V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
通过以下 Referral 链接购买 DigitalOcean 主机,你将可以帮助 V2EX 持续发展
DigitalOcean - SSD Cloud Servers
zijian
V2EX  ›  VPS

DO 账号被封,貌似主机被黑了

  •  
  •   zijian · 2014-03-22 12:11:20 +08:00 · 1746 次点击
    这是一个创建于 3901 天前的主题,其中的信息可能已经有所发展或是发生改变。
    这几天陆续接到DigitalOcean的邮件,告诉我好像主机被别人利用做什么攻击了,具体我也看不太懂,过了几天,就在昨晚,他们终于把我账号封了,主机也操作不了,我贴出日志,大家帮忙看看我下面该怎么做,怎么和DO解释。
    17 条回复    1970-01-01 08:00:00 +08:00
    zijian
        1
    zijian  
    OP
       2014-03-22 12:12:11 +08:00
    Please review the following abuse complaint and provide us with a resolution:

    ******************************
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Date : 12-03-2014 10:54:06 hs
    Send to: [email protected]
    ============================================================

    You are receiving this message because you are listed as the contact for the IP 162.243.149.107 on the RIPE ().
    This message is intended for the person responsible for computer security at your site. If this is not the correct address, please forward this message to the appropriate party.

    Incident Number: TN-632445/2014
    ===========================================

    Dear Administrator,

    We have detected a recent scan probe in our servers. This security incident seems to be originated from an IP address registered to your network.
    Here follows the log records regarding such incidente.

    Timezone in UTC.

    ###begin###

    2014-03-11 14:36:24 pass TCP from 162.243.149.107:36327 to 143.106.XXX.204:9090
    2014-03-11 14:37:49 pass TCP from 162.243.149.107:33004 to 143.106.XXX.219:9090
    2014-03-11 14:38:36 pass TCP from 162.243.149.107:42971 to 143.106.XXX.228:9090
    2014-03-11 14:38:53 pass TCP from 162.243.149.107:42789 to 143.106.XXX.247:9090
    2014-03-11 14:39:02 pass TCP from 162.243.149.107:50509 to 143.106.XXX.203:9090
    2014-03-11 14:39:34 pass TCP from 162.243.149.107:35213 to 143.106.XXX.240:9090
    2014-03-11 14:40:53 pass TCP from 162.243.149.107:52631 to 143.106.XXX.220:9090
    2014-03-11 14:41:14 pass TCP from 162.243.149.107:36356 to 143.106.XXX.204:9090
    2014-03-11 14:42:22 pass TCP from 162.243.149.107:41720 to 143.106.XXX.251:9090
    2014-03-11 14:43:15 pass TCP from 162.243.149.107:60097 to 143.106.XXX.232:9090
    [...]
    2014-03-11 16:33:56 pass TCP from 162.243.149.107:48371 to 143.106.XXX.253:443
    2014-03-11 16:34:01 pass TCP from 162.243.149.107:44165 to 143.106.XXX.206:443
    2014-03-11 16:34:02 pass TCP from 162.243.149.107:47445 to 143.106.XXX.240:443
    2014-03-11 16:34:02 pass TCP from 162.243.149.107:47445 to 143.106.XXX.240:443
    2014-03-11 16:34:03 pass TCP from 162.243.149.107:50362 to 143.106.XXX.227:443
    2014-03-11 16:34:10 pass TCP from 162.243.149.107:34954 to 143.106.XXX.254:443
    2014-03-11 16:34:18 pass TCP from 162.243.149.107:43724 to 143.106.XXX.238:443
    2014-03-11 16:34:18 pass TCP from 162.243.149.107:43724 to 143.106.XXX.238:443
    2014-03-11 16:34:20 pass TCP from 162.243.149.107:55631 to 143.106.XXX.202:443
    2014-03-11 16:34:31 pass TCP from 162.243.149.107:47474 to 143.106.XXX.201:443

    ###end###

    We are asking for your help in order to identify who did chose conections and what was his/her purpose.
    You should investigate this suspicious activity because it could mean that your network has been compromised and is being used as a launch point for attacks, or someone of your legitimate users are doing hacking activities.
    We would like to inform that we maintain a database with all incident reporting and tracking of State University of Campinas and we need your response as soon as possible to resolve this entry.
    zijian
        2
    zijian  
    OP
       2014-03-22 12:12:34 +08:00
    We have blocked someone from your IP space for abuse. Reason: Port_Scanning. Log lines are below. Time zone is UTC.

    2014-03-21T06:02:00+00:00 slurp 1395381719.608702 - - - - - - - - tcp Scan::Address_Scan 162.243.149.107 scanned at least 52 unique hosts on port 8080/tcp in 0m30s remote 162.243.149.107 - 8080 - slurp4-8 Notice::ACTION_LOG 3600.000000 F - - - - -

    I am writing to inform you so that you can take whatever action is necessary to prevent this user from doing this again. We would be happy to discuss further if you would like. Please feel free to respond to this email to follow up.
    zijian
        3
    zijian  
    OP
       2014-03-22 12:12:57 +08:00
    We have detected abuse from the IP address 162.243.149.107. See below for how we obtained your email address in case it is wrong. We would appreciate if you would investigate and take action as appropriate.

    ** THIS IP ADDRESS IS NULL ROUTED on our entire network, including peering and transit, for a period of time not exceeding 24 hours from the date and time of this email. YOU ARE NOT REQUIRED to reply to this email unless you need more information.

    You can see more information on this incident by reviewing the data at http://darknet.superb.net/ip/162.243.149.107 and log lines are given below. Please ask if you require any further information.

    You may contact us at [email protected]
    (If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by an automated process.)

    The recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information they provide derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email ([email protected]). Information about the Abuse Contact Database can be found here:
    http://abusix.com/global-reporting/abuse-contact-db

    abusix.com is neither responsible nor liable for the content or accuracy of this message.

    Note: Local timezone is -0400 (EDT)
    /var/log/messages:Mar 21 03:17:24 darknet.superb.net Darknet: 162.243.149.107 exceeded connection attempt threshold to tcp:8080 11 times in a 30 minute period
    /var/log/messages:Mar 21 03:47:24 darknet.superb.net Darknet: 162.243.149.107 exceeded connection attempt threshold to tcp:8080 15 times in a 30 minute period
    /var/log/messages:Mar 21 04:17:24 darknet.superb.net Darknet: 162.243.149.107 exceeded connection attempt threshold to tcp:8080 19 times in a 30 minute period
    /var/log/messages:Mar 21 04:47:24 darknet.superb.net Darknet: 162.243.149.107 exceeded connection attempt threshold to tcp:8080 14 times in a 30 minute period
    /var/log/messages:Mar 21 05:17:24 darknet.superb.net Darknet: 162.243.149.107 exceeded connection attempt threshold to tcp:8080 15 times in a 30 minute period
    /var/log/messages:Mar 21 07:47:25 darknet.superb.net Darknet: 162.243.149.107 exceeded connection attempt threshold to tcp:8080 15 times in a 30 minute period
    zijian
        4
    zijian  
    OP
       2014-03-22 12:13:22 +08:00
    162.243.149.107 was observed probing caltech.edu for security holes. It
    has been blocked at our border routers. It may be compromised.

    For more info contact [email protected]
    Please include the entire subject line of the original message

    Blake

    (time zone of log is PDT, which is UTC-07:00, date is MMDD)
    log entries are from Cisco netflow, time is flow start time
    date.time srcIP srcPort dstIP dstPort proto #pkts
    0320.23:01:48.420 162.243.149.107 46152 131.215.135.191 8080 6 2
    0320.23:02:10.853 162.243.149.107 57528 131.215.154.0 8080 6 1
    0320.23:01:25.882 162.243.149.107 53225 134.4.235.178 8080 6 1
    0320.23:01:26.134 162.243.149.107 59304 131.215.153.101 8080 6 1
    0320.23:01:26.328 162.243.149.107 39040 134.4.121.68 8080 6 1
    0320.23:01:24.727 162.243.149.107 53630 131.215.82.97 8080 6 1
    0320.23:01:24.919 162.243.149.107 42822 134.4.162.162 8080 6 1
    0320.23:01:25.624 162.243.149.107 40470 134.4.220.73 8080 6 1
    0320.23:01:26.776 162.243.149.107 54059 131.215.80.189 8080 6 1
    0320.23:01:24.864 162.243.149.107 54581 131.215.146.113 8080 6 1
    0320.23:01:26.208 162.243.149.107 53385 134.4.151.55 8080 6 1
    0320.23:01:26.720 162.243.149.107 52704 131.215.2.61 8080 6 1
    0320.23:01:27.745 162.243.149.107 36567 134.4.146.2 8080 6 1
    0320.23:01:25.183 162.243.149.107 36047 131.215.5.217 8080 6 1
    0320.23:01:25.505 162.243.149.107 35974 134.4.242.118 8080 6 1
    0320.23:01:25.824 162.243.149.107 45020 134.4.22.99 8080 6 1
    0320.23:01:26.721 162.243.149.107 58952 131.215.36.159 8080 6 1
    0320.23:01:26.848 162.243.149.107 36200 134.4.82.140 8080 6 1
    0320.23:02:13.449 162.243.149.107 51692 192.12.19.147 8080 6 2
    0320.23:01:30.871 162.243.149.107 56782 134.4.94.105 8080 6 1
    zijian
        5
    zijian  
    OP
       2014-03-22 12:14:12 +08:00
    This email is from the IT Security Team at Utah State University.

    This email describes suspicious and/or malicious network activity
    that appears to be sourced from your network. We have included
    IP Addresses as well as description, documentation, log snippets,
    and other useful information about this event.

    Please review this information and/or forward to the responsible person.

    Thank you.

    USU Network Security Team
    Utah State University Information Technology
    4410 Old Main Hill
    Logan, UT 84322-4410
    (435)797-1804

    IP/CIDR Address: 162.243.149.107

    Description:
    162.243.149.107 scanned 129.123.0.0/16 for TCP/8080.

    Log Snippet (Timestamps are MDT or GMT -0600):
    Date flow start Duration Src IP Addr Src Pt Dst IP Addr Dst Pt Flags Packets Bytes Proto
    2014-03-21 00:01:35.518 0.000 162.243.149.107 54186 129.123.199.242 8080 ....S. 1 40 6
    2014-03-21 00:01:43.461 0.000 162.243.149.107 44448 129.123.192.79 8080 ....S. 1 40 6
    2014-03-21 00:01:49.975 0.000 162.243.149.107 35538 129.123.9.61 8080 ....S. 1 40 6
    2014-03-21 00:01:51.348 0.000 162.243.149.107 52877 129.123.196.24 8080 ....S. 1 40 6
    2014-03-21 00:01:55.954 0.000 162.243.149.107 35187 129.123.190.237 8080 ....S. 1 40 6
    2014-03-21 00:02:33.003 0.000 162.243.149.107 49553 204.113.91.120 8080 ....S. 1 40 6
    2014-03-21 00:02:33.163 0.000 162.243.149.107 48751 129.123.123.2 8080 ....S. 1 40 6
    2014-03-21 00:02:40.513 0.000 162.243.149.107 41920 129.123.197.7 8080 ....S. 1 40 6
    2014-03-21 00:02:41.530 0.000 162.243.149.107 56188 129.123.192.252 8080 ....S. 1 40 6
    2014-03-21 00:02:42.892 0.000 162.243.149.107 37651 129.123.193.155 8080 ....S. 1 40 6
    2014-03-21 00:03:04.538 0.000 162.243.149.107 47344 129.123.194.226 8080 ....S. 1 40 6
    2014-03-21 00:03:47.055 0.000 162.243.149.107 40401 204.113.91.74 8080 ....S. 1 40 6
    2014-03-21 00:03:50.385 0.060 162.243.149.107 53694 129.123.44.61 8080 ...RS. 2 80 6
    2014-03-21 00:03:50.411 0.000 129.123.44.61 8080 162.243.149.107 53694 .A..S. 1 44 6
    2014-03-21 00:08:47.203 0.000 162.243.149.107 50176 129.123.198.93 8080 ....S. 1 40 6
    2014-03-21 00:09:24.956 0.000 162.243.149.107 50326 129.123.124.234 8080 ....S. 1 40 6
    2014-03-21 00:09:27.489 0.000 162.243.149.107 58694 129.123.194.248 8080 ....S. 1 40 6
    2014-03-21 00:09:28.011 0.000 162.243.149.107 57072 129.123.194.210 8080 ....S. 1 40 6
    2014-03-21 00:09:29.571 0.000 162.243.149.107 45935 129.123.197.155 8080 ....S. 1 40 6
    2014-03-21 00:09:33.720 0.000 162.243.149.107 51744 204.113.91.102 8080 ....S. 1 40 6
    2014-03-21 00:09:49.379 0.000 162.243.149.107 56471 129.123.193.71 8080 ....S. 1 40 6
    2014-03-21 00:10:25.112 0.000 162.243.149.107 40316 129.123.196.105 8080 ....S. 1 40 6
    2014-03-21 00:10:48.854 0.000 162.243.149.107 41611 129.123.197.144 8080 ....S. 1 40 6
    2014-03-21 00:10:55.181 0.000 162.243.149.107 52034 129.123.6.127 8080 ....S. 1 40 6
    2014-03-21 00:11:03.626 0.000 162.243.149.107 60301 129.123.6.118 8080 ....S. 1 40 6
    2014-03-21 00:11:29.760 0.000 162.243.149.107 35350 129.123.144.26 8080 ....S. 1 40 6
    2014-03-21 00:11:48.487 0.000 162.243.149.107 39401 129.123.192.112 8080 ....S. 1 40 6
    2014-03-21 00:11:49.782 0.000 162.243.149.107 57839 129.123.198.2 8080 ....S. 1 40 6
    2014-03-21 00:11:53.511 0.000 162.243.149.107 38133 129.123.198.136 8080 ....S. 1 40 6
    2014-03-21 00:11:53.867 0.000 162.243.149.107 37319 129.123.192.193 8080 ....S. 1 40 6
    2014-03-21 00:11:56.838 0.000 162.243.149.107 46309 129.123.199.175 8080 ....S. 1 40 6
    2014-03-21 00:34:25.287 0.000 162.243.149.107 56388 129.123.194.146 8080 ....S. 1 40 6
    2014-03-21 00:34:26.495 0.000 162.243.149.107 36881 129.123.123.148 8080 ....S. 1 40 6
    2014-03-21 00:34:29.941 0.000 162.243.149.107 43752 129.123.198.104 8080 ....S. 1 40 6
    2014-03-21 00:34:54.575 0.000 162.243.149.107 52018 129.123.47.237 8080 ....S. 1 40 6
    2014-03-21 00:34:58.348 0.000 162.243.149.107 54173 129.123.193.205 8080 ....S. 1 40 6
    2014-03-21 00:35:16.607 0.000 162.243.149.107 34493 204.113.91.75 8080 ....S. 1 40 6
    2014-03-21 00:35:20.663 0.000 162.243.149.107 43534 204.113.91.27 8080 ....S. 1 40 6
    2014-03-21 00:35:21.487 0.000 162.243.149.107 55875 129.123.6.162 8080 ....S. 1 40 6
    2014-03-21 00:35:38.251 0.000 162.243.149.107 56618 129.123.197.93 8080 ....S. 1 40 6
    2014-03-21 00:35:55.060 0.000 162.243.149.107 53639 129.123.199.125 8080 ....S. 1 40 6
    2014-03-21 00:36:02.278 0.000 162.243.149.107 35218 129.123.199.230 8080 ....S. 1 40 6
    2014-03-21 00:36:14.170 0.000 162.243.149.107 41974 129.123.192.249 8080 ....S. 1 40 6
    2014-03-21 00:36:45.131 0.000 162.243.149.107 33579 129.123.195.241 8080 ....S. 1 40 6
    2014-03-21 00:37:42.490 0.000 162.243.149.107 59077 129.123.41.212 8080 ....S. 1 40 6
    2014-03-21 00:37:47.779 0.000 162.243.149.107 34653 129.123.196.199 8080 ....S. 1 40 6
    2014-03-21 00:37:55.391 0.000 162.243.149.107 49662 129.123.196.7 8080 ....S. 1 40 6
    2014-03-21 00:38:02.218 0.000 162.243.149.107 57254 204.113.91.70 8080 ....S. 1 40 6
    2014-03-21 00:38:07.456 0.000 162.243.149.107 45466 129.123.68.69 8080 ....S. 1 40 6
    2014-03-21 00:38:09.532 0.000 162.243.149.107 57929 129.123.6.176 8080 ....S. 1 40 6
    2014-03-21 00:38:21.860 0.000 162.243.149.107 36596 129.123.193.10 8080 ....S. 1 40 6

    Whois data for 162.243.149.107 at time of email:

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #

    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=162.243.149.107?showDetails=true&showARIN=false&ext=netref2
    #

    NetRange: 162.243.0.0 - 162.243.255.255
    CIDR: 162.243.0.0/16
    OriginAS: AS14061, AS62567, AS46652
    NetName: DIGITALOCEAN-7
    NetHandle: NET-162-243-0-0-1
    Parent: NET-162-0-0-0-0
    NetType: Direct Allocation
    Comment: http://www.digitalocean.com
    Comment: Simple Cloud Hosting
    RegDate: 2013-09-06
    Updated: 2013-09-06
    Ref: http://whois.arin.net/rest/net/NET-162-243-0-0-1

    OrgName: Digital Ocean, Inc.
    OrgId: DO-13
    Address: 270 Lafayette St
    Address: Suite 1105
    City: New York
    StateProv: NY
    PostalCode: 10012
    Country: US
    RegDate: 2012-05-14
    Updated: 2013-12-12
    Ref: http://whois.arin.net/rest/org/DO-13

    OrgAbuseHandle: URETS-ARIN
    OrgAbuseName: Uretsky, Ben
    OrgAbusePhone: +1-646-397-8051
    OrgAbuseEmail: [email protected]
    OrgAbuseRef: http://whois.arin.net/rest/poc/URETS-ARIN

    OrgTechHandle: URETS-ARIN
    OrgTechName: Uretsky, Ben
    OrgTechPhone: +1-646-397-8051
    OrgTechEmail: [email protected]
    OrgTechRef: http://whois.arin.net/rest/poc/URETS-ARIN

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    zijian
        6
    zijian  
    OP
       2014-03-22 12:14:40 +08:00
    We have noticed suspicious activity from 162.243.149.107 aimed at one of our servers.
    Please investigate this host and disable whichever exploit or malware is causing this activity.
    For more information or questions please refer to our website located at http://www.abuse.bz/

    Here are our raw logs:
    ==
    [2014-03-21 01:12:17 CET] [Timestamp: 1395360738] [10502896.956902] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=77.95.225.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=56231 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 01:13:19 CET] [Timestamp: 1395360800] [10502958.855909] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=128.204.206.251 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=50640 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 01:28:26 CET] [Timestamp: 1395361707] [10503866.019311] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=77.95.230.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=52781 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 01:29:07 CET] [Timestamp: 1395361748] [10503906.972359] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=128.204.205.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=48438 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 02:54:18 CET] [Timestamp: 1395366859] [10509018.004304] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=37.148.160.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=51430 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 02:56:38 CET] [Timestamp: 1395366998] [10509157.619023] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=37.148.167.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=41525 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 03:04:23 CET] [Timestamp: 1395367463] [10509622.740358] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=78.41.201.251 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44663 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 03:49:06 CET] [Timestamp: 1395370147] [10512305.808307] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=77.95.229.251 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=60979 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 04:26:08 CET] [Timestamp: 1395372369] [10514528.410242] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=89.207.133.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=54742 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 04:46:17 CET] [Timestamp: 1395373578] [10515737.432167] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=89.207.129.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=54989 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 04:55:17 CET] [Timestamp: 1395374117] [10516276.329147] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=37.148.165.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55148 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 04:56:09 CET] [Timestamp: 1395374169] [10516328.251299] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=77.95.226.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=39662 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 04:56:15 CET] [Timestamp: 1395374176] [10516334.771017] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=128.204.197.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=46791 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 05:01:22 CET] [Timestamp: 1395374482] [10516641.835433] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=77.95.224.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=45822 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 06:18:02 CET] [Timestamp: 1395379083] [10521242.515018] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=37.148.166.251 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=36702 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 06:18:53 CET] [Timestamp: 1395379133] [10521292.751364] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=195.20.205.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=37720 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    [2014-03-21 07:31:23 CET] [Timestamp: 1395383484] [10525643.720661] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=162.243.149.107 DST=128.204.204.251 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=51268 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
    a2z
        7
    a2z  
       2014-03-22 12:38:39 +08:00
    基本就是你的vps被用来扫端口了……
    之前我自己测试massscan的时候也被发过这个。
    zijian
        8
    zijian  
    OP
       2014-03-22 12:46:01 +08:00
    @a2z 那還能找他們回復我的賬戶嗎?
    a2z
        9
    a2z  
       2014-03-22 12:47:18 +08:00   ❤️ 1
    @zijian
    那要看他们了。你就说这个和你一点关系都没有,被hacked,让他们重开一台试试
    764664
        10
    764664  
       2014-03-22 12:49:20 +08:00   ❤️ 1
    个人意见:这些记录没有必要一条一条看,总而言之就是你的vps被黑了,过了那么多天你都不处理一直到现在被封其实不太能让人理解。。现在因为已经没有了vps的访问权限已经很难找到被黑的原因,要解释也就是说没做好安全工作被黑了吧,也没更多能解释的了
    zijian
        11
    zijian  
    OP
       2014-03-22 12:49:41 +08:00
    @a2z 嗯 謝謝 我已經和他們解釋了,就說自己不會任何hack技術
    zijian
        12
    zijian  
    OP
       2014-03-22 12:53:12 +08:00
    @764664 嗯 確實因為自己的疏忽,沒有理睬他們的通知,這檯服務器是我用來做測試用的
    moname
        13
    moname  
       2014-03-22 13:00:28 +08:00
    国外商家一般都不会封你的号,若你积极的处理。
    wxstorm
        14
    wxstorm  
       2014-03-22 13:16:24 +08:00
    这几天do确实很慢
    vibbow
        15
    vibbow  
       2014-03-23 03:58:54 +08:00
    人家给你警告了那么多次你都不理...
    SharkIng
        16
    SharkIng  
       2014-03-23 09:28:09 +08:00
    最近好像很多这种,一般都是一些代码或者是程序出了问题,你看看你VPS上跑的东西吧
    workaholic
        17
    workaholic  
       2014-03-24 14:40:12 +08:00
    @zijian 已经抓到它了
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5605 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 29ms · UTC 07:44 · PVG 15:44 · LAX 23:44 · JFK 02:44
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.