Created
May 23, 2016 07:16
Hello,

After resetting the password, you will log in through the console to investigate further.

Due to the outbound flood attacks from the droplet, the result of a compromise, we cannot allow it back online.

We have seen this lots of times before; your droplet is compromised. It is sending out flood attacks that are in line with that.

We do not see any other alerts from the other droplets in this cluster. Only this one is generating FLOOD ALERTS, as we showed you before, directly from our switches!

With some packet analysis, this is what your droplet is sending:
Internet Protocol Version 4, Src: 159.203.164.193 (159.203.164.193), Dst: 114.114.114.114 (114.114.114.114)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 62
    Identification: 0x2374 (9076)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0xeec9 [correct]
        [Good: True]
        [Bad: False]
    Source: 159.203.164.193 (159.203.164.193)
    Destination: 114.114.114.114 (114.114.114.114)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 48440 (48440), Dst Port: 53 (53)
    Source port: 48440 (48440)
    Destination port: 53 (53)
    Length: 42
    Checksum: 0x29ad [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Domain Name System (query)
    Transaction ID: 0x9a73
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        soloco.f3322.net: type A, class IN
            Name: soloco.f3322.net
            Type: A (Host address)
            Class: IN (0x0001)

0000 00 00 5e 00 01 ca 04 01 bb cd 24 01 08 00 45 00 ..^.......$...E.
0010 00 3e 23 74 40 00 3f 11 ee c9 9f cb a4 c1 72 72 .>#t@.?.......rr
0020 72 72 bd 38 00 35 00 2a 29 ad 9a 73 01 00 00 01 rr.8.5.*)..s....
0030 00 00 00 00 00 00 06 73 6f 6c 6f 63 6f 05 66 33 .......soloco.f3
0040 33 32 32 03 6e 65 74 00 00 01 00 01 322.net.....

And this:

    Source: 159.203.164.193 (159.203.164.193)
    Destination: 183.131.69.13 (183.131.69.13)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 36403 (36403), Dst Port: 8000 (8000), Seq: 0, Len: 845
    Source port: 36403 (36403)
    Destination port: 8000 (8000)
    [Stream index: 17]
    Sequence number: 0 (relative sequence number)
    [Next sequence number: 845 (relative sequence number)]
    Header length: 20 bytes
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 8000]
                [Message: Connection establish request (SYN): server port 8000]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 61200
    [Calculated window size: 61200]
    Checksum: 0x54ae [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Bytes in flight: 846]
Data (845 bytes)
    Data: 000000000000000000000000000000000000000000000000...
    [Length: 845]

0000 00 00 5e 00 01 ca 04 01 bb cd 24 01 08 00 45 00 ..^.......$...E.
0010 03 75 58 66 40 00 fc 06 e1 fe 9f cb a4 c1 b7 83 .uXf@...........
0020 45 0d 8e 33 1f 40 13 ed 66 58 00 00 00 00 50 02 [email protected].
0030 ef 10 54 ae 00 00 00 00 00 00 00 00 00 00 00 00 ..T.............
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0380 00 00 00 ...
Basically, flood attacks towards hosts in China.

Now, these are actual packet dumps we took from your droplet.

If you can help us better understand why your droplet is sending out very heavily padded SYN packets at a rate of 100mb/sec to China ([ 183.131.69.13 ] CHINANET-BACKBONE No.31,Jin-rong Street, CN), perhaps then we can understand better.

However, all signs point to this being a compromise of your system. There are no doubts from our side.

Let us know if you have any other questions or require any further assistance.

Best Regards,
GD
DigitalOcean Trust & Safety Specialist
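The two frames quoted in the message above, decoded by a small parser added here as a worked example; it is not part of the DigitalOcean message or of any DigitalOcean tooling, and names such as parse_frame, Frame and analyze_ticket_frames are this example's own. It takes the hex bytes exactly as printed in the two dumps, walks the Ethernet II, IPv4, UDP/DNS and TCP headers, verifies the IPv4 header checksums, and applies the two checks a responder would want from this ticket: which name the droplet was resolving (for pivoting through DNS logs and blocklists), and whether the TCP packet is a bare SYN carrying a payload, which is what "heavily padded SYN packets" means on the wire and what distinguishes it from ordinary connection setup. Only the first 64 bytes of the SYN frame are embedded, because the page truncates the rest of the zero padding; the payload length is derived from the IPv4 Total Length field, not from the bytes present.

```python
"""Decode the two frames quoted in the ticket and check the claims made about them.
Added example; not DigitalOcean code."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Frame 1: the DNS query, copied byte for byte from the first hexdump (complete, 76 bytes).
DNS_FRAME_HEX = """
00 00 5e 00 01 ca 04 01 bb cd 24 01 08 00 45 00
00 3e 23 74 40 00 3f 11 ee c9 9f cb a4 c1 72 72
72 72 bd 38 00 35 00 2a 29 ad 9a 73 01 00 00 01
00 00 00 00 00 00 06 73 6f 6c 6f 63 6f 05 66 33
33 32 32 03 6e 65 74 00 00 01 00 01
"""
# Frame 2: the padded SYN.  Only the first 64 bytes of the second hexdump are
# embedded (Ethernet, IPv4 and TCP headers plus the start of the zero payload);
# the page truncates the remainder.
SYN_FRAME_HEAD_HEX = """
00 00 5e 00 01 ca 04 01 bb cd 24 01 08 00 45 00
03 75 58 66 40 00 fc 06 e1 fe 9f cb a4 c1 b7 83
45 0d 8e 33 1f 40 13 ed 66 58 00 00 00 00 50 02
ef 10 54 ae 00 00 00 00 00 00 00 00 00 00 00 00
"""
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Frame:
    src: str
    dst: str
    proto: int
    ttl: int
    ip_checksum_ok: bool
    sport: int
    dport: int
    payload_len: int                  # transport payload, from the IPv4 Total Length field
    tcp_flags: Optional[int] = None
    dns_qname: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def unhex(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header that includes its own
    checksum field the result is 0 exactly when that checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dns_question_name(msg: bytes) -> str:
    """QNAME of the first question in a DNS message ('' for responses or empty questions)."""
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount == 0:
        return ""
    labels, pos = [], 12
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                  # compression pointers are not legal in a question name
            raise ValueError("compressed label in question name")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def parse_frame(raw: bytes) -> Frame:
    """Ethernet II -> IPv4 -> UDP/DNS or TCP.  raw may be cut off after the
    headers; payload sizes come from the IPv4 header, never from len(raw)."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("expected an Ethernet II frame carrying IPv4")
    ip = raw[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _cksum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    ip_ok = inet_checksum(ip[:ihl]) == 0
    seg = ip[ihl:]
    if proto == 17:                                               # UDP
        sport, dport, _ulen, _ucksum = struct.unpack("!HHHH", seg[:8])
        fr = Frame(src, dst, proto, ttl, ip_ok, sport, dport, total_len - ihl - 8)
        if dport == 53:
            fr.dns_qname = dns_question_name(seg[8:total_len - ihl])
            fr.findings.append("DNS query for %s sent to %s" % (fr.dns_qname, dst))
    elif proto == 6:                                              # TCP
        sport, dport, _seq, _ack, off_flags, _win, _tck, _urg = struct.unpack("!HHIIHHHH", seg[:20])
        doff = (off_flags >> 12) * 4
        fr = Frame(src, dst, proto, ttl, ip_ok, sport, dport, total_len - ihl - doff,
                   tcp_flags=off_flags & 0x1FF)
        # Normal connection setup sends an empty SYN; a SYN without ACK that carries
        # hundreds of bytes is the "heavily padded SYN" the ticket describes.
        if fr.tcp_flags & TCP_SYN and not fr.tcp_flags & TCP_ACK and fr.payload_len > 0:
            fr.findings.append("SYN to %s:%d carrying %d payload bytes (flood signature)"
                               % (dst, dport, fr.payload_len))
    else:
        raise ValueError("unsupported IP protocol %d" % proto)
    if not ip_ok:
        fr.findings.append("IPv4 header checksum does not verify")
    return fr


def analyze_ticket_frames() -> List[Frame]:
    return [parse_frame(unhex(DNS_FRAME_HEX)), parse_frame(unhex(SYN_FRAME_HEAD_HEX))]


if __name__ == "__main__":
    for fr in analyze_ticket_frames():
        print("%s:%d -> %s:%d proto=%d ttl=%d ip_cksum_ok=%s payload=%d" % (
            fr.src, fr.sport, fr.dst, fr.dport, fr.proto, fr.ttl, fr.ip_checksum_ok, fr.payload_len))
        for finding in fr.findings:
            print("  !", finding)
```

Running it reproduces the dissector output above: the UDP frame is a query for soloco.f3322.net to 114.114.114.114 with a correct IPv4 checksum (0xeec9), and the TCP frame is a SYN-only segment to 183.131.69.13:8000 whose IPv4 Total Length of 885 leaves 845 bytes of payload behind the two 20-byte headers, matching "Data (845 bytes)". The SYN-with-payload rule is the one worth lifting into a sensor: it needs only the IPv4 and TCP headers, so it works on truncated captures and on flows that never complete a handshake.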