
I have a dedicated server for my personal projects on Hetzner, and today was the second time I got an email from them informing me that they detected a port scan coming from the server (the first time was in January). At the time I read the email and logged in to the server, it looked perfectly OK, without any weird activity going on. I did some rootkit detection scans, but with no luck.

What are my next steps here? Should I just ignore it, do a clean system install, or something else?

Adrian Serafin
  • Let me guess, you have web apps running there? A web server without any WAF (mod_security or similar)? I'd say someone hacked into one or more websites hosted on the system and used that user access to start attacks against other systems. For starters I'd scan `DocumentRoot` directories with `maldet` and see where that leads... – Hrvoje Špoljar Mar 03 '16 at 09:25
  • Nuke it from orbit and rebuild from known good backups. It's the only way to be sure. – user9517 Mar 03 '16 at 15:23
  • Port scans are common on public-facing servers. I would suggest first analysing the auth.log and checking whether any unauthorized attempt was successful or not, and looking for any other possible signs of compromise. Secondly, harden your server by allowing only those ports which are required. Read the link which is mentioned by Iain. – user2632528 Mar 03 '16 at 18:26

1 Answer

Definitely don't ignore it!

Reinstall it immediately, if that's an option, or make completely sure you fix the problem.

Reinstalling is definitely the safer choice!

If reinstalling is an option, consider (depending on disk space etc.) whether you can keep your data on a separate partition and just reset the system. Later, don't(!) just restart your services, but make sure they aren't compromised.

If that's not an option, try to fix it properly! Try to figure out if there are any processes running which you don't intend to run, check the logs, and maybe you can get more details from the Hetzner admins about what to look for.

BeerSerc