
I own a small VPS hosted by Hetzner on which I run a small Minecraft game server. The VPS is running Ubuntu, and the only software I installed is the Java JRE and the software required to run a Minecraft game server (plus additional plugins).

I ran a tcpdump over night and here is the result: https://drive.google.com/open?id=15hYd2QzREAW_d8KodLyVhUVleu1OxCYz

Could anyone help me read it?

Is it regular?

On the first of July I received a mail from abuse@hetzner.com (my host) stating that Columbia University had sent them an automated notice regarding unwanted traffic coming from my IP address.

Here is the original Columbia University message: https://pastebin.com/3kMy98kw

But it also said:

It is possible that this alert is the result of a reflection attack against your network with a spoofed origin matching Columbia University's network. Details are provided below. Please take all necessary steps to mitigate such attacks, or ignore this notice if this traffic is spoofed.

So could that be just a random occurrence? Or is my server hacked?

  • (1) If you are running no software that normally does this kind of activity, then yes, your server has been compromised. Also note: Hobby (minecraft) servers are [off-topic](http://serverfault.com/help/on-topic) here. – Sven Jul 06 '19 at 10:50
  • @Sven I could not find a more appropriate forum. However, could you help me read that dump? Is the traffic going or coming on port 445? Is there a way to find out which process is causing it? – Leonardo Fiori Jul 06 '19 at 12:49
  • Destroy this host, rebuild it with a clean, updated, firewalled operating system, and restore backups. If you need to know the specifics of what happened in your environment, hire a security consultant. – John Mahowald Jul 06 '19 at 15:30
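As an added example (not part of the question or any comment), a small parser for `tcpdump -n` text lines that answers the direction question raised in the comments: it separates packets the VPS sends to port 445 from packets it receives on that port, counts distinct peers, and flags a pattern of outbound SYNs to many hosts, which is what the abuse notice describes. The host address and the capture lines are constructed placeholders, not the real dump.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (documentation addresses, not the real capture).
HOST_IP = "203.0.113.10"  # placeholder for the VPS's own public address
SAMPLE_DUMP = """\
22:14:01.100000 IP 203.0.113.10.51234 > 198.51.100.7.445: Flags [S], seq 1, win 29200, length 0
22:14:01.100500 IP 203.0.113.10.51235 > 198.51.100.8.445: Flags [S], seq 1, win 29200, length 0
22:14:01.101000 IP 203.0.113.10.51236 > 198.51.100.9.445: Flags [S], seq 1, win 29200, length 0
22:14:01.101500 IP 203.0.113.10.51237 > 198.51.100.10.445: Flags [S], seq 1, win 29200, length 0
22:14:02.000000 IP 192.0.2.55.40001 > 203.0.113.10.445: Flags [S], seq 9, win 1024, length 0
22:14:03.000000 IP 192.0.2.77.53022 > 203.0.113.10.25565: Flags [P.], seq 1:20, ack 1, win 501, length 19
"""

# Matches the "timestamp IP src.sport > dst.dport: Flags [..]" prefix tcpdump prints for TCP.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def summarize_port(dump_text, host_ip, port=445, scan_threshold=3):
    """Classify TCP lines touching `port` as outbound (sent by host) or inbound
    (received by host) and return counts, distinct peers and a verdict string."""
    counts = Counter()
    out_targets, in_sources = set(), set()
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or non-matching line
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        pure_syn = m["flags"] == "S"  # connection attempt, not a reply
        if src == host_ip and dport == port:
            counts["outbound"] += 1
            if pure_syn:
                out_targets.add(dst)
        elif dst == host_ip and dport == port:
            counts["inbound"] += 1
            if pure_syn:
                in_sources.add(src)
    if len(out_targets) >= scan_threshold:
        verdict = "outbound-scan"  # a process on this host is probing many peers
    elif counts["inbound"]:
        verdict = "inbound-only"  # others are probing this host; host sends nothing
    else:
        verdict = "none"
    return {"outbound": counts["outbound"], "inbound": counts["inbound"],
            "outbound_targets": len(out_targets), "inbound_sources": len(in_sources),
            "verdict": verdict}
```

When the verdict is `outbound-scan`, the socket owner can be found on the host itself with `sudo ss -tnp`, which lists the process behind each TCP connection; a `tcpdump` file saved with `-w` must first be rendered to text with `tcpdump -n -r file.pcap` before feeding it to this parser.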
