need help, vps suspended by letbox because of port scanning.

blade88 Member

Need help explaining a firewall log. They say my VPS was port scanning their network (I never do that).
My VPS IPs are:
144.172.68.146
2a0b:ae41::35
2a0b:ae41::36
2a0b:ae41::37
2a0b:ae41::38
Thanks.
The log:

https://imgur.com/Q4TtT1T
https://imgur.com/jji2yXD


Comments

  • How about

    Well

    I don't know

    Asking your provider through a ticket?

  • Already on the ticket; they sent me that log.

  • Your VPS compromised?

  • I think the provider has a duty to prevent others on the node from being compromised. Letbox doesn't have poor reviews except for maybe less than competent English. If you don't know how it happened, I think it is more probable that you don't really know how to secure your server.

  • uptime Member
    edited March 2019

    looking at that logfile, it seems that you have been owned by a martian source.

    This may be a symptom of inferior pootassiums.

    EDIT2: Good luck with your LetBox

    EDIT3:

    Seriously, I'll be interested to better understand the "martian source" entries.

    Hopefully someone (not me) will have a clue or two to share ...

    EDIT4:

    https://serverfault.com/questions/244648/linux-martian-source-in-var-log-messages/

  • @chocolateshirt said:
    Your VPS compromised?

    Not sure, but I found several trojans on my Windows PC. And I only use public key authentication to log in.

    @poisson said:
    I think the provider has a duty to prevent others on the node from being compromised. Letbox doesn't have poor reviews except for maybe less than competent English. If you don't know how it happened, I think it is more probable that you don't really know how to secure your server.

    Using centminmod (no panel) and the default firewall option from centminmod.

  • @blade88 said:

    @chocolateshirt said:
    Your VPS compromised?

    Not sure, but I found several trojans on my Windows PC. And I only use public key authentication to log in.

    @poisson said:
    I think the provider has a duty to prevent others on the node from being compromised. Letbox doesn't have poor reviews except for maybe less than competent English. If you don't know how it happened, I think it is more probable that you don't really know how to secure your server.

    Using centminmod (no panel) and the default firewall option from centminmod.

    Honestly, this information is not very inspiring in terms of how you have been managing your server...

  • blade88 said: but found several trojan on my windows PC

    Your VPS and workstation are compromised. Format both.

  • uptime Member
    edited March 2019

    Also ... (to my way of seeing this)

    it is your potatoe that is at odds with your buffaloe.

    You must strive to embiggen the pootassiums for both.

    EDIT2:

    but yeah, if you don't know what's going on on your boxen to explain that network activitah ...

    ... kill -9 'em all and let Root sort it out.

  • @vmp32k said:

    blade88 said: but found several trojan on my windows PC

    Your VPS and workstation are compromised. Format both.

    Well, it is a short term solution but unlikely to be a long term one because it appears to me there are deeper underlying issues in terms of technical knowledge of security practices. I mean I haven't had any malware issue for over a decade on Windows, and it is actually quite easy to avoid trojans and stuff if you make it a habit not to click or tap something that doesn't look obviously legitimate.

  • Yes, support says my VPS is compromised.

    Thanks.

  • Ask them to secure it for you

  • Sometimes ssh keys can be a weakness, like exporting inferior potassium.

  • uptime Member
    edited March 2019

    @cybertech said:
    Ask them to secure it for you

    I dunno ... do they claim to have "uncompromising support" ...?

    If so then yes certainly fair to ask them to "uncompromise" it for you, LOL ...

    Otherwise, maybe not so much.

    EDIT2:

    (Unless your LetBox was sold as a "managed" or even "semi-managed" service. Otherwise it would be @key900 doing you a favor to go beyond the call of duty. This time. But probably will be wasted effort on his part if you don't study better security practice.)

  • @uptime said:

    @cybertech said:
    Ask them to secure it for you

    I dunno ... do they claim to have "uncompromising support" ...?

    If so then yes certainly fair to ask them to "uncompromise" it for you, LOL ...

    Otherwise, maybe not so much.

    EDIT2:

    (Unless your LetBox was sold as a "managed" or even "semi-managed" service. Otherwise it would be @key900 doing you a favor to go beyond the call of duty. This time. But probably will be wasted effort on his part if you don't study better security practice.)

    It's unmanaged, but Letbox support is great and is helping with this case.

    I still think, from what the firewall log shows, the attack is not from my IP, like:

    firewall blocked udp in from SRC=144.172.68.130 to DST=144.172.68.255
    firewall blocked udp in from SRC=144.172.68.126 to DST=144.172.68.255

    And here is the reply from their support about the above IPs:

    This is the problem: your VPS is scanning different clients' IPs

    144.172.68.126
    144.172.68.130

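Two kinds of log entry come up in this thread: the kernel's "martian source" lines uptime asked about, and the "udp in from SRC=... to DST=x.x.x.255" lines blade88 quoted. The script below is an added example for reading both; it is not code from the thread, from Letbox, or from any firewall product, and the log lines inside it are constructed for illustration (the two broadcast lines copy the format quoted above, the rest are netfilter-style LOG lines and one kernel martian line). The /24 prefix and the fan-out threshold are assumptions; the host address is the one in the opening post. The point it makes: an inbound line whose destination is the subnet broadcast address records what a neighbour sent, not what this host sent, and a martian is a packet the kernel rejected on arrival because its source is not reachable back through that interface. Only outbound lines sourced from the host's own address can show it scanning, and only if the host fans out across many distinct host:port pairs, which is the pattern a provider's abuse system reports. A caveat a responder would add: logs on a guest that is believed compromised cannot be trusted to be complete, so the provider's capture from outside the VM is the view that settles the question.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_interface

# The host's own address is the one given in the opening post; the /24 prefix
# is an assumption (the post does not give a netmask).
MY_IPS = {ip_address("144.172.68.146")}
MY_NET = ip_interface("144.172.68.146/24").network   # broadcast is 144.172.68.255

# Constructed sample log, NOT the thread's screenshots.  It mixes the summary
# style the poster quoted ("udp in from SRC=... to DST=..."), raw netfilter
# LOG lines (a non-empty IN= means the packet arrived, a non-empty OUT= means
# this host sent it) and one kernel "martian source" line.
SAMPLE_LOG = """\
firewall blocked udp in from SRC=144.172.68.130 to DST=144.172.68.255
firewall blocked udp in from SRC=144.172.68.126 to DST=144.172.68.255
kernel: IN= OUT=eth0 SRC=144.172.68.146 DST=144.172.68.126 PROTO=TCP DPT=22
kernel: IN= OUT=eth0 SRC=144.172.68.146 DST=144.172.68.126 PROTO=TCP DPT=80
kernel: IN= OUT=eth0 SRC=144.172.68.146 DST=144.172.68.130 PROTO=TCP DPT=22
kernel: IN= OUT=eth0 SRC=144.172.68.146 DST=144.172.68.130 PROTO=TCP DPT=3389
kernel: IN= OUT=eth0 SRC=144.172.68.146 DST=144.172.68.131 PROTO=TCP DPT=445
kernel: IN= OUT=eth0 SRC=144.172.68.146 DST=144.172.68.132 PROTO=TCP DPT=445
kernel: IN=eth0 OUT= SRC=144.172.68.146 DST=144.172.68.140 PROTO=UDP DPT=53
kernel: IPv4: martian source 144.172.68.146 from 10.0.0.7, on dev eth0
"""

ADDR = r"[0-9a-fA-F.:]+"
FW_RE = re.compile(rf"SRC=(?P<src>{ADDR})\s+(?:to\s+)?DST=(?P<dst>{ADDR})")
DPT_RE = re.compile(r"\bDPT=(?P<dpt>\d+)")
DIR_RE = re.compile(r"\b(?:tcp|udp|icmp)\s+(?P<dir>in|out)\b", re.IGNORECASE)
# The kernel prints the DESTINATION first: "martian source <daddr> from <saddr>, on dev <if>".
MARTIAN_RE = re.compile(rf"martian source (?P<dst>{ADDR}) from (?P<src>{ADDR}), on dev (?P<dev>\S+)")


def direction(line):
    """Return 'in', 'out' or None for a firewall line."""
    m = DIR_RE.search(line)
    if m:
        return m.group("dir").lower()
    if re.search(r"\bIN=\S+", line):
        return "in"
    if re.search(r"\bOUT=\S+", line):
        return "out"
    return None


def classify(line):
    """Map one log line to (kind, src, dst, dpt); None if it is not a packet log."""
    m = MARTIAN_RE.search(line)
    if m:
        # Reverse-path check failed: the source is not reachable via the
        # interface the packet came in on.  Inbound, spoofed or misaddressed;
        # it is not something this host transmitted.
        return ("martian", m.group("src"), m.group("dst"), None)
    m = FW_RE.search(line)
    if not m:
        return None
    src, dst = ip_address(m.group("src")), ip_address(m.group("dst"))
    d = DPT_RE.search(line)
    dpt = int(d.group("dpt")) if d else None
    dirn = direction(line)
    if src in MY_IPS and dirn == "out":
        kind = "outbound_from_host"       # the only kind that can show this host scanning
    elif src in MY_IPS and dirn == "in":
        kind = "spoofed_own_address"      # our own address arriving from the wire
    elif dst == MY_NET.broadcast_address and dirn == "in":
        kind = "inbound_broadcast"        # neighbour chatter to .255; says nothing about what we sent
    else:
        kind = "inbound_other" if dirn == "in" else "unclassified"
    return (kind, str(src), str(dst), dpt)


def scan_fanout(records, min_targets=4):
    """Distinct (dst, port) pairs per source over outbound records.

    One source touching many distinct host:port pairs is the pattern an
    abuse system reports as a port scan.  min_targets is an assumed threshold.
    """
    targets = defaultdict(set)
    for kind, src, dst, dpt in records:
        if kind == "outbound_from_host":
            targets[src].add((dst, dpt))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def analyse(text):
    """Summarise a log: how many lines of each kind, and which sources fan out."""
    records = [r for r in (classify(l) for l in text.splitlines()) if r]
    return {"counts": dict(Counter(r[0] for r in records)),
            "scanners": scan_fanout(records)}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line), "<-", line)
    print(analyse(SAMPLE_LOG))
```

Run against the constructed sample, the two broadcast lines come out as `inbound_broadcast`, the martian line as `martian` with source 10.0.0.7, and the host's own address is reported as a scanner only because the constructed outbound lines fan out across six distinct host:port pairs. Feed it a real guest log (`journalctl -k` or `/var/log/messages` on a host whose firewall logs the OUTPUT chain) and the `scanners` map is empty unless the host itself generated such traffic.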
  • Good on them for helping.

  • eol Member

    @blade88 said:
    ... not sure, but found several trojan on my windows PC.

    I am not surprised.
    Windows is a trojan itself.

  • @eol said:

    @blade88 said:
    ... not sure, but found several trojan on my windows PC.

    I am not surprised.
    Windows is a trojan itself.

    It even wipes the MBR

  • @blade88 said:

    144.172.68.126
    144.172.68.130

    Interesting that they are assigned to Fran

  • eol Member

    @dahartigan said:

    @eol said:

    @blade88 said:
    ... not sure, but found several trojan on my windows PC.

    I am not surprised.
    Windows is a trojan itself.

    It even wipes the MBR

    I see nothing wrong in wiping the MasterBate Record.

  • @eol said:

    @dahartigan said:

    @eol said:

    @blade88 said:
    ... not sure, but found several trojan on my windows PC.

    I am not surprised.
    Windows is a trojan itself.

    It even wipes the MBR

    I see nothing wrong in wiping the MasterBate Record.

    I do, it helps me remember what I've already knocked one out to

  • letbox Member, Patron Provider
    edited March 2019

    @uptime said:

    @cybertech said:
    Ask them to secure it for you

    I dunno ... do they claim to have "uncompromising support" ...?

    If so then yes certainly fair to ask them to "uncompromise" it for you, LOL ...

    Otherwise, maybe not so much.

    EDIT2:

    (Unless your LetBox was sold as a "managed" or even "semi-managed" service. Otherwise it would be @key900 doing you a favor to go beyond the call of duty. This time. But probably will be wasted effort on his part if you don't study better security practice.)

    We always do our best to help as we can even though we are unmanaged. The client's issue has been fixed; hopefully it doesn't get cracked again.

  • letbox Member, Patron Provider

    @AlwaysSkint said:

    @blade88 said:

    144.172.68.126
    144.172.68.130

    Interesting that they are assigned to Fran

    Don't get confused; we have our own prefix too.

  • Janevski Member
    edited March 2019

    @blade88 It appears that you are a hakor and you should stop haxoring peoples.

    Either that or some of them free hakors done haxored your box and now utilizes it to hak tex worlds.

    Anyhow, it's your responsibility to secure your machine.
    Reinstall from scratch and don't screw up on security this time.

    PS: This too.

  • While your provider shouldn’t have to “uncompromise” it for you, a good one would be happy to wipe it and reinstate your access. That is assuming this doesn’t become a recurring problem.

  • @key900 said:

    We always do our best to help as we can even though we are unmanaged. The client's issue has been fixed; hopefully it doesn't get cracked again.

    Wow. I am going with Letbox for my next VPS when I need one. Incredible service (and they actually own their data centers so that's a great bonus). Plus they have good speeds to Asia from my testing of their looking glass (LA if I don't remember wrongly).

  • AlwaysSkint Member
    edited March 2019

    @poisson I've used Letbox @key900 for almost a year. Excellent value and good Support. So much so, I changed to another package from them last month (an upgrade, for my needs.)

  • Xei Member
    edited March 2019

    @key900 said:

    @uptime said:

    @cybertech said:
    Ask them to secure it for you

    I dunno ... do they claim to have "uncompromising support" ...?

    If so then yes certainly fair to ask them to "uncompromise" it for you, LOL ...

    Otherwise, maybe not so much.

    EDIT2:

    (Unless your LetBox was sold as a "managed" or even "semi-managed" service. Otherwise it would be @key900 doing you a favor to go beyond the call of duty. This time. But probably will be wasted effort on his part if you don't study better security practice.)

    We always do our best to help as we can even though we are unmanaged. The client's issue has been fixed; hopefully it doesn't get cracked again.

    How often do VPSes get compromised? Is it ever due to the configuration of the base OS template / image? Do providers have time to investigate or do they just destroy the VM?

  • eol Member

    If your VPS gets compromised it's usually your own fault.
