
Can I get some assistance already?


Dani
24-01-2017, 14:41
Hi

Yes, I am back. I will try to help out as much as possible.

I will look to grow the forum and to do some clean up.

Thanks

Danny

alvaroag
24-01-2017, 06:12
Quote Originally Posted by Dani
Hi

I checked through the network logs, including the ones which we have sent you.

Based on the information I have gathered, it appears your server was actively making numerous connections to other OVH IPs on 151.80.0.0/16.

Your server was making connections to other servers on port 3389, which is the Windows default Remote Desktop Port (RDP).

This means your server was brute forcing other servers in an attempt to establish a connection for login details.

Due to this network behaviour we had to put the server into rescue mode to prevent it from affecting other customers.

We will provide you with more information in the ticket.

Thanks

Danny
Exactly what I said, but with more details

BTW, Danny, good to see you again around here. Long time no OVH was seen these ways....

Dani
23-01-2017, 22:53
Hi

I checked through the network logs, including the ones which we have sent you.

Based on the information I have gathered, it appears your server was actively making numerous connections to other OVH IPs on 151.80.0.0/16.

Your server was making connections to other servers on port 3389, which is the Windows default Remote Desktop Port (RDP).

This means your server was brute forcing other servers in an attempt to establish a connection for login details.

Due to this network behaviour we had to put the server into rescue mode to prevent it from affecting other customers.

We will provide you with more information in the ticket.

Thanks

Danny

seaston
23-01-2017, 15:51
Quote Originally Posted by alvaroag
If you cannot change the boot to HDD, then your server has been forced into rescue mode because of Anti-hack, not because of a DDoS attack. That means your server was launching (NOT receiving) some kind of attack (you should have received details on email).

This may have happened because you did not secure your server enough, and it may have been hacked. Remember the AntiDDOS is only for network-level attacks; you are solely responsible for protecting your server against OS-level and app-level attacks.
Code:
- START OF ADDITIONAL INFORMATION -

Attack detail : 19K scans
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason 
2017.01.22 08:54:39 CET 94.23.195.224:56720 151.80.121.56:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56721 151.80.121.57:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56719 151.80.121.55:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56714 151.80.121.50:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56718 151.80.121.54:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56725 151.80.121.61:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56712 151.80.121.48:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56727 151.80.121.63:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56724 151.80.121.60:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:56715 151.80.121.51:3389 TCP SYN 48 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61414 151.80.69.101:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:59502 151.80.126.177:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61552 151.80.69.181:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61544 151.80.69.176:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61548 151.80.69.178:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61561 151.80.69.184:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61558 151.80.69.183:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61554 151.80.69.182:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61549 151.80.69.179:3389 TCP SYN 52 SCAN:SYN 
2017.01.22 08:54:39 CET 94.23.195.224:61563 151.80.69.185:3389 TCP SYN 52 SCAN:SYN 



- END OF ADDITIONAL INFORMATION -
Yeah ok buddy
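A defender-side way to check, from an excerpt like the one quoted above, for the pattern Danny describes (one source sending SYNs to many distinct hosts on 3389 inside 151.80.0.0/16). This is an added example, not part of the thread or of OVH's anti-hack tooling; the sample log is constructed in the layout of the quoted excerpt, reusing its source address and adding two 443 lines as a non-scan control.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted "Attack detail" excerpt (header
# line included); the two 443 lines are added so a non-scan pattern is present.
SAMPLE_LOG = """\
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2017.01.22 08:54:39 CET 94.23.195.224:56720 151.80.121.56:3389 TCP SYN 48 SCAN:SYN
2017.01.22 08:54:39 CET 94.23.195.224:56721 151.80.121.57:3389 TCP SYN 48 SCAN:SYN
2017.01.22 08:54:39 CET 94.23.195.224:56719 151.80.121.55:3389 TCP SYN 48 SCAN:SYN
2017.01.22 08:54:40 CET 94.23.195.224:56714 151.80.121.50:3389 TCP SYN 48 SCAN:SYN
2017.01.22 08:54:40 CET 94.23.195.224:44100 151.80.121.50:443 TCP SYN 52 SCAN:SYN
2017.01.22 08:54:40 CET 94.23.195.224:44101 151.80.121.50:443 TCP SYN 52 SCAN:SYN
"""

# One detail line: date time tz src:sport dst:dport proto flags bytes reason
LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+) (?P<flags>\S+) (?P<bytes>\d+) (?P<reason>\S+)$"
)

def parse_lines(text):
    """Parse detail lines into dicts; header, banner and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "bytes"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def find_scan_sources(records, min_targets=3):
    """Return {(src, dport): [distinct dst, ...]} for pairs reaching >= min_targets hosts."""
    # Distinct destination hosts, not raw connection count, is what separates a
    # horizontal scan (one port, many hosts) from repeated attempts against one host.
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["flags"] == "SYN":
            targets[(r["src"], r["dport"])].add(r["dst"])
    return {k: sorted(v, key=ipaddress.ip_address)
            for k, v in targets.items() if len(v) >= min_targets}

def all_in_network(hosts, cidr):
    """True if every host lies inside cidr, e.g. the 151.80.0.0/16 block cited above."""
    net = ipaddress.ip_network(cidr)
    return all(ipaddress.ip_address(h) in net for h in hosts)
```

Running it over the sample flags only the 3389 pair (four distinct hosts) while the two 443 SYNs to a single host stay below the threshold.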

alvaroag
23-01-2017, 15:42
If you cannot change the boot to HDD, then your server has been forced into rescue mode because of Anti-hack, not because of a DDoS attack. That means your server was launching (NOT receiving) some kind of attack (you should have received details on email).

This may have happened because you did not secure your server enough, and it may have been hacked. Remember the AntiDDOS is only for network-level attacks; you are solely responsible for protecting your server against OS-level and app-level attacks.

seaston
23-01-2017, 14:52
First it took me some time to get my account validated, then the server had problems and died a couple of times... And now I can't change netboot because of a DoS attack.

I've been waiting to get help through the ticket system but it's taking ages...

I can't change my Netboot from Rescue mode to HDD... I'm starting to regret turning to SyS.

Ticket ID 4900417 (I think this is the id?)
Login detail: ia67783-sys