I've just had an email from my hosting company telling me I'm in violation of their Acceptable Use Policy.
They forwarded me an email from another company complaining about something to do with a "TCP sweep of port 22". They included a snippet from their logs,
20:29:43 <MY_SERVER_IP> 0.0.0.0 [TCP-SWEEP]
(total=325,dp=22,min=212.1.191.0,max=212.1.191.255,Mar21-20:26:34,Mar21-20:26:34)
(USI-amsxaid01)
Now, my server knowledge is limited at best, and I've absolutely no idea what this is or what could be causing it.
Any help would be greatly appreciated!
Thank you
It sounds like they're saying that your machine is scanning TCP port 22 on other machines. If you didn't configure your server to do this then someone else did. Your machine has probably been compromised and malicious third-party software has been installed.
If that's the case, it's time to level the machine, reload the OS, and restore data from a good backup. You should also do some analysis to determine the root cause of the compromise and prevent it from happening in the future (i.e. immediately after you restore it when another zombie comes along and compromises it again).
As a practical matter, if you don't know how to do these things then you really need to retain the services of someone who does. Getting your server configured with the least amount of software installed, configured in the most secure manner possible (least privilege, no default passwords, unnecessary features / functions disabled, etc), and on a regular security patch installation schedule will do wonders to prevent this kind of thing from happening again.
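As an added example (not from the question or either answer): a small Python script that parses the vendor's TCP-SWEEP report line quoted above and then applies the same "many distinct hosts on one port" logic to connection records of the kind `ss -tan` shows on your own box, so the owner can confirm whether the server really is the source. The field meanings (total, dp, min, max) are assumed from their names; the sample connection list is constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed copy of the abuse-report line quoted in the question.
SWEEP_LINE = (
    "20:29:43 <MY_SERVER_IP> 0.0.0.0 [TCP-SWEEP] "
    "(total=325,dp=22,min=212.1.191.0,max=212.1.191.255,"
    "Mar21-20:26:34,Mar21-20:26:34) (USI-amsxaid01)"
)

# Assumed layout: time, source, destination, event tag, then key=value fields.
SWEEP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) \[TCP-SWEEP\] "
    r"\((?P<fields>[^)]*)\)"
)


def parse_sweep(line):
    """Return a dict describing a TCP-SWEEP report line, or None if it is not one."""
    m = SWEEP_RE.match(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group("fields").split(",") if "=" in f)
    lo, hi = ip_address(kv["min"]), ip_address(kv["max"])
    return {
        "source": m.group("src"),
        "port": int(kv["dp"]),          # dp = destination port probed
        "probes": int(kv["total"]),     # total = connection attempts counted
        "range_hosts": int(hi) - int(lo) + 1,  # size of the swept address range
    }


def outbound_sweep_suspects(conns, dport=22, threshold=20):
    """conns: (local_ip, remote_ip, remote_port) tuples as seen in `ss -tan`.
    Flags local addresses talking to many distinct remote hosts on one port,
    which is what a compromised box sweeping port 22 looks like from inside."""
    targets = defaultdict(set)
    for local, remote, port in conns:
        if port == dport:
            targets[local].add(remote)
    return {local: len(t) for local, t in targets.items() if len(t) >= threshold}


# Constructed sample: one normal host with two sessions, one host hitting 30 targets.
SAMPLE_CONNS = [("10.0.0.5", "192.0.2.7", 22), ("10.0.0.5", "192.0.2.8", 443)]
SAMPLE_CONNS += [("10.0.0.9", f"212.1.191.{i}", 22) for i in range(30)]

if __name__ == "__main__":
    print(parse_sweep(SWEEP_LINE))
    print(outbound_sweep_suspects(SAMPLE_CONNS))
```

A real check would feed `ss -tan` output (or firewall accounting) into `outbound_sweep_suspects`; a local address that appears there is evidence the abuse report is accurate and the rebuild advice above applies.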
Get a professional to review your server. You likely have to reinstall it - because you got a rootkit or something. Normally a server does not sweep. I would take everything I trust off and kill the server with a new install image - faster than checking.
Then hire some admin to administrate your server. I am sure your hosting provider has managed hosting offers where they handle the administration.
Your statement runs along the lines of "The police captured me because I am driving without a driving licence and basically I have no clue how to drive, what should I do". Running a server on the internet is not exactly trivial and "no idea what this is" is not going to help you here.
You basically are better off with a managed server (if your hosting provider offers that) than one where you can hang yourself.