Server down because of portflood attack by the server

August 5, 2016 259 views
Security Ruby on Rails

Hi Guys,

Kindly help me on these,

I received below messages from the server people,

"your Server/Customer with the IP: x.x.x.x (x.x.x.x) has attacked one of our servers/partners.
The attackers used the method/service: portflood on: Thu, 04 Aug 2016 13:59:17 +0200.
The time listed is from the server-time of the Blocklist-user who submitted the report.
The attack was reported to the on: Thu, 04 Aug 2016 13:59:37 +0200

The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
The Server-Owner configures the number of failed attempts, and the time period they have
to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.

Please check the machine behind the IP x.x.x.x (x.x.x.x) and fix the problem.
To search for AS-Number/IPs that you control, to see if any others have been infected/blocked, please go to:"


1 Answer

Based on this information, chances are that your server is compromised. Without any further information the only course of action I can recommend is to take the server offline and investigate. You will most likely want to re-deploy from a clean backup.

This guide should help you with the next steps.

This tutorial explains the next steps to take after receiving a message from DigitalOcean support that your Droplet is sending an outgoing flood or DDoS. Each server setup is unique, but in many cases, these are the general steps you should follow: - Recover content from the compromised Droplet - Deploy a new Droplet - Secure your new Droplet - Deploy content to new Droplet - Conduct a post-mortem on your old Droplet - Make regular backups
Have another answer? Share your knowledge.