Author Topic: Outgoing attacks to randomIPs "After clean cwp insallation"  (Read 3133 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
Outgoing attacks to randomIPs "After clean cwp insallation"
« on: December 09, 2022, 08:36:56 AM »
1  week ago I do clean installation centos7 with centos web panel but I dont transfer my website and i dont start using this vps...

Vps created and builded with centos7 from Hetzner panel / new vps server with new ip (not blacklisted) maybe not used from long time ago.

- A few hours later i receive abuse warning mail from Hetzner and i see "17 TB traffic outgoing" used by my vps.
 (i never see up 100gb/per month in my life... and this vps not host website.)


- I check server logs, php files, nothing wrong and no one enter my vps via ssh/ftp or cwppanel.

 I do malware scan, clamav scan, rkhunter scan, chrootkit scan nothing found, no virus/exploit detected.

I format and rebuild my vps again but iftop screen same as old, i create new ip different vps and do same installation, same attacks happen again my fresh build vps attacking random ips.

When i power-on attacks start again
hetzner panel:
ssh iftop:

a few hours later
hetzner panel: (breaks=vps stopped)
ssh iftop:

When i create firewall rule from Hetzner panel (incoming 80 8080 53 (deny all other ports)) attacks stop


I think my vps has exploit or virus and i dont do anything but installing cwp...


Could i be missing something, do you have any advice that can help me with this?

 Thank you.

Offline
*
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #1 on: December 09, 2022, 12:20:46 PM »
rebuild and clean installation (again, after i post my first message) iftop iftop -n
« Last Edit: December 09, 2022, 12:22:42 PM by hugaagogo »

Offline
*
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #2 on: December 16, 2022, 08:51:47 PM »
Wow this is interesting!! I will have a look at mine!
https://lorentedford.com games and you should too! @ https://Ltcraft.net

Offline
***
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #3 on: December 17, 2022, 04:44:43 AM »
normal...


what you should worries?
just turn on firewall


but if you want to prevent that
dont be go online
dont use ip4 that already used before by other people
block all incoming request and only allow some




Offline
*
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #4 on: December 17, 2022, 04:58:13 AM »
Attacks are extremely common. The moment your server goes online you can expect to start receiving limitless non-stop attacks. Configure your firewall properly and make sure to keep your software up-to-date and you should be fine. Don't forget to use strong passwords.

Offline
*****
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #5 on: December 19, 2022, 08:28:51 PM »
If this is outgoing traffic, you didn't secure the server.

One of the first things you have to do, is change the SSH port.

Then as soon as CWP starts, turn on cfg/lfd, make sure your static IP is whitelisted to your control client, and then disable all the ports you don't need. (SSH, 2030,2031, etc.)

Complete building the server form there, including mail, etc.

If it still happens, you have a hacker in one of your hosting accounts.
Turn them all off, and turn on 1 by one to narrow it down easily

Offline
***
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #6 on: December 20, 2022, 12:57:19 AM »
Like Starburst says, the first ever thing you do after you login to your SSH for the first time is change SSH port and secure it.
Then, my second step (for my scenario) is to secure the entire server immediately by blocking every INPUT port except my IP.

Then I install CWP.

After CWP is installed. CWP will have wiped everything I did with the server's firewall, so now I have to go into CWP and apply my blocking rules there.


BTW, since you have access to iftables, you can enable it to show which port is being used which will help you get one step closer to this.
and based on that first graph you have included, it seems like a script is getting executed and then the outgoing traffic starts
« Last Edit: December 20, 2022, 01:02:55 AM by iraqiboy90 »

Offline
*
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #7 on: December 21, 2022, 06:41:44 PM »
1  week ago I do clean installation centos7 with centos web panel but I dont transfer my website and i dont start using this vps...

Vps created and builded with centos7 from Hetzner panel / new vps server with new ip (not blacklisted) maybe not used from long time ago.

- A few hours later i receive abuse warning mail from Hetzner and i see "17 TB traffic outgoing" used by my vps.
 (i never see up 100gb/per month in my life... and this vps not host website.)


- I check server logs, php files, nothing wrong and no one enter my vps via ssh/ftp or cwppanel.

 I do malware scan, clamav scan, rkhunter scan, chrootkit scan nothing found, no virus/exploit detected.

I format and rebuild my vps again but iftop screen same as old, i create new ip different vps and do same installation, same attacks happen again my fresh build vps attacking random ips.

When i power-on attacks start again
hetzner panel:
ssh iftop:

a few hours later
hetzner panel: (breaks=vps stopped)
ssh iftop:

When i create firewall rule from Hetzner panel (incoming 80 8080 53 (deny all other ports)) attacks stop


I think my vps has exploit or virus and i dont do anything but installing cwp...


Could i be missing something, do you have any advice that can help me with this?

 Thank you.
I have the same problem. Anybody who know about the solution please share exact answer here.

Offline
*
Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« Reply #8 on: December 22, 2022, 07:53:36 PM »
just close all ports but 80 443 mail ssh cwp vb... from firewall (hosting company firewall)