
I have recently started renting a server from Hetzner.

I get continuous emails telling me that my server is performing scans on other servers:

"Your server with the above-mentioned IP address has performed scans on other servers on the Internet.

This has placed a considerable strain on network resources and, as a result, a segment of our network has been adversely affected"

I have run clamscan and rhkit, nothing is found or detected even with updates.

Do you have any advice on how I can solve this issue? Is there a way of installing a firewall?

Nmap shows:

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  Elite
  • Did you check logs for logins that you didn't initiate? Sounds like a bot is logging in and running scans, or someone is manually doing it. Is it a shared server? Do you have programs like nmap installed? – Patrick May 26 '17 at 14:48
  • Hi Patrick, it is just me that uses the server, it's not shared. Yes, nmap shows PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 31337/tcp open Elite – Alex Trevylan May 26 '17 at 15:00
  • nmap is a program that can be used to initiate port scans. If you don't need it on your server, I would remove it using the built-in package manager. After that, double-check your logs, if you see suspicious activity, you may want to consider the server compromised. – Patrick May 26 '17 at 15:02

2 Answers

1

Are you running something on port 31337? That looks suspicious.

If your machine is subverted enough to be performing outgoing port scans that you are not initiating, adding a local firewall is not going to help you.

Your best bet is to replace the server entirely. Once a machine is compromised it is nearly impossible to return it to a safe state with any sort of confidence. Make sure when you do so that you've locked down remote access and patched everything.

You might also look at the security guidelines for your OS at https://www.cisecurity.org/cis-benchmarks/ to help secure it.

Jason Martin
  • Thanks Jason. I rent my server from Hetzner, and the issue is that I would need to pay installation costs for a new server....is this usual? – Alex Trevylan May 26 '17 at 16:33
  • Do you know how I could block that port? I am not running anything on 31337... – Alex Trevylan May 26 '17 at 16:45
  • @AlexTrevylan I would contact your server provider's support line. Tell them that you suspect that your server is compromised. Hard to imagine, from a marketing perspective, they would want to charge you to fix a security problem on their network. – Jesse Adelman May 26 '17 at 17:45
  • @AlexTrevylan Just to put a fine point on this: https://www.speedguide.net/port.php?port=31337 I'm confident that your server is compromised. You cannot reliably fix an OS that has been compromised from within that OS. (You can't trust the OS to do anything once compromised, including clean itself!) Complete replacement is warranted, and better security approaches need to be employed. – Jesse Adelman May 26 '17 at 17:50
  • You don't need a new server, you just need to reinstall it (from scratch). Hetzner should offer an interface in their customer menu to do this. Beware: Make sure you have a backup of your important data before doing this and don't just restore this backup, else you might reintroduce the backdoor again. – Sven May 26 '17 at 18:14
  • @sven My point was there's no way to reliably fix the server from within the server -- everything it tells you may be a lie. An outside system has to turf it and start over. I'm not familiar with Hetzner but it could be via a new server or a 'reformat' of the existing one. – Jason Martin May 28 '17 at 18:13
0

I concur with @Jason here (but my comment was too long to post as a comment).

It sounds like you have Back Orifice (or at least a modern equivalent of it) installed. This is a remote control program, probably installed as a Trojan, used to control processes on your server from somewhere else.

It's likely that it is installed on your machine, along with a rootkit to ensure that you can't (easily) remove it, leaving your server completely compromised. That means that just trying to block it with a firewall would be futile; it would probably bypass the firewall anyway.

You should completely reinstall the server (if it's a VM, I would suggest that it be completely deleted and a new one provisioned, just in case it has installed a BIOS rootkit or something similar); it'll be less effort (and probably cheaper) than to try to remove any rootkits properly. When you do get it back, put the firewall up and block everything inbound other than your SSH port (if you're not sure how to do this, ask your hosting company to do it for you initially, then read up about it), apply all patches and then install your applications and data, configuring your firewall only to allow access to your application (which sounds like it's only the web server).

I would also make sure that your web server, application and database are fully patched; it is possible that your machine was compromised via the web application. I would also see about backing up your server so if your server is compromised again, you can restore from a Known Good Backup. (Of course, you'll have to test the backups so that you know they will restore when you need them!)

Pak
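A ruleset for the post-reinstall lockdown this answer describes ("block everything inbound other than your SSH port", then open only the web application), as an added example that is not from the original post: it generates an nftables ruleset with a default-drop input chain. The SSH port, the web ports and the optional admin source address are assumed placeholders, and the host is assumed to have nftables installed.

```shell
#!/bin/sh
# Added example, not from the original answers. Generates an nftables ruleset
# that drops all inbound traffic except SSH and the web application ports.
SSH_PORT="${SSH_PORT:-22}"        # assumed: your SSH port
WEB_PORTS="${WEB_PORTS:-80, 443}" # assumed: the only application ports exposed
ADMIN_IP="${ADMIN_IP:-}"          # optional: restrict SSH to this source address

gen_ruleset() {
  # Restrict SSH to one source address only if the caller asked for it;
  # otherwise SSH is reachable from anywhere (as in the answer above).
  if [ -n "$ADMIN_IP" ]; then
    ssh_rule="tcp dport $SSH_PORT ip saddr $ADMIN_IP ct state new accept"
  else
    ssh_rule="tcp dport $SSH_PORT ct state new accept"
  fi
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    iif lo accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    $ssh_rule
    tcp dport { $WEB_PORTS } ct state new accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Write the ruleset to a file so it can be reviewed and syntax-checked with
# `nft -c -f FILE` before loading it with `nft -f FILE`.
write_ruleset() {
  out="${1:-/tmp/firewall.nft}"
  gen_ruleset > "$out"
  printf '%s\n' "$out"
}
```

Persist the reviewed file as /etc/nftables.conf and enable the nftables service so the rules survive a reboot; test SSH from a second session before closing the one you loaded it from.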