Help, server has been compromised and i have no idea what to do

blackhole883
New to forums
Posts: 9
Joined: Fri Sep 11, 2015 4:43 am

Post by blackhole883 »

I am running CentOS 7.1 x64.

The only programs I have running are a TS3 server (as root; very likely it may be this but I don't know how to fix it, but I couldn't get it to work any other way)

and a custom Minecraft FTB server that I only put on 4 or so days ago (almost positive this is unrelated, as the reports in tickets from NFO admins went as far back as "2015-12-10").

So far I have changed the VNC password, performed a complete OS re-install, and fully scanned my own computer with multiple antivirus programs. I'm quite sure my own machine is secure, but I'm at my wits' end here. I honestly just don't know what to do.

Can anyone please help me?
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Post by soja »

Your server has been compromised how? How do you know it is compromised?
Not a NFO employee

Post by blackhole883 »

I can only assume. I can't find anything wrong, any abnormal programs (not that I would know what was normal in the first place),

but the NFO admins have forwarded multiple 'Abuse Reports' about the IP address my VPS uses:
We received an important abuse complaint about your service and have copied
the full complaint below.


> ---------- Forwarded message ----------
> From: Webiron Abuse Team <<removed>@abuse-reporting.webiron.com>
> Subject: Batched Abuse Report - Web and network reports for IP 70.42.74.92
> Date: Tue, 24 Nov 2015 14:51:06 -0700
> To: Abuse Department <abuse@internap.com>
>
>
> Hello!
>
>
> === You are receiving this e-mail in regard to abuse issues against our
> clients coming from the host at IP 70.42.74.92. ===
>
>
> --- Automated Message - To get a response or report issues with the reports,
> please see the contact info below. ---
>
> --- Report details are at the bottom of the e-mail. For web attacks see the
> "bot" links for more details about the attack. ----
>
>
> Webiron is a security service and this e-mail is being sent on behalf of our
> customers. We do not control how our clients configure their protection and
> as a result do not control how blocks and bans are generated.
>
>
> We are committed to providing useful information on abuse issues on behalf of
> our clients to help stop issues related to issues that seem to originate
> from within your network.
>
>
> We also understand and value your time and have built in queues to ensure
> these e-mails are informative and not overwhelming in volume.
>
>
> If you are responsible for abuse issues however the IP being reported does
> not belong to you, please open a ticket or email us to let us know of the
> error and we'll correct it as soon as possible. However if you're not and
> this reached you in error, please reply with the word REMOVE (in all caps) in
> the subject line and you will be placed on our "do not e-mail" list for
> abuse issues.
>
>
> Please note due to the retaliatory nature of attackers and the abundance of
> internet abuse havens out there, we do not give out the exact IP of our
> clients. If you require further assistance we will be more than happy to
> work with you. Just open a ticket or contact us with the details below.
>
>
> If you run a VPN, anonymizer service (like a TOR exit or proxy node), or
> business intelligence not contracted with the site owner, then we request
> that the abused range be blocked from your service. If it is being blocked,
> then it's at the right and choice of our clients to refuse access.
>
>
> Tor exit operators and/or upstream providers please see our guide on blocking
> traffic from exit nodes here:
> https://www.webiron.com/supporthome/vie ... nodes.html
>
>
> A little about our service. Our bans are very short (30s seconds to a few
> minutes depending on client configs) and removed automatically once abuse has
> stopped. We are a server protection solution designed to help
> administrators, enterprises and hosting services secure their end points and
> reduce SOC resources.
>
>
> Please feel free to send us your comments or responses. If you are inquiring
> for more information you must disclose the offending IP. To contact us via
> e-mail, use <support@webiron.com>, however if you require a ticket tracked
> response you can open one at https://www.webiron.com/abuse-soc-issues.html
>
>
> To be removed entirely from future reports reply to this e-mail with REMOVE
> (in all caps) in the subject line. Please note this will only stop the e-mail
> to the address the e-mail was sent to and public notices will remain as your
> abuse address will be listed on our abuse department blacklist. Blacklisted
> departments are listed online and flagged in our abuse Twitter notices. See:
> https://twitter.com/WebironBots
>
>
>
>
>
> ====== Tor: Please note as the abuse from Tor has gotten out of hand, we do
> not give free passes to abuse coming from Tor exits. See the leader board
> linked below for more details on the issue. ======
>
>
> --- We now report unresolved abuse after 3 days to Twitter @WebironBots ---
>
>
> --- View your public listings ---
>
>
> -- IP Address Listings --
>
> Abuse Feed: https://www.webiron.com/abuse_feed/70.42.74.92
>
> IP Lookup(Lists bots and other activity):
> https://www.webiron.com/iplookup/70.42.74.92
>
>
> -- Your Network/Department Listings --
>
> Top 100 Unresolved Abuse Leaderboard:
> https://www.webiron.com/abuse_leaderboard/
>
> Your Abuse E-Mail Listings:
> https://www.webiron.com/abuse_feed/abuse@internap.com
>
>
> --- Blacklist Warning ---
>
> Failure to handle abuse issues will increase your chances of ending up on our
> public Real-Time Abuse Response Blacklist (WARB)
>
>
> For further details on WARB see: https://www.webiron.com/warb.html
>
>
> ---------------------------------------------------
>
>
> *** Note *** - All times are in America/Phoenix (-07:00) as denoted in the
> time stamp as '-07:00' on the end.
>
>
> ---------------------------------------------------
>
>
>
> Unwanted and or Abusive Network Traffic:
>
> Offending/Source IP: 70.42.74.92
>
> - Time: 2015-11-24 12:25:00-07:00, Abused Range: 96.47.225.0/24, Port: 5925,
> Service: Unknown, Protocol: TCP, Connection Count: 3
>
> - Time: 2015-11-24 12:28:38-07:00, Abused Range: 96.47.225.0/24, Port: 5925,
> Service: Unknown, Protocol: TCP, Connection Count: 3
>
> - Time: 2015-11-24 12:32:28-07:00, Abused Range: 96.47.225.0/24, Port: 5925,
> Service: Unknown, Protocol: TCP, Connection Count: 3
>
> - Time: 2015-11-24 12:38:55-07:00, Abused Range: 96.47.225.0/24, Port: 5925,
> Service: Unknown, Protocol: TCP, Connection Count: 3
>
> - Time: 2015-11-24 12:48:50-07:00, Abused Range: 96.47.225.0/24, Port: 5925,
> Service: Unknown, Protocol: TCP, Connection Count: 3
>
> - Time: 2015-11-24 13:19:08-07:00, Abused Range: 96.47.225.0/24, Port: 5925,
> Service: Unknown, Protocol: TCP, Connection Count: 3
>
> - Time: 2015-11-24 14:51:03-07:00, Abused Range: 96.47.225.0/24, Port: 5925,
> Service: Unknown, Protocol: TCP, Connection Count: 3
>
>

Post by soja »

Use the contact info provided to get more detail if it is available. The info given in the bottom of that message doesn't mean much I don't think.
Not a NFO employee

Post by blackhole883 »

This was one of three of these reports, so something is obviously wrong; I just have no idea how to fix it.

Post by soja »

A third party company is providing the abuse reports. Without knowing the exact traffic that was captured I don't know if anyone can tell you exactly what to look for.
Not a NFO employee

Post by soja »

Have you received any abuse reports since your reinstall? The only hosts in that IP range with port 5925 open are VNC servers it looks like.
Not a NFO employee
TacTicToe
This is my homepage
Posts: 848
Joined: Fri Feb 18, 2011 1:08 pm
Location: USA

Post by TacTicToe »

Wipe the entire VDS and re-install the OS. Whatever is on there would be gone. Be careful with what you put on there in the future and whom you give access to.

Did you leave FTP service running on the server?
Edge100x
Founder
Posts: 13113
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Post by Edge100x »

That's a low-quality abuse report because it doesn't provide an actual traffic capture, tell us the destination IP address, or tell us both ports (it only gives one). It is very possible that they were seeing spoofed or reflected traffic. I recommend that you follow up with the party complaining and request better information.

Post by blackhole883 »

soja wrote:
> A third party company is providing the abuse reports. Without knowing the exact traffic that was captured I don't know if anyone can tell you exactly what to look for.

Are there any logs I can provide? Anything from the machine? Maybe something I could install that would give me information?

soja wrote:
> Have you received any abuse reports since your reinstall? The only hosts in that IP range with port 5925 open are VNC servers it looks like.

Yes, it's why I'm at my wits' end, actually.

[spoiler]

We have received another suspicious use report. Please take care of this.

To: abuse@internap.com
Cc: postmaster@scrc.umanitoba.ca
Subject: suspicious activity from IP address 70.42.74.92

Our systems logged the following suspicious activity from IP address
70.42.74.92 on your network. Log times are all in CST (UTC -0600).
Log entries have been truncated. Complete logs available on request.
Please investigate, as someone on your network seems to be trying to
probe one of our systems (at TCP port 5900-5909 - VNC). It is likely
that this activity is coming from a system that has been compromised.
See http://isc.sans.org/port.html?port=5900 for information on this port
and its known vulnerabilities.

Log entries from dave2.scrc.umanitoba.ca [140.193.42.123]:
Dec 6 05:54:59 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::54806
Dec 6 05:54:59 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::54806 (Authentication failure)
Dec 6 05:55:31 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::33688
Dec 6 05:55:32 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::33688 (Authentication failure)
Dec 6 05:56:04 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::40799
Dec 6 05:56:04 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::40799 (Authentication failure)
Dec 6 05:56:34 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::47912
Dec 6 05:56:35 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::47912 (Authentication failure)
Dec 6 05:57:07 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::55024
Dec 6 05:57:08 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::55024 (Authentication failure)
Dec 6 05:57:40 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::33902
Dec 6 05:57:41 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::33902 (Authentication failure)
Dec 6 05:58:11 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::41015
Dec 6 05:58:11 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::41015 (Authentication failure)
Dec 6 05:58:43 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 05:59:12 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::55239
Dec 6 05:59:13 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::55239 (Authentication failure)
Dec 6 05:59:43 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:00:12 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:00:45 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::48342
Dec 6 06:00:45 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::48342 (Authentication failure)
Dec 6 06:01:18 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:01:46 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:02:14 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:02:44 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:03:15 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:03:46 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::34548
Dec 6 06:03:47 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::34548 (Authentication failure)
Dec 6 06:04:16 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:04:47 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:05:19 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:05:50 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:06:19 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:06:51 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:07:20 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:07:49 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:08:16 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:08:45 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:09:16 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::56305
Dec 6 06:09:16 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::56305 (Authentication failure)
Dec 6 06:09:47 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:10:15 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:10:43 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:11:11 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:11:39 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:12:09 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:12:38 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:13:07 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:13:35 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:14:04 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:14:32 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:15:02 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:15:32 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:15:59 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:16:27 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:16:55 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:17:23 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:17:52 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:18:21 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:18:49 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:19:18 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:19:45 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:20:16 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::50303
Dec 6 06:20:16 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::50303 (Authentication failure)
Dec 6 06:20:45 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:21:15 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:21:42 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:22:11 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:22:40 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:23:08 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:23:37 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:24:06 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:24:35 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:25:03 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:25:34 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:26:03 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:26:32 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:27:01 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:27:32 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:27:59 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:28:27 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:28:58 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:29:26 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:29:57 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:30:26 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:30:55 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:31:23 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:31:55 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:32:23 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:32:53 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:33:24 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:33:53 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:34:21 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:34:51 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:35:22 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:35:51 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:36:19 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:36:49 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:37:19 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 06:37:51 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
...
Dec 6 11:38:47 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:39:15 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:39:42 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:40:13 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:40:41 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:41:12 dave2 vnc: Port: 5908, Connections: accepted: 70.42.74.92::35284
Dec 6 11:41:12 dave2 vnc: Port: 5908, Connections: closed: 70.42.74.92::35284 (Authentication failure)
Dec 6 11:41:43 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:42:11 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:42:38 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:43:06 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:43:32 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:44:06 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:44:37 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:45:09 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:45:36 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:46:12 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:46:41 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:47:09 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:47:36 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:48:03 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:48:32 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:48:59 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:49:30 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:50:01 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:50:28 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:50:55 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:51:24 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:51:53 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:52:21 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:52:50 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:53:18 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:53:47 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:54:18 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:54:45 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:55:14 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:55:45 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:56:13 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:56:42 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:57:11 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:57:38 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:58:09 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:58:37 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:59:06 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 11:59:36 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 12:00:03 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 12:00:32 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 12:01:00 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 12:01:28 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92
Dec 6 12:01:57 dave2 vnc: Port: 5908, Connections: blacklisted: 70.42.74.92

--
Gilles R. Detillieux E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/
Dept. of Physiology and Pathophysiology, Faculty of Health Sciences,
Univ. of Manitoba Winnipeg, MB R3E 0J9 (Canada)
[/spoiler]
TacTicToe wrote:
> Wipe the entire VDS and re-install the OS. Whatever is on there would be gone. Be careful with what you put on there in the future and whom you give access to.

I did this before about-- wait, oh geez, I'm really sorry guys and I feel really embarrassed, but I did JUST look at the dates and realized the most recent incident report I received was a few days before my full wipe and OS re-install, so it's very likely that my machine doesn't have anything on it currently. Again, I'm really sorry, but thank you all for your time.
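
The date check that settled this thread, as an added example (not code from any poster or from NFO): it parses VNC log lines in the format of the report quoted above, counts sessions that were accepted and then closed with an authentication failure (the server logs these only after a TCP connection from that address was established), and reports whether any entry is newer than the reinstall. The sample lines, the 192.0.2.10 documentation address, the year and the reinstall time are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the VNC log in the abuse report.
# 192.0.2.10 is a documentation address standing in for the reported IP.
SAMPLE_LOG = """\
Dec 6 05:54:59 dave2 vnc: Port: 5908, Connections: accepted: 192.0.2.10::54806
Dec 6 05:54:59 dave2 vnc: Port: 5908, Connections: closed: 192.0.2.10::54806 (Authentication failure)
Dec 6 05:55:31 dave2 vnc: Port: 5908, Connections: accepted: 192.0.2.10::33688
Dec 6 05:55:32 dave2 vnc: Port: 5908, Connections: closed: 192.0.2.10::33688 (Authentication failure)
Dec 6 05:58:43 dave2 vnc: Port: 5908, Connections: blacklisted: 192.0.2.10
Dec 6 05:59:12 dave2 vnc: Port: 5908, Connections: accepted: 192.0.2.10::55239
Dec 6 05:59:13 dave2 vnc: Port: 5908, Connections: closed: 192.0.2.10::55239 (Authentication failure)
Dec 6 05:59:43 dave2 vnc: Port: 5908, Connections: blacklisted: 192.0.2.10
Log entries have been truncated.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vnc: "
    r"Port: (?P<port>\d+), Connections: (?P<event>accepted|closed|blacklisted): "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:::(?P<sport>\d+))?"
    r"(?: \((?P<reason>[^)]*)\))?\s*$"
)


def triage(log_text, year, remediated_at):
    """Summarise a VNC abuse-report log and compare it with a remediation time.

    Syslog timestamps carry no year, so the caller supplies it. remediated_at
    must be expressed in the same timezone as the log (the report states CST).
    """
    events = Counter()
    open_sessions = {}   # (ip, source port) -> time the connection was accepted
    auth_failures = []   # sessions accepted and then closed with an auth failure
    timestamps = []
    unparsed = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # e.g. the "truncated" notice or "..." marker
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        timestamps.append(when)
        events[m["event"]] += 1
        key = (m["ip"], m["sport"])
        if m["event"] == "accepted":
            open_sessions[key] = when
        elif m["event"] == "closed" and key in open_sessions:
            del open_sessions[key]
            if m["reason"] == "Authentication failure":
                auth_failures.append(when)
    return {
        "events": dict(events),
        "completed_sessions_with_auth_failure": len(auth_failures),
        "first_seen": min(timestamps) if timestamps else None,
        "last_seen": max(timestamps) if timestamps else None,
        "events_after_remediation": sum(t >= remediated_at for t in timestamps),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    # Hypothetical reinstall time; replace with the real one from your records.
    reinstall = datetime(2015, 12, 9, 0, 0, 0)
    for field, value in triage(SAMPLE_LOG, 2015, reinstall).items():
        print(f"{field}: {value}")
```

A result of zero for `events_after_remediation` means every reported entry predates the reinstall, which is the situation the original poster found once the dates were compared.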