.98:22383      213.39.191.98:2192      TIME_WAIT   -
tcp        0      0 85.25.140.98:22183      213.39.191.98:2193      TIME_WAIT   -
tcp        0      0 85.25.140.98:62558      213.39.191.98:2098      TIME_WAIT   -
tcp        0      0 85.25.140.98:63703      213.39.191.98:2110      TIME_WAIT   -
tcp        0      0 85.25.140.98:9828       213.39.191.98:2279      TIME_WAIT   -
tcp        0      0 85.25.140.98:61301      213.39.191.98:2350      TIME_WAIT   -
tcp        0      0 85.25.140.98:46251      64.92.226.94:111        TIME_WAIT   -
tcp        0      0 85.25.140.98:16853      213.39.191.98:2176      TIME_WAIT   -
tcp        0      1 85.25.140.98:50453      88.109.163.94:111       SYN_SENT    3211/synscan
tcp        0      0 85.25.140.98:33287      213.39.191.98:2112      TIME_WAIT   -
tcp        0      0 85.25.140.98:35598      213.39.191.98:2134      TIME_WAIT   -
tcp        0      1 85.25.140.98:42586      74.224.11.5:111         SYN_SENT    3632/synscan
tcp        0      1 85.25.140.98:60919      151.202.100.11:111      SYN_SENT    3633/synscan
tcp        0      0 85.25.140.98:58633      213.39.191.98:2107      TIME_WAIT   -
tcp        0      0 85.25.140.98:35879      213.39.191.98:2132      TIME_WAIT   -
tcp        0      0 85.25.140.98:26322      213.39.191.98:2238      TIME_WAIT   -
tcp        0      0 85.25.140.98:29775      213.39.191.98:2223      TIME_WAIT   -
tcp        0      0 85.25.140.98:57879      213.39.191.98:2361      TIME_WAIT   -
tcp        0      0 85.25.140.98:6689       213.39.191.98:2241      TIME_WAIT   -
tcp        0      1 85.25.140.98:45450      151.202.119.66:111      SYN_SENT    3622/synscan
tcp        0      0 85.25.140.98:42675      213.39.191.98:2173      TIME_WAIT   -
tcp        0      0 85.25.140.98:46888      213.39.191.98:2157      TIME_WAIT   -
tcp        0     45 85.25.140.98:727        64.80.146.130:111       FIN_WAIT1   -
tcp        0      0 85.25.140.98:64523      213.39.191.98:2347      TIME_WAIT   -
tcp        0      0 85.25.140.98:61943      213.39.191.98:2086      TIME_WAIT   -
tcp        0      0 85.25.140.98:33219      64.105.165.9:111        TIME_WAIT   -
tcp        0      0 85.25.140.98:34705      64.106.147.58:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:37810      213.39.191.98:2370      TIME_WAIT   -
tcp        0      0 85.25.140.98:22086      213.39.191.98:2181      TIME_WAIT   -
tcp        0      0 85.25.140.98:34170      64.107.166.14:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:64686      213.39.191.98:2095      TIME_WAIT   -
tcp        0      1 85.25.140.98:60378      71.247.74.17:111        SYN_SENT    3501/synscan
tcp        0      0 85.25.140.98:49543      64.107.133.104:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:60418      213.39.191.98:2366      TIME_WAIT   -
tcp        0      0 85.25.140.98:20204      213.39.191.98:2204      TIME_WAIT   -
tcp        0      0 85.25.140.98:56254      213.39.191.98:2102      TIME_WAIT   -
tcp        0      0 85.25.140.98:43462      88.111.215.107:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:47237      213.39.191.98:2135      TIME_WAIT   -
tcp        0      0 85.25.140.98:58434      64.94.235.42:111        TIME_WAIT   -
tcp        0      0 85.25.140.98:42005      64.108.66.241:111       TIME_WAIT   -
tcp        0      1 85.25.140.98:37661      88.111.144.16:111       SYN_SENT    3619/synscan
tcp        0      0 85.25.140.98:15872      213.39.191.98:2262      TIME_WAIT   -
tcp        0      0 85.25.140.98:55413      213.39.191.98:2099      TIME_WAIT   -
tcp        0      0 85.25.140.98:56735      64.106.147.90:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:43767      64.105.5.182:111        TIME_WAIT   -
tcp        0      0 85.25.140.98:24954      213.39.191.98:2180      TIME_WAIT   -
tcp        0      0 85.25.140.98:55598      213.39.191.98:2108      TIME_WAIT   -
tcp        0     45 85.25.140.98:625        64.73.225.218:111       FIN_WAIT1   -
tcp        1      1 85.25.140.98:56437      64.83.72.182:111        LAST_ACK    -
tcp        0      0 85.25.140.98:54404      64.106.147.95:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:17440      213.39.191.98:2210      TIME_WAIT   -
tcp        0      0 85.25.140.98:60176      64.107.246.5:111        TIME_WAIT   -
tcp        0      0 85.25.140.98:43980      64.94.235.107:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:46524      64.106.147.57:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:36770      64.107.133.20:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:859        64.107.230.251:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:56154      213.39.191.98:2360      TIME_WAIT   -
tcp        0      0 85.25.140.98:891        64.108.123.98:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:42475      213.39.191.98:2118      TIME_WAIT   -
tcp        0      0 85.25.140.98:857        64.107.230.249:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:30313      213.39.191.98:2187      TIME_WAIT   -
tcp        0      0 85.25.140.98:40260      213.39.191.98:2144      TIME_WAIT   -
tcp        0      0 85.25.140.98:46272      213.39.191.98:2377      TIME_WAIT   -
tcp        0      0 85.25.140.98:42659      213.39.191.98:2139      TIME_WAIT   -
tcp        0     45 85.25.140.98:777        64.70.254.211:111       FIN_WAIT1   -
tcp        0      0 85.25.140.98:7880       213.39.191.98:2273      TIME_WAIT   -
tcp        0     45 85.25.140.98:778        64.70.254.209:111       FIN_WAIT1   -
tcp        0      0 85.25.140.98:18965      213.39.191.98:2227      TIME_WAIT   -
tcp        0      0 85.25.140.98:51606      64.106.131.76:111       TIME_WAIT   -
tcp        0      0 85.25.140.98:28823      213.39.191.98:2185      TIME_WAIT   -
tcp        0      0 85.25.140.98:10072      213.39.191.98:2271      TIME_WAIT   -
tcp        0      0 85.25.140.98:46795      213.39.191.98:2125      TIME_WAIT   -
tcp        0      0 85.25.140.98:41581      213.39.191.98:2136      TIME_WAIT   -
tcp        0      0 85.25.140.98:677        64.105.199.195:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:667        64.105.199.195:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:15696      213.39.191.98:2248      TIME_WAIT   -
tcp        0      0 85.25.140.98:40081      213.39.191.98:2153      TIME_WAIT   -
tcp        0      0 85.25.140.98:645        64.104.252.247:111      TIME_WAIT   -
tcp        0      0 85.25.140.98:53682      213.39.191.98:2085      TIME_WAIT   -
tcp        0      1 85.25.140.98:49652      86.132.101.66:111       SYN_SENT    3659/synscan
tcp        0      0 85.25.140.98:12765      213.39.191.98:2247      TIME_WAIT   -
tcp        0      0 85.25.140.98:32071      213.39.191.98:2188      TIME_WAIT   -
tcp        0      0 85.25.140.98:48460      213.39.191.98:2124      TIME_WAIT   -
tcp        0      1 85.25.140.98:33835      70.23.239.25:111        SYN_SENT    3620/synscan
tcp        1      1 85.25.140.98:53222      64.83.38.220:111        LAST_ACK    -
tcp        0      0 85.25.140.98:53887      64.107.218.5:111        TIME_WAIT   -
tcp        0      1 85.25.140.98:41062      88.111.235.66:111       SYN_SENT    3352/synscan
tcp        0      0 85.25.140.98:39984      64.107.115.227:111      ESTABLISHED 4054/synscan
tcp        0      0 85.25.140.98:39984      64.107.115.227:111      ESTABLISHED 4054/synscan
udp        0      0 85.25.140.98:59912      85.25.128.10:53         ESTABLISHED 4124/synscan
udp        0      0 85.25.140.98:59919      85.25.128.10:53         ESTABLISHED -
udp        0      0 85.25.140.98:59920      85.25.128.10:53         ESTABLISHED -
raw    51120      0 0.0.0.0:1               0.0.0.0:*               7           5089/ttymon
raw   105252      0 0.0.0.0:1               0.0.0.0:*               7           5089/ttymon
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
echo851:~ #


then this comes out
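The listing above already contains the answer a responder would read off it: a process called synscan owns sockets in SYN_SENT and ESTABLISHED to port 111 on many unrelated hosts, and a process called ttymon holds two raw sockets, something a web and mail server rarely needs. The triage helper below is an added example for this thread, not a tool from the forum or from server4you; it parses netstat output in the column layout shown above (sample lines are taken from the post, with one constructed sshd connection added for contrast) and groups the sockets per owning program.

```python
from collections import defaultdict

# Constructed sample in the layout of the netstat listing above: five synscan
# sockets, one ownerless TIME_WAIT, one raw socket, plus an invented sshd session.
SAMPLE = """\
tcp        0      1 85.25.140.98:50453      88.109.163.94:111       SYN_SENT    3211/synscan
tcp        0      1 85.25.140.98:42586      74.224.11.5:111         SYN_SENT    3632/synscan
tcp        0      1 85.25.140.98:60919      151.202.100.11:111      SYN_SENT    3633/synscan
tcp        0      0 85.25.140.98:39984      64.107.115.227:111      ESTABLISHED 4054/synscan
tcp        0      0 85.25.140.98:868        64.108.5.51:111         TIME_WAIT   -
tcp        0      0 85.25.140.98:22         198.51.100.7:53144      ESTABLISHED 2210/sshd
udp        0      0 85.25.140.98:59912      85.25.128.10:53         ESTABLISHED 4124/synscan
raw    51120      0 0.0.0.0:1               0.0.0.0:*               7           5089/ttymon
"""

PROTOS = {"tcp", "tcp6", "udp", "udp6", "raw"}


def parse_netstat(text):
    """Parse 'netstat -tupan'-style rows: proto recvq sendq local foreign state pid/program.
    Header lines and the UNIX-socket section have a different shape and are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] not in PROTOS:
            continue
        proto, recvq, sendq, local, foreign, state, owner = parts
        pid, _, program = owner.partition("/")          # "-" means no PID visible
        fhost, _, fport = foreign.rpartition(":")
        rows.append({
            "proto": proto, "recvq": int(recvq), "sendq": int(sendq),
            "local": local, "fhost": fhost, "fport": fport, "state": state,
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or None,
        })
    return rows


def per_program_summary(rows):
    """Socket count, distinct peers, peer ports and states for each owning program."""
    summary = defaultdict(lambda: {"sockets": 0, "foreign_hosts": set(),
                                   "foreign_ports": set(), "states": set(), "raw": 0})
    for r in rows:
        s = summary[r["program"] or "(no pid)"]
        s["sockets"] += 1
        s["foreign_hosts"].add(r["fhost"])
        s["foreign_ports"].add(r["fport"])
        s["states"].add(r["state"])
        if r["proto"] == "raw":
            s["raw"] += 1
    return dict(summary)


def flag_outbound_sweeps(rows, min_hosts=3):
    """Programs whose TCP sockets reach the same foreign port on at least
    min_hosts distinct hosts: the shape of a scanner, not of a server."""
    peers = defaultdict(set)
    for r in rows:
        if r["program"] and r["proto"].startswith("tcp"):
            peers[(r["program"], r["fport"])].add(r["fhost"])
    return sorted((prog, port, len(h)) for (prog, port), h in peers.items() if len(h) >= min_hosts)


def raw_socket_holders(rows):
    """(pid, program) pairs holding raw sockets; each one deserves a look on a hosting box."""
    return sorted({(r["pid"], r["program"]) for r in rows if r["proto"] == "raw" and r["program"]})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for prog, s in sorted(per_program_summary(rows).items()):
        print(f"{prog:12} sockets={s['sockets']} hosts={len(s['foreign_hosts'])} "
              f"ports={sorted(s['foreign_ports'])} states={sorted(s['states'])} raw={s['raw']}")
    print("sweeps:", flag_outbound_sweeps(rows))
    print("raw sockets:", raw_socket_holders(rows))
```

The per-program view is what to save before anything is killed: the PIDs in it (`3211`, `4054`, `5089` in the listing above) are what `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd` need to show where the binaries actually live, which is the first clue for the log search the later replies ask for.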
 
Kill all synscan processes.
Code:
killall -9 synscan   # kill(1) expects PIDs; killall(1) matches by process name

Edit:
Yes, you've been hacked.
Boot the server into rescue mode, find the spot through which the intrusion happened, reinstall the server and close the security hole.
Usually it's PHP scripts or CGI tools.

Or your passwords were too weak.

Edit 2:
There are many ways in.
The ones I just named are only the most common cases. There are other possibilities.
 
Very probably Joomla.
Did you have the latest Joomla version installed?
(Even if you did, it's not secure, but just out of interest)
 
Boot the server into rescue mode, find the spot through which the intrusion happened, reinstall the server and close the security hole.
Usually it's PHP scripts or CGI tools.

how does that work? is there a guide for it somewhere?

Boot the server into rescue mode, find the spot through which the intrusion happened, reinstall the server and close the security hole.
Usually it's PHP scripts or CGI tools.

yes I have the latest version installed
 
  • Boot the server into rescue mode:
    In the Server4You customer interface.
  • Find the spot through which the intrusion happened:
    Read and understand all log files until the problem spot is found
  • Reinstall the server:
    In the Server4You customer interface.
  • Close the security hole:
    This differs depending on the problem.
 
this is what happened on my server at the time of the incident
Code:
May  7 04:06:38 echo851 sshd[8746]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:06:40 echo851 sshd[8750]: Invalid user fluffy from ::ffff:200.123.187.136
May  7 04:06:40 echo851 sshd[8750]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:06:42 echo851 sshd[8752]: Invalid user admin from ::ffff:200.123.187.136
May  7 04:06:42 echo851 sshd[8752]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:06:47 echo851 sshd[8758]: Invalid user test from ::ffff:200.123.187.136
May  7 04:06:47 echo851 sshd[8758]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:06:50 echo851 sshd[8762]: Invalid user guest from ::ffff:200.123.187.136
May  7 04:06:50 echo851 sshd[8762]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:06:59 echo851 sshd[8766]: Invalid user webmaster from ::ffff:200.123.187.136
May  7 04:06:59 echo851 sshd[8766]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:01 echo851 sshd[8777]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:01 echo851 /usr/sbin/cron[8783]: (root) CMD (/usr/local/bin/maildircheck.sh >/dev/null 2>&1)
May  7 04:07:03 echo851 sshd[8785]: Invalid user oracle from ::ffff:200.123.187.136
May  7 04:07:03 echo851 sshd[8785]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:06 echo851 sshd[8789]: Invalid user library from ::ffff:200.123.187.136
May  7 04:07:06 echo851 sshd[8789]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:08 echo851 sshd[8792]: Invalid user info from ::ffff:200.123.187.136
May  7 04:07:08 echo851 sshd[8792]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:11 echo851 sshd[8794]: Invalid user shell from ::ffff:200.123.187.136
May  7 04:07:11 echo851 sshd[8794]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:14 echo851 sshd[8796]: Invalid user linux from ::ffff:200.123.187.136
May  7 04:07:14 echo851 sshd[8796]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:16 echo851 sshd[8800]: Invalid user unix from ::ffff:200.123.187.136
May  7 04:07:16 echo851 sshd[8800]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:18 echo851 sshd[8803]: Invalid user webadmin from ::ffff:200.123.187.136
May  7 04:07:18 echo851 sshd[8803]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:21 echo851 sshd[8809]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:23 echo851 sshd[8811]: Invalid user test from ::ffff:200.123.187.136
May  7 04:07:28 echo851 sshd[8811]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:29 echo851 sshd[8813]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:31 echo851 sshd[8815]: Invalid user admin from ::ffff:200.123.187.136
May  7 04:07:31 echo851 sshd[8815]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:34 echo851 sshd[8818]: Invalid user guest from ::ffff:200.123.187.136
May  7 04:07:34 echo851 sshd[8818]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:36 echo851 sshd[8820]: Invalid user master from ::ffff:200.123.187.136
May  7 04:07:36 echo851 sshd[8820]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:43 echo851 sshd[8824]: Invalid user apache from ::ffff:200.123.187.136
May  7 04:07:43 echo851 sshd[8824]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
May  7 04:07:46 echo851 sshd[8826]: reverse mapping checking getaddrinfo for customer123-187-136.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
what would be the logical conclusion from this, or which security tool?
 
That nobody got in via SSH. Check your access_log, you're more likely to find something there (that's my guess at least; the software you're running is very vulnerable to that).

And please use CODE tags.
 
Besides, how do you arrive at the "time of the incident"?
The culprit could just as well have gotten into the system a week or a month ago.
 
couldn't I, for the time being, "forbid" my server from executing this one function that led to the abuse, until I know exactly where the problem lies?
 
Hello,

do us (and yourself) a favour and finally send the server into rescue mode.
As was already mentioned further up.

Otherwise you will only have more trouble; that is not a threat!
That is experience talking!
 
Sure, you can kill the synscan processes. Which, by the way, I have already told you once.
But the hole stays open and the "culprit" can restart the program at any time.

Therefore the only sensible solution to be able to tackle the whole thing calmly:
Rescue mode

(Now for the 3rd or 4th time. :rolleyes:)
 
What has already been written umpteen times: :mad:
Rescue mode, then mount your disk, then look for the hole in the log files, close it, make a backup and reinstall the server.

And take a look at this link, point 3.2 is a hot tip for you!
 
sorry, not everyone knows this stuff as well as you do. Thanks anyway and have a nice evening.
 
Hello,

nobody expects that either.
But it would be nice if one also read the answers one receives to one's questions.

:)
 