
I have recently started renting a server from Hetzner.

I get continuous emails telling me that my server is performing scans on other servers:

"Your server with the above-mentioned IP address has performed scans on other servers on the Internet.

This has placed a considerable strain on network resources and, as a result, a segment of our network has been adversely affected"

I have run clamscan and rhkit, nothing is found or detected even with updates.

Do you have any advice on how I can solve this issue? Is there a way of installing a firewall?

Nmap shows:

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  Elite
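The triage a defender would run on a host like the one in the question, as an added example that is not part of the original post: list which process owns any listening port outside the expected set (22 and 80 from the nmap output) and count how many distinct hosts the machine is half-open connecting to on one destination port, which is what a provider's "scanning" complaint looks like from the inside. The `ss` output parsed here is constructed sample data and the process name in it is made up.

```shell
#!/bin/sh
# Added example (not from the original post). Triage helpers for a server that
# its provider reports as port-scanning. Real use on the box:
#   ss -Hltnp | flag_unexpected_listeners
#   ss -Htn   | count_scan_targets 20

# Ports the asker expects to be listening (sshd and the web server).
EXPECTED_PORTS="22 80"

# Constructed sample of `ss -Hltnp` output; "srvd" on 31337 is an invented name.
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1044,fd=6))
LISTEN 0 128 0.0.0.0:31337 0.0.0.0:* users:(("srvd",pid=2391,fd=4))'

# Constructed sample of `ss -Htn` output: many SYN-SENT sockets from one local
# address to the same destination port on different hosts is the scan signature.
SAMPLE_CONN='SYN-SENT 0 1 203.0.113.10:41020 198.51.100.7:22
SYN-SENT 0 1 203.0.113.10:41021 198.51.100.8:22
SYN-SENT 0 1 203.0.113.10:41022 198.51.100.9:22
ESTAB 0 0 203.0.113.10:80 192.0.2.55:51234
SYN-SENT 0 1 203.0.113.10:41023 198.51.100.10:22'

# Reads `ss -Hltnp` lines on stdin; prints "port pid process" for every
# listening socket whose local port is not in EXPECTED_PORTS.
flag_unexpected_listeners() {
    while read -r state recvq sendq laddr peer users; do
        port=${laddr##*:}
        case " $EXPECTED_PORTS " in
            *" $port "*) continue ;;   # known service, skip
        esac
        proc=${users#*\"}; proc=${proc%%\"*}   # name inside users:(("name",...
        pid=${users#*pid=};  pid=${pid%%,*}    # pid=NNNN, field
        printf '%s %s %s\n' "$port" "$pid" "$proc"
    done
}

# Reads `ss -Htn` lines on stdin; for half-open (SYN-SENT) outbound sockets,
# counts distinct peer hosts per destination port and prints "port count" for
# ports that reach the threshold (default 3; use a higher value on a busy host).
count_scan_targets() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        $1 == "SYN-SENT" {
            n = split($5, a, ":"); port = a[n]
            host = substr($5, 1, length($5) - length(port) - 1)
            key = port SUBSEP host
            if (!(key in seen)) { seen[key] = 1; cnt[port]++ }
        }
        END { for (p in cnt) if (cnt[p] >= t) print p, cnt[p] }'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LISTEN" | flag_unexpected_listeners
printf '%s\n' "$SAMPLE_CONN" | count_scan_targets 3
```

A listener owned by a process you did not install, plus dozens of distinct hosts hit on one port, is enough evidence to stop investigating the live box and move to the rebuild the answers recommend; copy the `ss` output off the machine first if you want a record of what was found.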

2 Answers

1

Are you running something on port 31337? That looks suspicious.

If your machine is subverted enough to be performing outgoing port scans that you are not initiating, adding a local firewall is not going to help you.

Your best bet is to replace the server entirely. Once a machine is compromised it is nearly impossible to return it to a safe state with any sort of confidence. Make sure when you do so that you've locked down remote access and patched everything.

You might also look at the security guidelines for your OS at https://www.cisecurity.org/cis-benchmarks/ to help secure it.

Jason Martin
  • 5,193
0

I concur with @Jason here (but my comment was too long to post as a comment).

It sounds like you have Back Orifice (or at least a modern equivalent of it) installed. This is a remote control program, probably installed as a Trojan, used to control processes on your server from somewhere else.

It's likely that it is installed on your machine, along with a rootkit to ensure that you can't (easily) remove it, leaving your server completely compromised. That means that just trying to block it with a firewall would be futile; it would probably bypass the firewall anyway.

You should completely reinstall the server (if it's a VM, I would suggest that it be completely deleted and a new one provisioned, just in case it has installed a BIOS rootkit or something similar); it'll be less effort (and probably cheaper) than to try to remove any rootkits properly. When you do get it back, put the firewall up and block everything inbound other than your SSH port (if you're not sure how to do this, ask your hosting company to do it for you initially, then read up about it), apply all patches and then install your applications and data, configuring your firewall only to allow access to your application (which sounds like it's only the web server).

I would also make sure that your web server, application and database are fully patched; it is possible that your machine was compromised via the web application. I would also see about backing up your server so if your server is compromised again, you can restore from a Known Good Backup. (Of course, you'll have to test the backups so that you know they will restore when you need them!)

Pak
  • 919
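The inbound firewall policy the second answer describes for the rebuilt server (drop everything inbound except SSH and the web server, applied before the application is installed), as an added example that is not the answer's own code: it generates an nftables ruleset as text, so it can be reviewed and syntax-checked before it is loaded. Port 22 and 80 are the defaults from the question; any other values are parameters.

```shell
#!/bin/sh
# Added example (not from the original answer). Generates a default-deny
# inbound nftables ruleset for a freshly rebuilt host. Loading it needs root
# and the nft binary; generating and checking it does not.

# build_ruleset SSH_PORT "WEB_PORTS" -> ruleset text on stdout
# WEB_PORTS is an nft set body, e.g. "80" or "80, 443".
build_ruleset() {
    ssh_port=${1:-22}
    web_ports=${2:-80}
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport $ssh_port ct state new limit rate 10/minute accept
        tcp dport { $web_ports } accept
        limit rate 5/minute log prefix "input-drop: "
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset SSH_PORT "WEB_PORTS": syntax-check with nft -c, then load.
# Keep an SSH session open while you do this; a typo in the SSH port locks you out.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$1" "$2" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the ruleset by default; only load it when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset "${2:-22}" "${3:-80}"
else
    build_ruleset "${2:-22}" "${3:-80}"
fi
```

The SSH rule rate-limits new connections rather than blocking them, the logged drops give you something to read after the next abuse report, and the output chain is left open because the answer's advice is about inbound exposure; tightening outbound traffic is a separate decision once you know what the application needs to reach.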