
Anti-Hack


skegyuk
24-02-2015, 12:59
Hi Marks,

Thanks for the reply. I will try and re-create the issue; once it is back, I will be sure to let you know the IP and date/time.

Danny

marks
23-02-2015, 17:23
> Hi,
>
> This is 100% a false positive. I recently re-installed a server with Server 2008 and left it running over the weekend (never even connected in); it was suspended on Sunday PM!
>
> I have asked Neil to check it again.
>
> Danny

I would be very surprised if it's a false positive, though we would definitely check it.

In any case, when the engineers have detected that traffic, they haven't made it up. That traffic did exist in the network at that time, and it's not allowed. Another thing is whether that should be allowed, which can be discussed.

Could you send us your server name or IP?

Thanks.

alvaroag
23-02-2015, 14:57
I don't think it's a false positive... It's normal for an anti-hack system to need tuning in order to be fully functional. Otherwise, false positives occur, because the criteria of the system consider some activity a hack attempt. But in this case, there IS suspicious activity. It seems improbable that the traffic is fake.

Why don't you try running Wireshark? Check which app generated such traffic. Also, check your process tree (I recommend Procexp from Sysinternals). Try to stop unknown services. Disable IPv6 transition technologies. Also, if you are not using IPv6, disable it on your interfaces.

One of those may help you.

skegyuk
23-02-2015, 13:48
Hi,

This is 100% a false positive. I recently re-installed a server with Server 2008 and left it running over the weekend (never even connected in); it was suspended on Sunday PM!

I have asked Neil to check it again.

Danny

Careimages
16-02-2015, 17:37
Protocol 41 is IPv6 encapsulation and 192.88.99.1 is an IANA reserved address: "Addresses starting with '192.88.99.' are used by anyone running a 6to4 relay router." Not something your server should be sending out. So possibly some IPv6 process gone wrong?

heise
16-02-2015, 17:02
http://forum.ovh.co.uk/showthread.ph...ll=1#post70061 for official answer.

Ozan
16-02-2015, 16:50
Hello,

I have a Windows server, but I consistently receive this email.
What could be the problem? Only uploads and downloads are in progress here.

Windows Server 2008 is the operating system installed.
Thanks in advance for your help...




Dear Customer,

The IP address 176.31.196.163 had to be blocked by our services due to
the various alerts received.

Please don't hesitate to contact our technical support team so that this situation does not become critical.

You can find the logs brought up by our system which led to this alert.

- START OF ADDITIONAL INFO -

Attack detail : 3Kpps/3Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 176.31.196.163:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER



- END OF ADDITIONAL INFO -


OVH Customer Support.
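
A way to triage an alert like the one quoted above, as an added example that is not part of the original thread or of OVH's tooling: it parses rows in the alert's column layout and flags protocol 41 traffic sent to the 192.88.99.x 6to4 relay range mentioned in the replies. The function names and the sample rows (documentation addresses) are constructed for illustration.

```python
import ipaddress
import re

# RFC 3068 anycast prefix for 6to4 relay routers (the 192.88.99.x range named in the thread).
SIX_TO_FOUR_RELAYS = ipaddress.ip_network("192.88.99.0/24")
PROTO_IPV6_ENCAP = 41  # IANA protocol number for IPv6-in-IPv4 encapsulation

# One alert row: dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
ROW = re.compile(
    r"^(?P<when>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} \S+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\d+) (?P<flags>\S+) (?P<bytes>\d+) (?P<reason>\S+)$"
)

def parse_alert(text):
    """Return one dict per flow row; the header and free-text lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["proto"], row["bytes"] = int(row["proto"]), int(row["bytes"])
            rows.append(row)
    return rows

def classify(row):
    """Label a flow as 6to4 relay traffic, other IPv6 tunnelling, or unclassified."""
    if row["proto"] != PROTO_IPV6_ENCAP:
        return "other"
    if ipaddress.ip_address(row["dst"]) in SIX_TO_FOUR_RELAYS:
        return "6to4-relay"
    return "ipv6-in-ipv4"

def summarize(text):
    """Row and byte totals per (source, destination, label)."""
    out = {}
    for row in parse_alert(text):
        key = (row["src"], row["dst"], classify(row))
        stats = out.setdefault(key, {"rows": 0, "bytes": 0})
        stats["rows"] += 1
        stats["bytes"] += row["bytes"]
    return out

# Constructed sample in the alert's format, using documentation addresses (RFC 5737).
SAMPLE = """dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2015.02.16 17:37:47 CET 192.0.2.10:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:47 CET 192.0.2.10:0 192.88.99.1:0 41 --- 1128 ATTACK:OTHER
2015.02.16 17:37:48 CET 192.0.2.10:0 198.51.100.7:0 41 --- 600 ATTACK:OTHER
2015.02.16 17:37:48 CET 192.0.2.10:4444 203.0.113.5:80 17 --- 60 ATTACK:OTHER
"""
```

A `6to4-relay` result points at the host's 6to4 transition interface, which is what the advice in the thread to disable IPv6 transition technologies addresses (on Windows, for example, `netsh interface 6to4 set state disabled`).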