VPS suspended, please help me understand what the support reply means

    ZCX · 2012-05-10 20:41:56 +08:00 · 7640 views
    This evening I received an email saying my VPS was suspended, Suspension Reason: Hacking
    I submitted a ticket to ask support and got the following reply. I don't quite understand what it means, so please help.

    your Server with the IP: 199.195.142.253 has attacked one of our server/partner on the service:
    "regbot" on Time: Thu, 10 May 2012 13:14:19 +0200. The time is from the Server of the blocklist-user (so, please check it +-10 minutes, when the time is false).

    The IP was automatically blocked for a while time. To block an IP, it needs most 3 failed Logins (ssh, imap....), one match for "invalid user" or a 5xx-Error-Code (eg.
    Blacklist on mail...)! The Server-Owner can set the limits and not blocklist.de!


    Please check the machine behind the IP 199.195.142.253 (199.195.142.253) and fix the problem.
    Search for AS-Number/IPs from you, look at https://www.blocklist.de/en/search.html?as=17139

    You can parse this Mail with X-ARF-Tools from http://www.x-arf.org/tools.html e.g. validatexarf-php.tar.gz.
    You found more Information about X-Arf under http://www.x-arf.org/specification.html

    This mail will be sent again after one day if more attacks are recognized.
    In the attachment of this mail you can find the original protocols of our systems.

    To pause this message for one week, you can insert the IP and E-Mailaddress to our Blocklist.
    If more attacks of your network are recognized after the pause of seven days, the block will
    be canceled and you will get new reports.

    https://www.blocklist.de/en/[email protected]

    We found your address in the Whois-Data from the IP under the SearchString "abuse-mailbox"
    Answer us to rewrite the address (to abuse-quiet or a special address) for all upcoming reports.

    He has registered automatically on a honeypot Wiki/Forum/Blog-System....
    At the site there is a notice that all postings and registrations will be reported.
    He used xrumer or other Tools or had a false configured mod_rewrite/mod_proxy who is abused:
    http://blog.blocklist.de/2011/03/14/erlauterung-der-einzelnen-dienste-badbots-apacheddos-postfix/#regbots

    If the IP a Tor-Server: http://blog.blocklist.de/tor-server-owner/



    Kind Regards,

    Joe Selly
    QuickWeb Admin Staff

    QuickWeb Hosting Solutions
    VPS HOSTING IN 12 CITIES WORLDWIDE!
    Follow us on Twitter: http://twitter.com/quickwebhosting

    Private and Confidential
    This electronic ticket/message and any files transmitted with it are intended solely to be viewed by YOU or your representative and may contain information that is confidential or privileged
    11 replies
    lfzyx · #1 · 2012-05-10 21:05:13 +08:00
    Spam?
    ZCX (OP) · #2 · 2012-05-10 21:05:45 +08:00
    @lfzyx I've been reading it for ages and still don't understand what it means
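    vaan · #3 · 2012-05-10 21:13:57 +08:00
    A quick translation:

    Your VPS with the IP address "99.195.142.253" attacked our regbot node at 1:14 PM on May 10, 2012 (the time may be off by about 10 minutes either way; this time is provided by the blocklist server).

    This IP has been automatically blocked for a while. Three failed logins to ssh, imap or whatever else, such as an invalid user or a 5XX error and so on, will all get the IP blocked. And these settings can all be set by the blocklist server.

    Please check your VPS and fix this problem. If you want to look up the AS, visit https://www.blocklist.de/en/search.html?as=17139

    You can analyze this email with the X-ARF tools (at http://www.x-arf.org/tools.html ). For more information, see: http://www.x-arf.org/specification.html

    If more attacks occur after one day, you will receive this email again. The attachment contains our system's protocols.

    If you don't want to receive this email for a week, you can submit the IP address and email address to our Blocklist server. If there are still attacks within the week, the block will be lifted and new report emails will be sent to you again.

    We found that your VPS is sending spam…

    In other words, your VPS attacked (possibly by mass-mailing spam) their other nodes. Go into the control panel and see whether the traffic looks abnormal; my guess is root was cracked and someone is using it to send spam…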
    eerie · #4 · 2012-05-10 21:14:37 +08:00
    Only the first paragraph is useful, I guess
    What programs have you been running?
    Could it have been used as a relay?
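    binux · #5 · 2012-05-10 21:21:05 +08:00
    I received one of these once, because I had squid open and didn't set deny all correctly, so it was used as a relay.

    As soon as I received the email I fixed it and immediately replied with an email explaining the cause and promising that this problem wouldn't happen again, and that was the end of it.
    I wasn't suspended right off the bat, though; looking at the records it seems it had been restarted (squid was brought back up by my monitoring..). Did you receive similar emails before this without dealing with them?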
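A log-triage sketch for the open-proxy case binux describes, added here as an example and not part of the original thread. It turns the report's timestamp into the ±10-minute window the email asks you to check and lists requests a Squid proxy actually served to clients outside an allow-list. The log lines, allow-list networks and function names are constructed for illustration.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# Time string exactly as quoted in the abuse report above.
REPORT_TIME = "Thu, 10 May 2012 13:14:19 +0200"
# Assumption: networks that are allowed to use this proxy (constructed values).
ALLOWED_CLIENTS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed sample lines in Squid's native access.log format:
# epoch.ms elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1336647000.101    120 192.0.2.10 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/198.51.100.5 text/html
1336648301.552    310 203.0.113.77 TCP_MISS/200 2048 POST http://forum.example.net/register.php - DIRECT/198.51.100.20 text/html
1336648459.004    295 203.0.113.77 TCP_MISS/200 1987 POST http://wiki.example.net/index.php - DIRECT/198.51.100.21 text/html
1336648470.900     15 203.0.113.77 TCP_DENIED/403 1400 POST http://blog.example.net/wp-login.php - NONE/- text/html
1336648500.310     90 192.0.2.10 TCP_MISS/200 900 GET http://example.org/a.css - DIRECT/198.51.100.5 text/css
1336650000.000    200 203.0.113.77 TCP_MISS/200 2100 POST http://forum.example.net/register.php - DIRECT/198.51.100.20 text/html
"""

def report_window(report_time, slack_minutes=10):
    """Return (start, end) in epoch seconds around the reported time.
    The UTC offset in the report is honoured, so the server's timezone is irrelevant."""
    ts = parsedate_to_datetime(report_time).timestamp()
    slack = timedelta(minutes=slack_minutes).total_seconds()
    return ts - slack, ts + slack

def relayed_requests(log_text, window, allowed=ALLOWED_CLIENTS):
    """Yield (epoch, client, method, url) for requests inside the window that
    were served (not TCP_DENIED) to a client outside the allowed networks."""
    start, end = window
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        try:
            epoch, client = float(fields[0]), ip_address(fields[2])
        except ValueError:
            continue  # non-numeric timestamp or hostname instead of an IP
        if not start <= epoch <= end:
            continue
        if fields[3].startswith("TCP_DENIED"):
            continue  # the proxy refused this request, so nothing was relayed
        if any(client in net for net in allowed):
            continue
        yield epoch, str(client), fields[5], fields[6]

if __name__ == "__main__":
    for epoch, client, method, url in relayed_requests(SAMPLE_LOG, report_window(REPORT_TIME)):
        print(f"{epoch:.3f} {client} {method} {url}")
```

Any line this prints is a request the proxy forwarded for a stranger during the reported window, which is the evidence to cite when replying to the abuse ticket after fixing the ACL.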
    ZCX (OP) · #6 · 2012-05-10 21:22:46 +08:00
    @vaan Right now I can no longer log in to SSH or the control panel
    ZCX (OP) · #7 · 2012-05-10 21:23:30 +08:00
    @eerie I only installed the LNMP one-click package and haven't run any websites yet, plus PPTP+OPENVPN
    ZCX (OP) · #8 · 2012-05-10 21:23:57 +08:00
    @binux Today was the first time I received one, and I was suspended straight away. I'm devastated...
    vaan · #9 · 2012-05-10 21:28:48 +08:00
    @ZCX Then submit a ticket…
    ZCX (OP) · #10 · 2012-05-10 21:29:53 +08:00
    @vaan After I received this super-long ticket reply, there have been no further replies
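    vaan · #11 · 2012-05-10 21:45:14 +08:00
    @ZCX Then you'll just have to wait for someone else to answer…… On my own nodes I'm basically the one filing complaints about other people; some sites are too borderline…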