
My hosting provider (ovh) recently blocked my VPS due to some attack on the server. When I restored it to normal mode, I can see that something is indeed happening: access to the server is limited, ping results are slow and I frequently cannot reach the server, and when I try any service (ftp, ssh, http...), it is difficult to access it. It therefore seems like a DDoS, but it is probably not exactly a DDoS attack - my provider's staff told me that something must be installed on the server.

I'm not an administrator, but I need to do something... what should I do in such a case?

This is what I got from the provider:

Attack detail : 7Kpps/56Mbps
dateTime                srcIp:srcPort               dstIp:dstPort       protocol    flags   packets bytes       reason 
2020.01.29 14:14:57 CET {IP of the server}:25611    23.252.163.175:80   TCP         SYN     16384   15138816    ATTACK:TCP_SYN 
  • This may help: https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server – Conor Mancone Jan 29 '20 at 13:18
  • Otherwise, I don't think you'll be able to get more specific answers here. The list of options is endless. There are simply too many possibilities, and not enough details. If you aren't sure how to deal with this yourself then you are likely going to have to pay someone to fix it for you. – Conor Mancone Jan 29 '20 at 13:19
  • I believe they blocked your server due to attacks *from* the server. I would back it up and nuke it. From orbit. – ThoriumBR Jan 29 '20 at 13:31
  • Ok, so that's a lot of traffic going from your system out to a single IP. Something on your machine is sending out that traffic from port 25611. Run commands to see if it is still sending out traffic from that port and work out what it is – schroeder Jan 29 '20 at 21:57
