Abuse problem

salem
March 12th, 2017, 21:04
Hello and thanks to the experts and dear friends. We have a Linux VPS and an abuse report arrives every day; if we don't resolve it, the VPS will be cut off. What should I do to fix the problem?


Details:
An IP address () under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses.

It is likely that this host is one of the following, from the responses that others have sent us:

- A compromised DVR, such as a "Hikvision" brand device (ref: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/)
- A compromised router, such as one made by China Telecom which still allows a default admin username and password; one by Netis, with its built-in internet-accessible backdoor (http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/); or one running an old AirOS version with its exposed administrative interface
- A compromised Xerox-branded device
- Some other compromised standalone device
- A compromised webhost, such as one running a vulnerable version of WordPress, phpMyAdmin, or zPanel
- A compromised client, such as one running a vulnerable web browser susceptible to a Java exploit
- A server with an insecure password that was brute-forced, such as through SSH or RDP

The actual attack consisted of packets with specific distinguishing characteristics. This is example traffic from the IP address, as put out by the "tcpdump" utility and captured by our router during the attack.

Date/timestamps (at the very left) are UTC.

2017-03-07 16:34:46.975091 IP (tos 0x28, ttl 50, id 64017, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa11 4000 3211 34dd 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
2017-03-07 16:34:46.975105 IP (tos 0x28, ttl 50, id 64019, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa13 4000 3211 34db 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
2017-03-07 16:34:46.975140 IP (tos 0x28, ttl 50, id 64019, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa13 4000 3211 34db 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
2017-03-07 16:34:46.975146 IP (tos 0x28, ttl 50, id 64019, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa13 4000 3211 34db 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
2017-03-07 16:34:46.975726 IP (tos 0x28, ttl 50, id 64020, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa14 4000 3211 34da 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
2017-03-07 16:34:46.975728 IP (tos 0x28, ttl 50, id 64020, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa14 4000 3211 34da 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
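Added example (not part of the original post or of the abuse report): a small Python script that decodes the tcpdump -X lines quoted in the report above and pulls out the traits a defender would check before answering the complaint. The sample text is the first three packets copied from the report; the function names (split_packets, decode_packet, dns_header_is_plausible, flood_indicators) are my own. It deliberately does not decode the addresses or the ASCII payload, since the report redacts them.

```python
import re
import struct
from datetime import datetime

# Constructed sample: the first three packets of the tcpdump -X output in the
# abuse report above, copied as they appear there (addresses partly redacted).
SAMPLE = """\
2017-03-07 16:34:46.975091 IP (tos 0x28, ttl 50, id 64017, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa11 4000 3211 34dd 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
2017-03-07 16:34:46.975105 IP (tos 0x28, ttl 50, id 64019, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa13 4000 3211 34db 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
2017-03-07 16:34:46.975140 IP (tos 0x28, ttl 50, id 64019, offset 0, flags [DF], proto UDP (17), length 44)
.59704 > 74.91.113.x.53: 19535 updateA [b2&3=0x4c44] [19288a] [18755q] [17478n] [21827au][|domain]
0x0000: 4528 002c fa13 4000 3211 34db 5266 0b77 E(.,..@.2.4.Rf.w
0x0010: 4a5b 7172 e938 0035 0018 9b3e 4c4f 4c44 J[qr.8.5...>LOLD
0x0020: 4943 4b58 4446 5543 4b59 4f55 ICKXD****YOU
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP ")
HEX_RE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+(.*)")


def split_packets(text):
    """Group tcpdump -X output into (timestamp, raw bytes) per packet."""
    packets, ts, raw = [], None, bytearray()
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            if ts is not None:
                packets.append((ts, bytes(raw)))
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            raw = bytearray()
            continue
        h = HEX_RE.match(line)
        if h:
            groups = []
            for tok in h.group(1).split():
                # stop at the ASCII column; tcpdump prints at most 8 hex groups per line
                if len(groups) == 8 or not re.fullmatch(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}", tok):
                    break
                groups.append(tok)
            raw.extend(bytes.fromhex("".join(groups)))
    if ts is not None:
        packets.append((ts, bytes(raw)))
    return packets


def decode_packet(raw):
    """Decode the IPv4, UDP and DNS header fields of one packet.
    IP addresses are deliberately not returned, as the report redacts them."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, total_len, ident, ff, ttl, proto, _ = struct.unpack("!BBHHHBBH", raw[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"tos": tos, "total_len": total_len, "id": ident, "df": bool(ff & 0x4000),
           "frag_offset": ff & 0x1FFF, "ttl": ttl, "proto": proto}
    if proto != 17 or len(raw) < ihl + 8:
        return pkt
    sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + udp_len]
    pkt.update(sport=sport, dport=dport, udp_len=udp_len, payload_len=len(payload))
    if 53 in (sport, dport) and len(payload) >= 12:
        dns_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
        pkt.update(dns_id=dns_id, dns_opcode=(flags >> 11) & 0xF,
                   qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return pkt


def dns_header_is_plausible(pkt):
    """A question needs at least 5 bytes (1-byte root name + type + class) and a
    resource record at least 11; a header whose counts cannot fit in the payload
    is not DNS at all, whatever port 53 suggests."""
    if "qdcount" not in pkt:
        return False
    body = pkt["payload_len"] - 12
    needed = pkt["qdcount"] * 5 + (pkt["ancount"] + pkt["nscount"] + pkt["arcount"]) * 11
    return body >= needed


def flood_indicators(packets):
    """Traits that separate a packet generator from a real resolver client:
    repeated IP ids, byte-identical UDP payloads, a sub-millisecond burst and
    DNS headers that are really just text bytes."""
    decoded = [decode_packet(raw) for _, raw in packets]
    ids = [p["id"] for p in decoded]
    payloads = {raw[(raw[0] & 0x0F) * 4 + 8:] for _, raw in packets}
    span = (packets[-1][0] - packets[0][0]).total_seconds()
    return {"packets": len(packets),
            "duplicate_ip_ids": len(ids) - len(set(ids)),
            "distinct_payloads": len(payloads),
            "span_seconds": span,
            "bogus_dns_headers": sum(not dns_header_is_plausible(p) for p in decoded)}


if __name__ == "__main__":
    pk = split_packets(SAMPLE)
    print(decode_packet(pk[0][1]))
    print(flood_indicators(pk))
```

Run on the report's own dump, the decoded header matches what tcpdump printed (length 44, TTL 50, UDP 59704 to 53, DNS id 19535 with 18755 questions and tens of thousands of records claimed in a 16-byte payload), three packets share one payload and two share an IP id, all inside 50 microseconds: the host is sending, not answering, and the "DNS" is nothing of the sort. The same functions can be pointed at a tcpdump -X capture taken on the VPS itself to confirm the traffic is leaving the box.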

nimafire
March 16th, 2017, 23:44
Hello
Dear friend, Afagh Hosting has been working professionally in Linux server administration since 2007.

Resolving problems that have arisen
Installing control panels
Installing virtualization platforms
Optimizing and fixing operating-system issues
Providing professional technical and security solutions for server management
Updating software and services
Configuring the mail server
Installing various web services and fine-tuning them: Apache, Nginx, ...
and more ...

We have put together a variety of packages for serving you; you can see the full list at the link below

http://clients.afaghhosting.net/cart.php?gid=18

Mr.Pouria
March 16th, 2017, 23:50

You asked in the service-request section; nobody helps in this section.

It is better to open a topic in the Q&A section.

arc1o0
March 18th, 2017, 14:58
Hello

Your server has been hacked and is being used to launch attacks; it has joined an attack botnet. Finding the backdoor and fixing the problem is not that simple.

My suggestion is to back up your data and completely reinstall and set up the server from scratch; it will cost you less time, energy and money.
