OVHcloud Network Status

FS # 4451 - 85.114.129.0/24 blockage.
Scheduled Maintenance Report for Network & Infrastructure
Completed
For two days, several IPs in 85.114.129.0/24 have been trying to
exploit a security flaw in phpMyAdmin and then use our customers'
servers to scan networks.

www-data 6968 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6969 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6971 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6972 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6973 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6974 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6976 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6979 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 6981 0.0 0.2 4264 956 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7002 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7003 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7004 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2
www-data 7005 0.0 0.2 4264 1156 ? S 10:27 0:00 /tmp/dd_ssh 100 85.114.129.49 2

mail:~# lsof -n | grep 7933
dd_ssh 7933 www-data cwd DIR 8,1 4096 1207701 /var/www/phpmyadmin
dd_ssh 7933 www-data rtd DIR 8,1 4096 2 /
dd_ssh 7933 www-data txt REG 8,1 1280240 261155 /tmp/dd_ssh
dd_ssh 7933 www-data mem REG 8,1 42504 1583062 /lib/i686/cmov/libnss_files-2.7.so
dd_ssh 7933 www-data mem REG 8,1 38444 1583065 /lib/i686/cmov/libnss_nis-2.7.so
dd_ssh 7933 www-data mem REG 8,1 125536 1583073 /lib/i686/cmov/ld-2.7.so
dd_ssh 7933 www-data mem REG 8,1 1413540 1583067 /lib/i686/cmov/libc-2.7.so
dd_ssh 7933 www-data mem REG 8,1 87800 1583044 /lib/i686/cmov/libnsl-2.7.so
dd_ssh 7933 www-data mem REG 8,1 30436 1583070 /lib/i686/cmov/libnss_compat-2.7.so
dd_ssh 7933 www-data 0r CHR 1,3 212 /dev/null
dd_ssh 7933 www-data 1w CHR 1,3 212 /dev/null
dd_ssh 7933 www-data 2w CHR 1,3 212 /dev/null
dd_ssh 7933 www-data 3u IPv4 328188 UDP 91.121.194.138:35796->85.114.129.49:54510
dd_ssh 7933 www-data 4u IPv4 687706 TCP 91.121.194.138:39248->212.220.41.126:ssh (ESTABLISHED)

We have blocked the /24.
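
The listings above show the pattern to look for on a customer server: a binary running as the web server user from /tmp, started from the phpMyAdmin directory, with an established outbound SSH connection. The following is an added example, not part of the original report, that flags that pattern in `lsof -n` output; the account names, the temp directories and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions (not from the report): which accounts are web service users
# and which directories are treated as world-writable staging areas.
WEB_USERS = {"www-data", "apache", "nginx", "httpd"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SSH_PEER = re.compile(r"->(\S+):(?:ssh|22)$")  # "ssh" unless lsof ran with -P

# Constructed sample in `lsof -n` layout; addresses are documentation ranges.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dd_ssh 7933 www-data cwd DIR 8,1 4096 1207701 /var/www/phpmyadmin
dd_ssh 7933 www-data txt REG 8,1 1280240 261155 /tmp/dd_ssh
dd_ssh 7933 www-data 3u IPv4 328188 UDP 192.0.2.10:35796->198.51.100.49:54510
dd_ssh 7933 www-data 4u IPv4 687706 TCP 192.0.2.10:39248->203.0.113.126:ssh (ESTABLISHED)
apache2 2101 www-data cwd DIR 8,1 4096 2 /
apache2 2101 www-data txt REG 8,1 512000 99001 /usr/sbin/apache2
apache2 2101 www-data 4u IPv4 11111 TCP *:http (LISTEN)
sshd 811 root txt REG 8,1 400000 88001 /usr/sbin/sshd
"""

def first_path(tokens):
    """First absolute path on the line; skips a trailing "(deleted)" marker."""
    return next((t for t in tokens if t.startswith("/")), None)

def suspicious_processes(lsof_text):
    """Return {pid: details} for web-user processes whose binary is in a temp dir."""
    procs = defaultdict(lambda: {"user": None, "exe": None, "cwd": None, "ssh_peers": []})
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[1].isdigit():
            continue  # header, shell prompt or blank line
        pid, user, fd, ftype, rest = int(f[1]), f[2], f[3], f[4], f[5:]
        p = procs[pid]
        p["user"] = user
        if fd == "txt" and p["exe"] is None:
            p["exe"] = first_path(rest)      # the running binary
        elif fd == "cwd":
            p["cwd"] = first_path(rest)      # hints at the application that spawned it
        elif ftype in ("IPv4", "IPv6") and "TCP" in rest:
            m = SSH_PEER.search(rest[rest.index("TCP") + 1])
            if m and rest[-1] == "(ESTABLISHED)":
                p["ssh_peers"].append(m.group(1))
    return {pid: p for pid, p in procs.items()
            if p["user"] in WEB_USERS and p["exe"] and p["exe"].startswith(TEMP_DIRS)}

if __name__ == "__main__":
    for pid, p in suspicious_processes(SAMPLE).items():
        print(pid, p["user"], p["exe"], "cwd=" + str(p["cwd"]), "ssh->", p["ssh_peers"])
```

On a live host the same function can be fed the output of `lsof -n` captured to a file; a hit whose cwd sits under the web root points at the application to patch.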

Update(s):

Date: 2010-08-10 16:07:28 UTC
About 200 servers have been placed in rescue from 4:00 am,
following the scan detection.
Posted Aug 10, 2010 - 16:06 UTC