server usato per attacchi

[valeria75]

Ciao a tutti,

è già il secondo contatto che ricevuto per un attacco che sembra essere
partito dal mio server, qualche animo gentile potrebbe dirmi cosa verificare
sul server...o eventualmente come intervenire??

è già il secondo contatto in 2 settimane (da due provider diversi) quindi
non credo proprio sia un caso

vi allego la mail ricevuta


To whom it may concern;

The remote system XXX.XXX.XXX.XXX was logged attacking our host
69.93.196.213,
this is an automated warning based on admin contacts from the arin.net
whois
database. Please do not ignore this message!

XXX.XXX.XXX.XXX was found to have exceeded acceptable inbound packet
flow,
we have as such banned the remote host from our network. However to
remove the
stress from our carrier providers network, we require your assistance to

further investigate this issue and see that it does not occure again.

Enclosed below are log portions detailing the attack on our host, all
time
stamps are GMT -0400.

Event logs:
Sep 21 13:16:52 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.164.32 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=9609 DF PROTO=TCP
SPT=1994 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:16:52 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.164.33 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=9610 DF PROTO=TCP
SPT=1995 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:16:52 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.164.34 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=9611 DF PROTO=TCP
SPT=2002 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:16:52 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.164.35 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=9612 DF PROTO=TCP
SPT=2003 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:16:52 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.164.36 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=9613 DF PROTO=TCP
SPT=2004 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:16:55 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.164.39 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=12178 DF PROTO=TCP
SPT=2007 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:16:55 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.164.37 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=12182 DF PROTO=TCP
SPT=2005 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:17:13 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.196.212 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=28390 DF
PROTO=TCP SPT=4791 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:17:13 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.196.213 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=28391 DF
PROTO=TCP SPT=4792 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:17:13 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.196.221 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=28399 DF
PROTO=TCP SPT=4800 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:17:16 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.196.212 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=30912 DF
PROTO=TCP SPT=4791 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:17:16 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.196.221 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=30933 DF
PROTO=TCP SPT=4800 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)
Sep 21 13:17:16 host301 kernel: ** IN_TCP DROP ** IN=eth1 OUT=
MAC=00:30:48:29:d4:11:00:d0:02:76:c8:00:08:00 SRC=XXX.XXX.XXX.XXX
DST=69.93.196.213 LEN=48 TOS=0x04 PREC=0x00 TTL=120 ID=30937 DF
PROTO=TCP SPT=4792 DPT=2100 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
(020405B401010402)

[LUCASS]

Ciao da quel poco che ho capitato,il messaggio ti è stato mandato in automatico( this is an automated warning based on admin contacts from the arin.net whois database)e non da qualche gestore,dice che hai superato il numero massimo di "pacchetti" in arrivo e ti hanno bannato l'host remoto della loro rete,per risolvere il problema li devi contatare(tu sai il mittente)per indagare sull'accaduto,in allegato ti mette tutti i dettagli dell'attacco sul loro host subito a quell'ora (GMT -0400)non so che ora sia dato che da quello che so non esiste quell'orario,sarà una bufala?questo non lo so ciao ciao

[valeria75]

Grazie per i suggerimenti

ma a scanso di equivoci... cosa posso controllare sul server per verificare eventuali anomalie?? esiste qualche tool/software per analizzare problemi o buchi?


grazie