Vesta Control Panel - Forum

Dear LLC Sirius


I am a IT security manager of the NACF(National Agricultural Cooperative Federation).
I've received a report of unauthorized access from your site as shown below.
　
============================== Timezone of the Log is (GMT+9) ==============================
- Firewall Activity Log
　
TIMESTAMP SRC_IP DEST_IP DEST_PORT PROTOCOL
2014-01-14 18:39 мой ip 61.37.x.1 80 TCP
2014-01-14 18:39 мой ip 61.37.x.2 80 TCP
2014-01-14 18:39 мой ip 61.37.x.3 80 TCP
...
2014-01-14 18:39 мой ip 61.37.x.253 80 TCP
2014-01-14 18:39 мой ip 61.37.x.254 80 TCP
2014-01-14 18:39 мой ip 61.37.x.255 80 TCP
============================================================================================
　
Unfortunately, I may block this source IP address depending on degree of risk in order to defend the illegal access or attack.
I am seriously considering those unauthorized activities regardless of whether it was intentional or not.
Those activities and the possibility of additional illegal attempts can be great threat for our services.
I demand that you take appropriate steps to prevent a recurrence, and give me a feedback about the results of the investigation.
If you are not the correct person to be dealing with this incident, please forward this mail to the appropriate person.
　
Best Regards.
******************************

Please note that generating multiple abuse complaints in a short period of time may lead to your account being suspended.

We have detected abuse from the IP address ---------------------. See below for how we obtained your email address in case it is wrong. We would appreciate if you would investigate and take action as appropriate.

** THIS IP ADDRESS IS NULL ROUTED on our entire network, including peering and transit, for a period of time not exceeding 24 hours from the date and time of this email. YOU ARE NOT REQUIRED to reply to this email unless you need more information.

You can see more information on this incident by reviewing the data at http://darknet.superb.net/ip/-------------------- and log lines are given below. Please ask if you require any further information.

You may contact us at [email protected]

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by an automated process.)

The recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information they provide derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email ([email protected]). Information about the Abuse Contact Database can be found here:
http://abusix.com/global-reporting/abuse-contact-db

abusix.com is neither responsible nor liable for the content or accuracy of this message.

Note: Local timezone is -0500 (EST)
/var/log/messages:Jan 13 06:44:03 darknet.superb.net Darknet: -------------------------- exceeded connection attempt threshold to tcp:2086 140 times in a 30 minute period
******************************

Please note that generating multiple abuse complaints in a short period of time may lead to your account being suspended.

nabbe wrote:Если ничего не делали фактически на сервере, проще пересоздать новый droplet с новой вестой, предварительно сменив пароль на ssh, после установки сразу настройте iptables или fail2ban