FS#465 — FS#4451 — blockage 85.114.129.0/24

Attached to Project: Network
Modernization
Whole Network
CLOSED
100%
For two days, several IPs in 85.114.129.0/24 have been trying to exploit
a security vulnerability in phpMyAdmin and then use our customers'
servers to scan networks.

www-data 6968 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6969 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6971 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6972 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6973 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6974 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6976 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6979 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6981 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7002 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7003 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7004 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7005 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2

mail:~# lsof -n | grep 7933
dd_ssh 7933 www-data cwd DIR 8,1 4096 1207701 /var/www/phpmyadmin
dd_ssh 7933 www-data rtd DIR 8,1 4096 2 /
dd_ssh 7933 www-data txt REG 8,1 1280240 261155 /tmp/dd_ssh
dd_ssh 7933 www-data mem REG 8,1 42504 1583062 /lib/i686/cmov/libnss_files-2.7.so
dd_ssh 7933 www-data mem REG 8,1 38444 1583065 /lib/i686/cmov/libnss_nis-2.7.so
dd_ssh 7933 www-data mem REG 8,1 125536 1583073 /lib/i686/cmov/ld-2.7.so
dd_ssh 7933 www-data mem REG 8,1 1413540 1583067 /lib/i686/cmov/libc-2.7.so
dd_ssh 7933 www-data mem REG 8,1 87800 1583044 /lib/i686/cmov/libnsl-2.7.so
dd_ssh 7933 www-data mem REG 8,1 30436 1583070 /lib/i686/cmov/libnss_compat-2.7.so
dd_ssh 7933 www-data 0r CHR 1,3 212 /dev/null
dd_ssh 7933 www-data 1w CHR 1,3 212 /dev/null
dd_ssh 7933 www-data 2w CHR 1,3 212 /dev/null
dd_ssh 7933 www-data 3u IPv4 328188 UDP 91.121.194.138:35796->85.114.129.49:54510
dd_ssh 7933 www-data 4u IPv4 687706 TCP 91.121.194.138:39248->212.220.41.126:ssh (ESTABLISHED)

We blocked the /24.
Date:  Monday, 30 August 2010, 23:27
Reason for closing:  Done
Comment by OVH - Monday, 30 August 2010, 23:07
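The ps and lsof output above shows the pattern to hunt for on every host that exposes phpMyAdmin: a binary executed from /tmp under the web server account, with its working directory still inside the exploited application's document root, holding a UDP socket back to the attacker address given on its command line and outbound TCP sessions to port 22 on third-party hosts. The triage script below is an added example, not OVH's tooling or anything from the ticket. It parses `ps aux` and `lsof -n` lines, flags processes showing those indicators, and derives the /24 to block from an attacker address. The ps and lsof sample rows are copied from the ticket; the header row and the apache2 rows are constructed for contrast. The user names, scratch directories and document-root prefixes are assumptions for a typical Debian install.

```python
"""Triage helper for dropped scanners such as the /tmp/dd_ssh case (added example)."""
import ipaddress
from collections import defaultdict

# Assumed accounts a web application runs as (Debian/RHEL defaults).
WEB_USERS = {"www-data", "apache", "httpd", "nginx", "nobody"}
# World-writable directories a web process can drop a binary into.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed document roots; a dropped process keeps the exploited app's dir as cwd.
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/phpmyadmin/")


def parse_ps(line):
    """Split one `ps aux` row into (user, pid, command); None for header/blank rows."""
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[10]


def flag_ps(lines):
    """Return {pid: (user, command)} for web-user processes executing from a scratch dir."""
    hits = {}
    for line in lines:
        rec = parse_ps(line)
        if rec is None:
            continue
        user, pid, cmd = rec
        if user in WEB_USERS and cmd.split()[0].startswith(SCRATCH_DIRS):
            hits[pid] = (user, cmd)
    return hits


def parse_lsof(line):
    """Parse one `lsof -n` row (file, device or socket) into a dict; None if unparsable."""
    tok = line.split()
    if len(tok) < 6 or not tok[1].isdigit():
        return None
    rec = {"cmd": tok[0], "pid": int(tok[1]), "user": tok[2], "fd": tok[3], "type": tok[4]}
    if not tok[4].startswith("IPv"):
        rec["name"] = tok[-1]            # paths in this output carry no spaces
        return rec
    proto = "TCP" if "TCP" in tok else "UDP" if "UDP" in tok else None
    if proto is None or tok.index(proto) + 1 >= len(tok):
        return None
    rec["proto"] = proto
    name = tok[tok.index(proto) + 1]     # e.g. 91.121.194.138:39248->212.220.41.126:ssh
    if "->" in name:
        remote = name.split("->", 1)[1]
        rec["remote"], _, rec["rport"] = remote.rpartition(":")  # rpartition keeps IPv6 intact
    rec["state"] = tok[-1].strip("()") if tok[-1].startswith("(") else ""
    return rec


def triage_lsof(lines):
    """Aggregate lsof rows per pid and return {pid: [reasons]} for suspicious processes."""
    per_pid = defaultdict(lambda: {"user": None, "txt": None, "cwd": None, "ssh": [], "udp": []})
    for line in lines:
        rec = parse_lsof(line)
        if rec is None:
            continue
        p = per_pid[rec["pid"]]
        p["user"] = rec["user"]
        if rec["fd"] == "txt":
            p["txt"] = rec["name"]
        elif rec["fd"] == "cwd":
            p["cwd"] = rec["name"]
        elif rec.get("proto") == "TCP" and rec.get("rport") in ("ssh", "22"):
            p["ssh"].append(rec["remote"])   # outbound SSH: scanning/brute-forcing victims
        elif rec.get("proto") == "UDP" and "remote" in rec:
            p["udp"].append(rec["remote"])   # in the ticket this is the argv address, i.e. report-back
    findings = {}
    for pid, p in per_pid.items():
        reasons = []
        if p["txt"] and p["txt"].startswith(SCRATCH_DIRS):
            reasons.append("binary in scratch dir: " + p["txt"])
        if p["user"] in WEB_USERS and p["cwd"] and p["cwd"].startswith(WEB_ROOTS):
            reasons.append("web-user process with cwd in web root: " + p["cwd"])
        if p["ssh"]:
            reasons.append("outbound ssh to " + ", ".join(p["ssh"]))
        if p["udp"]:
            reasons.append("udp peer " + ", ".join(p["udp"]))
        if reasons:
            findings[pid] = reasons
    return findings


def block_network(ip, prefix=24):
    """Return the covering /prefix for an attacker IP, e.g. the /24 OVH blocked."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data  4321  0.0  1.2  23840  6400 ?        S    10:20   0:00 /usr/sbin/apache2 -k start
www-data 6968 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6969 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7005 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
""".splitlines()

LSOF_SAMPLE = """\
dd_ssh 7933 www-data cwd DIR 8,1 4096 1207701 /var/www/phpmyadmin
dd_ssh 7933 www-data txt REG 8,1 1280240 261155 /tmp/dd_ssh
dd_ssh 7933 www-data 0r CHR 1,3 212 /dev/null
dd_ssh 7933 www-data 3u IPv4 328188 UDP 91.121.194.138:35796->85.114.129.49:54510
dd_ssh 7933 www-data 4u IPv4 687706 TCP 91.121.194.138:39248->212.220.41.126:ssh (ESTABLISHED)
apache2 4321 www-data txt REG 8,1 446856 98765 /usr/sbin/apache2
apache2 4321 www-data 4u IPv4 12345 TCP *:www (LISTEN)
""".splitlines()

if __name__ == "__main__":
    for pid, (user, cmd) in sorted(flag_ps(PS_SAMPLE).items()):
        print(f"ps   pid {pid} ({user}): {cmd}")
    for pid, reasons in triage_lsof(LSOF_SAMPLE).items():
        print(f"lsof pid {pid}: " + "; ".join(reasons))
    print("block", block_network("85.114.129.49"))
```

Running it against the real output of `ps aux` and `lsof -n -u www-data` on a host that exposes phpMyAdmin gives a quick yes/no before putting the server into rescue mode; the cwd check is what ties the process back to the exploited application, and the outbound-SSH check is what distinguishes a dropped scanner from a legitimate helper left in /tmp.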

About 200 servers have been put into rescue mode since 4:00 am this morning,
following the scan detection.