Strange activity with tcpdump

Hello everyone
While I was at home I heard my server’s hard drive making a lot of noise, which was strange since I wasn’t doing anything in particular. I got suspicious and ran a network packet scan with tcpdump, and this is the result:

16:37:42.492227 IP mywebsite.xxx.xx.https > ec2-15-184-39-8.me-south-1.compute.amazonaws.com.27821: Flags [S.], seq 3852189660, ack 1478983093, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:37:42.492234 IP mywebsite.xxx.xx.http > ec2-15-184-39-8.me-south-1.compute.amazonaws.com.2419: Flags [S.], seq 120855570, ack 3587436861, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:37:42.540326 IP mywebsite.xxx.xx.22 > 192.168.178.20.50230: Flags [P.], seq 570992:572012, ack 4897, win 501, options [nop,nop,TS val 269969695 ecr 3127106702], length 1020
16:37:42.543022 IP ec2-15-184-39-8.me-south-1.compute.amazonaws.com.5160 > mywebsite.xxx.xx.https: Flags [S], seq 358418978, win 29200, options [mss 1430,nop,wscale 5,nop,nop,sackOK], length 0
16:37:42.543081 IP mywebsite.xxx.xx.https > ec2-15-184-39-8.me-south-1.compute.amazonaws.com.5160: Flags [S.], seq 3747155832, ack 358418979, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

I immediately changed the root password and rebooted the system. I then ran a new scan with tcpdump, of which I report an excerpt here:

16:49:40.500382 IP mywebsite.xxx.xx.http > 45.76.44.255.vultrusercontent.com.26468: Flags [S.], seq 2501052074, ack 3678965945, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:49:40.500397 IP mywebsite.xxx.xx.http > 45.76.44.255.vultrusercontent.com.29565: Flags [S.], seq 2689709764, ack 4243606607, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:49:40.564273 IP mywebsite.xxx.xx.http > 45.76.44.255.vultrusercontent.com.34111: Flags [S.], seq 693501140, ack 731262637, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:49:40.580649 IP mywebsite.xxx.xx.22 > mymac.fritz.box.50588: Flags [P.], seq 185552:186540, ack 145, win 501, options [nop,nop,TS val 2432297762 ecr 2797717179], length 988

I do not understand why it is sending these packets to these addresses; I have no particular software installed other than those from the YunoHost store. Is it possible that I have suffered an intrusion? Or are these packets being sent normally? I have tried starting a second server (which I have as a backup) and these packets are not being sent.

Thank you

Is there no one who can help or reassure me?
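To make sense of what those tcpdump lines actually show, here is an added example (not written by the original poster or by anyone in the thread) that classifies one-line tcpdump output by handshake direction: `Flags [S]` is a SYN, sent by the side opening a connection, and `Flags [S.]` is a SYN-ACK, sent by the side accepting one. It runs on a constructed capture that mirrors the first excerpt, using the post's placeholder host name mywebsite.xxx.xx as the local host.

```shell
#!/bin/sh
# Added example, not from the thread: summarise tcpdump one-line output by TCP
# handshake direction. Flags [S] is a SYN (src is opening a connection);
# Flags [S.] is a SYN-ACK (src is accepting a connection that dst opened).
# SAMPLE_CAPTURE is constructed to mirror the post's first excerpt; the
# host name "mywebsite.xxx.xx" is the post's own placeholder.

SAMPLE_CAPTURE='16:37:42.492227 IP mywebsite.xxx.xx.https > ec2-15-184-39-8.me-south-1.compute.amazonaws.com.27821: Flags [S.], seq 3852189660, ack 1478983093, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:37:42.492234 IP mywebsite.xxx.xx.http > ec2-15-184-39-8.me-south-1.compute.amazonaws.com.2419: Flags [S.], seq 120855570, ack 3587436861, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:37:42.540326 IP mywebsite.xxx.xx.22 > 192.168.178.20.50230: Flags [P.], seq 570992:572012, ack 4897, win 501, options [nop,nop,TS val 269969695 ecr 3127106702], length 1020
16:37:42.543022 IP ec2-15-184-39-8.me-south-1.compute.amazonaws.com.5160 > mywebsite.xxx.xx.https: Flags [S], seq 358418978, win 29200, options [mss 1430,nop,wscale 5,nop,nop,sackOK], length 0
16:37:42.543081 IP mywebsite.xxx.xx.https > ec2-15-184-39-8.me-south-1.compute.amazonaws.com.5160: Flags [S.], seq 3747155832, ack 358418979, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0'

# handshake_summary HOST   (tcpdump output on stdin)
# Prints one line per (direction, local port): "<direction> <port> <count>".
#   inbound_accept : HOST sent a SYN-ACK, i.e. a remote host connected to HOST
#   inbound_syn    : a remote host sent a SYN to HOST
#   outbound_syn   : HOST sent a SYN, i.e. HOST initiated the connection itself
handshake_summary() {
  awk -v host="$1" '
    # tcpdump prints endpoints as host.port; the port is the last dotted field
    function port_of(ep,  n, a) { n = split(ep, a, "."); return a[n] }
    function host_of(ep) { return substr(ep, 1, length(ep) - length(port_of(ep)) - 1) }
    $2 == "IP" && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)     # strip the colon after dst
      flags = $7; sub(/,$/, "", flags)           # e.g. "[S.]," -> "[S.]"
      if (flags == "[S.]" && host_of(src) == host)      key = "inbound_accept " port_of(src)
      else if (flags == "[S]" && host_of(dst) == host)  key = "inbound_syn " port_of(dst)
      else if (flags == "[S]" && host_of(src) == host)  key = "outbound_syn " port_of(dst)
      else next                                  # data/ACK segments are not handshakes
      count[key]++
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

# outbound_syn_count HOST : number of connections HOST opened on its own
outbound_syn_count() {
  handshake_summary "$1" | awk '$1 == "outbound_syn" { n += $3 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_CAPTURE" | handshake_summary mywebsite.xxx.xx
```

On the sample the server only ever appears as the SYN-ACK sender on http/https and as the target of a SYN, so the remote hosts are connecting to the web server rather than the server reaching out to them. A non-zero `outbound_syn` count towards remote ports you cannot account for is the line that would merit a closer look. For a live capture, `tcpdump 'tcp[tcpflags] & tcp-syn != 0' | handshake_summary <your host name>` produces the same summary from handshake packets only.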

View SSH logs using grep:

sudo grep 'sshd' /var/log/auth.log

This command filters out SSH-related log entries. You can also use:

sudo grep 'Failed password' /var/log/auth.log

This command shows failed login attempts.
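Building on the two grep commands above, here is an added example (not part of the reply) that turns the 'Failed password' filter into a per-source count and also extracts the accepted logins, since a successful login from an address you do not recognise is what would actually indicate a compromise. The log lines are constructed samples in the format sshd writes to /var/log/auth.log through syslog; the addresses, user names and key fingerprint are made up.

```shell
#!/bin/sh
# Added example, not from the reply: summarise sshd entries from auth.log.
# SAMPLE_AUTH_LOG is constructed; the IPs, users and fingerprint are made up.

SAMPLE_AUTH_LOG='Mar  3 16:20:01 server sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 16:20:04 server sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 16:20:09 server sshd[2150]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 16:21:30 server sshd[2160]: Accepted publickey for myuser from 192.168.178.20 port 50230 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  3 16:22:12 server sshd[2171]: Failed password for root from 203.0.113.7 port 51300 ssh2
Mar  3 16:25:45 server CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)'

# failed_by_source  (auth.log on stdin) -> "<count> <ip>" lines, busiest source first
failed_by_source() {
  grep 'sshd' | grep 'Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'           # normalise uniq -c's padded output
}

# accepted_logins  (auth.log on stdin) -> "<method> <user> <ip>" per successful login
accepted_logins() {
  grep 'sshd' | grep 'Accepted ' \
    | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\1 \2 \3/p'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
```

Against the real log, run `sudo cat /var/log/auth.log | failed_by_source` and `sudo cat /var/log/auth.log | accepted_logins`. A high failure count from one address is ordinary internet background noise on an exposed port 22; an `Accepted` line for a user, method or address you did not expect is the entry to follow up on.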
