
My webserver got blocked by my provider recently for the reason that it was performing an attack on another server. The email contained the following log:

08:26:39.219940 68:05:ca:07:02:01 > 78:fe:3d:46:e8:a5, ethertype IPv4 (0x0800), length 1057: 5.9.97.70.46156 > 180.97.163.74.80: UDP, length 1015
08:26:39.221584 68:05:ca:07:02:01 > 78:fe:3d:46:e8:a5, ethertype IPv4 (0x0800), length 1061: 5.9.97.70.55018 > 180.97.163.74.80: UDP, length 1019
08:26:39.221669 68:05:ca:07:02:01 > 78:fe:3d:46:e8:a5, ethertype IPv4 (0x0800), length 1053: 5.9.97.70.36559 > 180.97.163.74.80: UDP, length 1011

...

I have no idea what could have produced that, and apparently nobody managed to enter the system. If I understand it correctly, it is outgoing traffic.

Does that log imply that the server was deliberately attacking another server, or could the behavior have any other explanation? I spent days figuring out what the problem could be, so I would really appreciate it if someone who has experienced a similar situation could share their insights with me.

The firewall should have been active.

kasperd
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Federico Sierra Jul 18 '15 at 22:27

1 Answer


Your question omitted information about where this packet capture was performed. However, judging from the source MAC being registered to Intel Corporate (starting with 68:05:CA) and the destination MAC being registered to Juniper Networks (starting with 78:FE:3D), it sounds like this was captured on the link from your server to the first router.

If that's the case, it rules out the possibility that you were simply being blamed for packets being spoofed by somebody elsewhere on the internet.

UDP packets being sent to UDP port 80 don't sound like an attack, though. I am not aware of any widely deployed service listening on UDP port 80. Attacks are usually targeted at widely deployed services.

However, that does make the packets sound suspicious, because it seems unlikely that the destination for those packets is a legitimate service. Also, since your server is hosted in Germany, it seems unlikely that your user base would be in China, which makes those packets seem even more suspicious.

What those packets are is a matter of guessing, but it is possible your server has become part of a botnet, and 180.97.163.74 could be the control node. This is, of course, pure speculation. I would expect the full email to contain additional information explaining why they consider this traffic to be a problem.

kasperd
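The reasoning in the answer (MAC vendor prefixes locate the capture point; outbound UDP to port 80 from changing high source ports with ~1 KB payloads looks like a flood rather than a client talking to a service) can be turned into a small triage script. The following is an added example, not code from the question, the answer or the hosting provider. It parses `tcpdump -e -n` style lines like the ones quoted above, aggregates the packets the server itself emitted, and applies the answer's heuristics. The three-line OUI table, the `server_ip` parameter and the rate and payload thresholds in `assess()` are assumptions made for this example; the sample log is the question's three packets, rejoined onto single lines.

```python
"""Triage of a tcpdump excerpt of the kind quoted in the question (added example)."""
import re
from collections import Counter

# Constructed input: the three packets quoted in the question, each on one line.
# The "..." in the post means the real log continued; only these three are used here.
SAMPLE_LOG = """\
08:26:39.219940 68:05:ca:07:02:01 > 78:fe:3d:46:e8:a5, ethertype IPv4 (0x0800), length 1057: 5.9.97.70.46156 > 180.97.163.74.80: UDP, length 1015
08:26:39.221584 68:05:ca:07:02:01 > 78:fe:3d:46:e8:a5, ethertype IPv4 (0x0800), length 1061: 5.9.97.70.55018 > 180.97.163.74.80: UDP, length 1019
08:26:39.221669 68:05:ca:07:02:01 > 78:fe:3d:46:e8:a5, ethertype IPv4 (0x0800), length 1053: 5.9.97.70.36559 > 180.97.163.74.80: UDP, length 1011
"""

# Assumed mini OUI table holding only the two prefixes the answer names;
# a real tool would consult the IEEE OUI registry instead.
OUI = {"68:05:ca": "Intel Corporate", "78:fe:3d": "Juniper Networks"}

# Layout of a tcpdump -e -n line for an IPv4/UDP datagram (TCP lines carry
# "Flags [...]" and deliberately do not match; they are skipped).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype IPv4 \(0x0800\), length (?P<flen>\d+): "
    r"(?P<sip>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) > "
    r"(?P<dip>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+): "
    r"(?P<proto>UDP), length (?P<plen>\d+)$"
)


def ts_to_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for one UDP line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    for k in ("flen", "sport", "dport", "plen"):
        p[k] = int(p[k])
    p["t"] = ts_to_seconds(p["ts"])
    return p


def parse_log(text):
    return [p for p in map(parse_line, text.splitlines()) if p]


def vendor(mac):
    """Vendor name for the 24-bit OUI prefix of a MAC, or 'unknown'."""
    return OUI.get(mac[:8].lower(), "unknown")


def summarize(packets, server_ip):
    """Aggregate only the packets the server itself sent (source IP == server_ip)."""
    out = [p for p in packets if p["sip"] == server_ip]
    if not out:
        return None
    times = [p["t"] for p in out]
    duration = max(times) - min(times)
    return {
        "count": len(out),
        "src_vendor": vendor(out[0]["smac"]),   # the server's own NIC
        "dst_vendor": vendor(out[0]["dmac"]),   # the next hop the frame was handed to
        "flows": Counter((p["sip"], p["dip"], p["dport"], p["proto"]) for p in out),
        "distinct_src_ports": len({p["sport"] for p in out}),
        "mean_payload": sum(p["plen"] for p in out) / len(out),
        "duration_s": duration,
        "pps": len(out) / duration if duration > 0 else float("inf"),
    }


def assess(s, min_pps=100, min_payload=512):
    """Apply the answer's heuristics; the thresholds are assumptions for this example."""
    (sip, dip, dport, proto), _ = s["flows"].most_common(1)[0]
    f = {
        # Server NIC vendor -> router vendor means the frames were captured on the
        # first hop, so spoofing by a third party elsewhere is not an explanation.
        "captured_on_first_hop": s["src_vendor"] != "unknown" and s["dst_vendor"] != "unknown",
        "single_target": len(s["flows"]) == 1,
        # No widely deployed service listens on UDP/80, so this is not client traffic.
        "udp_to_port_80": proto == "UDP" and dport == 80,
        # A client keeps one source port per conversation; a flood tool picks a fresh one per packet.
        "randomized_src_ports": s["distinct_src_ports"] == s["count"],
        "large_payload": s["mean_payload"] >= min_payload,
        # Caveat: three packets spanning ~1.7 ms is thin evidence; use the full capture.
        "high_rate": s["pps"] >= min_pps,
    }
    f["looks_like_outbound_udp_flood"] = all(
        f[k] for k in ("single_target", "udp_to_port_80", "randomized_src_ports", "large_payload", "high_rate")
    )
    return f


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG), server_ip="5.9.97.70")
    for key, value in summary.items():
        print(f"{key:20} {value}")
    for key, value in assess(summary).items():
        print(f"{key:30} {value}")
```

On the live host the complementary check is to find which process owns the sending sockets, since only the process name tells you whether this is a misconfigured application or planted malware: `ss -unap` lists UDP sockets with their owning PID, and because flood tools often open a socket per packet, an `iptables -A OUTPUT -p udp --dport 80 -j LOG --log-uid` rule records the UID of each sender even when the socket is gone by the time you look.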