

Discussion Starter #1 (Registered · 579 Posts)
Hello All,

So I had a very odd event happen today, and I am not sure if it is a result of me just being ridiculous and freaking out, or if my server was legitimately hacked.

This involves the server in my sig that I built about three years ago. Now I have not used this server or logged into it for about 6 months. In fact, the last time I tried to log into it, it was not giving me the POST beeps, so I thought I might have killed it folding.

Furthermore, I have lately been realizing that my wifi has been crashing regularly. I figured it might just be due to my old D-Link DIR-655, but I figured I would look into it.

Below is how the events unfolded:
  • Logged into my router and noticed there was a ton of failed TCP requests. Now I know bots can do this over the web, so I am not sure if it is just a result of that. However, this piqued my interest. I remembered that I might have left port forwarding open from my college days to my server. Sure enough, port 4000 was open directly to my server.
  • Now I have not logged into this server in some time, nor have I even looked at it. It just sits in my closet with power and internet. I thought it was dead and not on. Well, I walked over to the closet, and sure enough it was on, which was very odd because I am pretty sure I turned it off before. Nonetheless, I turned it off and then on to see if it would POST. Oddly, it did POST.
  • While it was booting up I decided to hook up my keyboard and my gaming mouse. When I got to the password screen I was having real difficulty trying to get in. It had been several months, so I couldn't remember what it was. I tried what I thought was the right password several times. Finally it worked.
This is when it gets weird:
  1. The first thing that popped up was Splashtop, which was odd because I do not remember installing Splashtop on this server. I became immediately suspicious. I tried opening up the program to see if it was my user ID or not, but it was not responding.
  2. Then my mouse was very unresponsive and it felt like I was fighting it. Now this is where I could be being paranoid. I could swear someone was trying to get onto the desktop to right-click on the garbage bin and making movements I was not. I let go of the mouse and immediately started pulling ethernet cords out; while I was doing this the server then restarted. I quickly unplugged everything from the ethernet and tried plugging in my regular mouse. This seemed to work better. I looked around a little bit, but it seemed to be very slow and unresponsive.
  3. It is now sitting in my closet, on, but disconnected from the internet.
Some additional facts:
  • The server was connected to my network via both IPMI and normally. I do not know if there is a password on the IPMI.
  • The Minecraft VM that was in Hyper-V was running. I am pretty sure I had this turned off. I believe this was the VM that it was forwarding to.
  • I am pretty sure any software on that computer has not been updated since 2013.
So tell me, am I being paranoid?

Below are the logs from my router:

Code:
[INFO]       Mon Mar 21 13:38:11 2016        Stored configuration to non-volatile memory
[INFO]  Mon Mar 21 13:38:10 2016        guest: Unlock AP setup
[INFO]  Mon Mar 21 13:38:10 2016        primary: Unlock AP setup
[INFO]  Mon Mar 21 12:50:37 2016        Log viewed by IP address 192.168.0.195
[INFO]  Mon Mar 21 12:50:34 2016        Allowed configuration authentication by IP address 192.168.0.195
[INFO]  Mon Mar 21 12:50:18 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:17 2016        Above message repeated 1 times
[INFO]  Mon Mar 21 12:50:17 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:16 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:16 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:15 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:15 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:14 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:14 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:13 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:13 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:12 2016        Above message repeated 1 times
[INFO]  Mon Mar 21 12:49:34 2016        Blocked incoming UDP packet from 97.104.21.142:53411 to 73.35.196.104:46873
[INFO]  Mon Mar 21 12:45:36 2016        Blocked incoming ICMP error message (ICMP type 3) from 37.241.54.231 to 73.35.196.104 as there is no UDP session active between 73.35.196.104:21680 and 37.241.54.231:53
[INFO]  Mon Mar 21 12:45:02 2016        Blocked incoming UDP packet from 80.141.222.6:6889 to 73.35.196.104:46873
[INFO]  Mon Mar 21 12:43:46 2016        Blocked incoming TCP connection request from 58.140.211.10:27170 to 73.35.196.104:23
[INFO]  Mon Mar 21 12:43:39 2016        Blocked incoming TCP connection request from 58.140.211.10:45610 to 73.35.196.104:23
[INFO]  Mon Mar 21 12:43:36 2016        Above message repeated 1 times
[INFO]  Mon Mar 21 12:39:01 2016        Blocked incoming UDP packet from 217.121.141.24:20901 to 73.35.196.104:46873
[INFO]  Mon Mar 21 12:37:20 2016        Blocked incoming UDP packet from 174.65.17.12:16985 to 73.35.196.104:32807
[INFO]  Mon Mar 21 12:36:34 2016        Above message repeated 5 times
[INFO]  Mon Mar 21 12:36:10 2016        Blocked incoming TCP connection request from 51.255.2.226:51920 to 73.35.196.104:46873
[INFO]  Mon Mar 21 12:35:55 2016        Above message repeated 4 times
[INFO]  Mon Mar 21 12:35:04 2016        Blocked incoming TCP connection request from 93.174.93.94:58696 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:34:54 2016        Blocked incoming UDP packet from 188.2.243.72:12087 to 73.35.196.104:46873
[INFO]  Mon Mar 21 12:32:41 2016        Blocked incoming UDP packet from 97.104.21.142:53411 to 73.35.196.104:46873
[INFO]  Mon Mar 21 12:32:03 2016        Administrator logout
[INFO]  Mon Mar 21 12:29:08 2016        Blocked incoming TCP packet from 198.50.253.141:80 to 73.35.196.104:40480 as RST received but there is no active connection
[INFO]  Mon Mar 21 12:26:49 2016        Allowed configuration authentication by IP address 192.168.0.195
[INFO]  Mon Mar 21 12:24:56 2016        Blocked incoming TCP connection request from 42.62.49.167:47867 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:22:11 2016        Blocked incoming ICMP error message (ICMP type 3) from 88.83.32.99 to 73.35.196.104 as there is no UDP session active between 73.35.196.104:21680 and 94.198.67.49:53
[INFO]  Mon Mar 21 12:21:48 2016        Blocked incoming TCP connection request from 180.97.106.161:43650 to 73.35.196.104:1723
[INFO]  Mon Mar 21 12:19:22 2016        Blocked incoming TCP packet from 17.110.228.207:443 to 73.35.196.104:61979 as RST:ACK received but there is no active connection
[INFO]  Mon Mar 21 12:18:56 2016        Blocked incoming UDP packet from 217.121.141.24:20901 to 73.35.196.104:46873

Registered · 2,228 Posts
If you only had port 4000 forwarded, and nothing was listening on that port on the server, it's probably paranoia. You will always see "junk" in logs, as it happens all the time.

Premium Member · 5,821 Posts
Code:
[INFO]  Mon Mar 21 12:50:17 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:16 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:16 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:15 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:15 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:14 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:14 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:50:13 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:13 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
This part is just some random host out there (probably a bot) trying to see if you have a web server running at your IP address. Port 80 is for HTTP unsecured/unencrypted traffic like OCN, while 443 is for HTTPS traffic.

Everything looks fine from these logs. I think you're okay.
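The by-eye triage the replies above are doing can be scripted. What follows is an added example, not code from anyone in this thread: it parses the blocked-inbound lines from the D-Link log in the first post (a subset of those lines is embedded), folds the router's "Above message repeated N times" notes into the counts, groups the probes by source and by target port, and reports the caveat that actually matters for the original question: a log of *blocked* traffic cannot show what reached the forwarded port 4000, because forwarded traffic is never logged as blocked. The service-name table is an assumption, and the log ordering (newest entry first, so a repeat note applies to the line printed above it) is inferred from the posted log.

```python
import re
from collections import Counter

# A subset of the D-Link router log posted above (newest entry first, as the
# router prints it). The "Above message repeated N times" lines refer to the
# entry printed directly above them in this ordering (an assumption).
SAMPLE_LOG = """\
[INFO]  Mon Mar 21 12:50:18 2016        Blocked incoming TCP connection request from 142.4.206.228:52736 to 73.35.196.104:443
[INFO]  Mon Mar 21 12:50:17 2016        Above message repeated 1 times
[INFO]  Mon Mar 21 12:50:17 2016        Blocked incoming TCP connection request from 142.4.206.228:52730 to 73.35.196.104:80
[INFO]  Mon Mar 21 12:49:34 2016        Blocked incoming UDP packet from 97.104.21.142:53411 to 73.35.196.104:46873
[INFO]  Mon Mar 21 12:43:46 2016        Blocked incoming TCP connection request from 58.140.211.10:27170 to 73.35.196.104:23
[INFO]  Mon Mar 21 12:43:39 2016        Blocked incoming TCP connection request from 58.140.211.10:45610 to 73.35.196.104:23
[INFO]  Mon Mar 21 12:43:36 2016        Above message repeated 1 times
[INFO]  Mon Mar 21 12:21:48 2016        Blocked incoming TCP connection request from 180.97.106.161:43650 to 73.35.196.104:1723
[INFO]  Mon Mar 21 12:19:22 2016        Blocked incoming TCP packet from 17.110.228.207:443 to 73.35.196.104:61979 as RST:ACK received but there is no active connection
"""

# Only the two shapes that represent unsolicited inbound traffic: a blocked TCP
# connection request (a SYN the router dropped) and a blocked UDP packet. Stray
# RST/ICMP lines carry an "as ..." suffix and deliberately do not match.
BLOCKED_RE = re.compile(
    r"^\[INFO\]\s+(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"Blocked incoming (?P<proto>TCP|UDP) (?:connection request|packet) from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
REPEAT_RE = re.compile(r"Above message repeated (?P<n>\d+) times")

# Well-known TCP ports that internet scanners hammer (assumed table); anything
# else is reported by number only.
SERVICE_NAMES = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
                 1723: "pptp", 3389: "rdp"}


def parse_blocked(log_text):
    """Return one dict per blocked inbound TCP/UDP entry, folding repeat notes
    into the count of the entry printed just above them."""
    events = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"), "proto": m.group("proto"),
                "src": m.group("src"), "dport": int(m.group("dport")),
                "count": 1,
            })
            continue
        r = REPEAT_RE.search(line)
        if r and events:
            events[-1]["count"] += int(r.group("n"))
    return events


def label_port(proto, port):
    """Human label for a probed port, e.g. 'telnet (tcp/23)' or 'udp/46873'."""
    base = f"{proto.lower()}/{port}"
    name = SERVICE_NAMES.get(port) if proto == "TCP" else None
    return f"{name} ({base})" if name else base


def triage(events, forwarded_ports):
    """Aggregate blocked probes per source and per target port, and pull out
    any that hit a port the router is supposed to be forwarding."""
    per_source, per_port, forwarded_hits = Counter(), Counter(), []
    for e in events:
        per_source[e["src"]] += e["count"]
        per_port[(e["proto"], e["dport"])] += e["count"]
        if e["dport"] in forwarded_ports:
            forwarded_hits.append(e)
    return {"per_source": per_source, "per_port": per_port,
            "forwarded_hits": forwarded_hits}


def report(summary):
    """Render the triage as lines of text (returned, not printed, so the
    result can be checked or piped elsewhere)."""
    lines = ["Blocked probes by target port:"]
    for (proto, port), n in summary["per_port"].most_common():
        lines.append(f"  {label_port(proto, port):>20}  {n}")
    lines.append("Blocked probes by source:")
    for src, n in summary["per_source"].most_common():
        lines.append(f"  {src:>20}  {n}")
    if summary["forwarded_hits"]:
        lines.append("Forwarded ports seen as BLOCKED (the forward rule was not active then):")
        for e in summary["forwarded_hits"]:
            lines.append(f"  {e['ts']}  {e['src']} -> {label_port(e['proto'], e['dport'])}")
    else:
        lines.append("No blocked entries for the forwarded ports. This log only records "
                     "what the router dropped; traffic that was forwarded to the "
                     "server never appears here, so it says nothing about the "
                     "forwarded port either way.")
    return lines


if __name__ == "__main__":
    # Port 4000 is the forward mentioned in the first post.
    print("\n".join(report(triage(parse_blocked(SAMPLE_LOG), {4000}))))
```

Run it against the full log pasted into a file and the per-port table shows the usual background noise (telnet, http/https, pptp, and the UDP high port the router has seen repeatedly). The one line that matters for "was I hacked" is the last one: the router log cannot answer it, so the evidence has to come from the server itself (Hyper-V event logs, the VM's own logs, and whatever was listening on 4000).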

Registered · 67 Posts
If it's on the internet then it's being scanned.

Might be worth checking if Wake-on-LAN has been enabled on the server. Could explain it turning on.