TS3 server is sending out portscan?!?!

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,029
896
216
First guess, badly configured IDS (wat is udp)
 

ikfes

Member
Apr 15, 2016
62
8
55
> First guess, badly configured IDS (wat is udp)

Some background:

I have ExtraVM VPS server with OVH-Game Anti-DDoS. ExtraVM received this message from Hetzner and forwarded it back to me.

The UDP would be protocol. I'm running 3.0.13.2 version
 

ehthe

> The UDP would be protocol

No fucking way

To be a bit more concise: in my first post I was addressing the IDS from the company sending the notice, because connections are not obvious in UDP, so TeamSpeak communications between clients and server "can" appear as a port scan.

You should check those IPs and your clients' IPs to see if some match.
If you see absolutely no match, then yes, your server may have a problem.
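
The comparison suggested in the post above, as an added example that is not part of the original thread: it splits the destinations listed in an abuse report into those that were connected TS3 clients (normal UDP replies from the voice port) and those that never connected. The sample lines, their layouts, the regexes and the `triage` helper are all constructed assumptions; adapt the patterns to the report and server log you actually have.

```python
import re
from collections import defaultdict

# Constructed sample data (documentation IP ranges). Both layouts are
# assumptions, not copied from a real report or server log.
NETSCAN = """\
Sat Apr 16 10:01:02 2016 UDP 192.0.2.10 9987 => 198.51.100.7 51820
Sat Apr 16 10:01:02 2016 UDP 192.0.2.10 9987 => 198.51.100.7 51821
Sat Apr 16 10:01:03 2016 UDP 192.0.2.10 9987 => 198.51.100.8 40000
Sat Apr 16 10:01:04 2016 UDP 192.0.2.10 9987 => 203.0.113.5 61234
"""
CLIENT_LOG = """\
2016-04-16 09:58:11.120000|INFO|VirtualServerBase|1|client connected 'alice'(id:3) from 203.0.113.5:61234
2016-04-16 09:59:40.500000|INFO|VirtualServerBase|1|client connected 'bob'(id:4) from 203.0.113.77:50111
"""

NETSCAN_RE = re.compile(r"(UDP|TCP)\s+(\S+)\s+(\d+)\s+=>\s+(\S+)\s+(\d+)\s*$")
CLIENT_RE = re.compile(r"client connected .* from (\d+\.\d+\.\d+\.\d+):\d+")


def client_ips(log_text):
    """Return the set of IPs that appear as connected clients in the log."""
    return {m.group(1) for m in CLIENT_RE.finditer(log_text)}


def triage(netscan_text, log_text, ts_port=9987):
    """Split reported destinations into known clients and unknown hosts.

    A flow counts as 'matched' only if it is UDP, leaves from the voice
    port, and goes to an IP that connected as a client. Everything else
    is 'unmatched' and needs a closer look.
    """
    known = client_ips(log_text)
    buckets = {"matched": defaultdict(set), "unmatched": defaultdict(set)}
    for line in netscan_text.splitlines():
        m = NETSCAN_RE.search(line)
        if not m:
            continue  # header or separator line in the report
        proto, _src, sport, dst, dport = m.groups()
        is_voice_reply = proto == "UDP" and int(sport) == ts_port and dst in known
        buckets["matched" if is_voice_reply else "unmatched"][dst].add(int(dport))
    return {k: {ip: sorted(p) for ip, p in v.items()} for k, v in buckets.items()}


if __name__ == "__main__":
    for kind, hosts in triage(NETSCAN, CLIENT_LOG).items():
        for ip, ports in hosts.items():
            print(f"{kind:9} {ip:15} dst ports {ports}")
```

Destinations in the `unmatched` bucket that receive traffic on many different ports without ever having connected are the ones worth a packet capture on the server.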
 

ikfes

Those are all Hetzner IPs my server is "supposedly scanning", looking at that wall of text they provided me.

To my understanding portscans are hard to do with outgoing TCP blocked, so I blocked everything outgoing from ports 1:65535 TCP including 9987 TCP but excluding 22 TCP for SSH.

As for how this happens, the first thing I can imagine is some kind of reflection attack. Maybe someone scanned my IP range and picked the TS3 server for his reflection list. Then a DDoS was picked up as a portscan at their end, but this is just speculative.

Does anyone have an idea what the issue is? According to the ExtraVM guy:

> Are you using a cracked license or some form of TS3 bot? If so that's your issue. We've had many clients run cracked servers and the software is what is sending out the attacks. Plus the netscan log above from Hetzner shows that it is originating from port 9987.

So I figured I'd ask here.

Other than that, the guy is super cool about this.. He never threatened me about shutting down the server or anything of that sort. Definitely a provider worth sticking around for me.
 

0x0539

Retired Staff
Contributor
Jan 30, 2016
1,334
1,146
254
> Other than that, the guy is super cool about this.. He never threatened me about shutting down the server or anything of that sort. Definitely a provider worth sticking around for me.

Did this nigga just randomly assume you're running a cracked teamspeak license and blaming the "cracked" license for random attacks?

The guy doesn't have any right to threaten you, it's not like you won't go to another provider if he does and do the exact same thing there..

Me right now: http://i.imgur.com/JIl2zIc.gifv
 

ikfes

No, he forwarded the abuse message to me as it was from Hetzner.

I replied saying that was not me, and asked if he had any ideas.

He replied saying that since it's originating from port 9987 it's likely TS3. In the same message he asked if I used a cracked TS3 license and implied that there could be a backdoor or malicious code in it as well. He also said there had been previous customers with the same symptoms and those were running cracked TS3 servers as well.

I'll have to point out that even though it was rather obvious, he totally did not say or assume anything before I directly asked his opinion.
 