Compromised site issue?
Hello
My server is being accused of allowing hacks to brute-force other servers.
php 820334 cortona 3u IPv4 43849405 0t0 TCP xxx.xxx.xxx.xxx:53047->192.151.xxx.xxx:80 (SYN_SENT)
php 820352 cortona 3u IPv4 43849621 0t0 TCP xxx.xxx.xxx.xxx:53059->192.151.xxx.xxx:80 (SYN_SENT)
But isn't it as if the doors are locked?
Any suggestions?
Allow incoming TCP ports
20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,26,3306
Allow outgoing TCP ports
20,21,22,25,37,43,53,80,110,113,443,587,873,2086,2087,2089,2703,993,465,3306
Allow incoming UDP ports
20,21,53,3306
Allow outgoing UDP ports
20,21,53,113,123,873,6277,3306
Thank you
Because the DST port is 80 it's allowed out. I don't recommend blocking that either, as it will cause problems. What you need to do is find a system administrator to examine running processes. You may be able to use things like netstat, tcpdump, or lsof, but this assumes the malicious activity is ongoing. Most likely clamav or maldet will also turn up your infected account(s) but it is no guarantee. But if the activity has ceased or is not constant this might be the best start.
Thank you very much for your reply. In the meantime, I work with shared servers. There are about 5,000 hosted websites, and this means that many will still be hacked to this end. Your suggestion is great if I had one site on the server, but not for shared servers, since hacks on sites will happen every day because security holes are discovered every day.
Hello, you may want to consider using a third-party application if manually handling this task is outside the scope of what you can do on your own. CloudLinux offers a new product you may find useful (with a free 30-day trial): Imunify360 - Keeps Your Web Servers Safe. Thank you.
I work in shared hosting too. Just because you see millions of inbound port 80 connections doesn't mean you can't find this from running processes. Connections OUT to port 80 are much more rare even with tons of users. If you cannot find this, find or hire someone who can. I don't say this to be rude. I really like companies like Sucuri or Site Lock if you cannot actively manage hacks yourself.