hi, i just ran nmap from my home computer on my server server1.example.com

Code:
Host is up (0.037s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
1022/tcp filtered exp2
1023/tcp filtered netvenuechat
1026/tcp filtered LSA-or-nterm
3306/tcp open     mysql
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap
9898/tcp filtered monkeycom

just the last one caught my eye. https://serverfault.com/questions/189144/what-is-monkeycom-on-port-9898 should i worry about this? also i am neither using the firewall service of my VPS provider Vultr nor the firewall provided by ispconfig when i reconfigure my service. just the UFW i guess. Appreciate your advice
ISPConfig is not running any service on this port. So either you installed a software which uses that port, or your system might have been hacked. Run the test script and post the result: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ so we get an overview of your system. You might also want to test the system with rkhunter and chkrootkit.
here is the htf_report.txt

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 10 (buster)
[INFO] uptime: 00:22:44 up 7 days, 14:15, 1 user, load average: 0.00, 0.08, 0.12
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:          996Mi       312Mi       145Mi       9.0Mi       539Mi       505Mi
Swap:         2.0Gi       1.6Gi       436Mi
[INFO] ISPConfig is installed.
[WARN] /usr/local/ispconfig/server/lib/config.inc.php is missing.

##### VERSION CHECK #####
[INFO] php (cli) version is 7.3.31-1~deb10u4
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.3.31

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[WARN] I could not determine which web server is running.
[WARN] I could not determine which mail server is running.
[WARN] I could not determine which pop3 server is running.
[WARN] I could not determine which imap server is running.
[WARN] I could not determine which ftp server is running.

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:993 (-)
[anywhere]:995 (-)
[localhost]:10023 (-)
[localhost]:10024 (-)
[localhost]:10025 (-)
[localhost]:10026 (-)
[localhost]:10027 (-)
[anywhere]:587 (-)
[localhost]:11211 (-)
[anywhere]:110 (-)
[anywhere]:143 (-)
[anywhere]:465 (-)
***.***.***.***:53 (-)
[localhost]:53 (-)
[anywhere]:21 (-)
[anywhere]:22 (-)
[localhost]:953 (-)
[anywhere]:25 (-)
[anywhere]:538 (-)
*:*:*:*::*:993 (-)
*:*:*:*::*:995 (-)
*:*:*:*::*:10023 (-)
*:*:*:*::*:10024 (-)
*:*:*:*::*:10026 (-)
*:*:*:*::*:3306 (-)
*:*:*:*::*:587 (-)
[localhost]10 (-)
[localhost]43 (-)
*:*:*:*::*:8080 (-)
*:*:*:*::*:80 (-)
*:*:*:*::*:8081 (-)
*:*:*:*::*:465 (-)
*:*:*:*::*:53 (-)
*:*:*:*::*:21 (-)
*:*:*:*::*:22 (-)
*:*:*:*::*:953 (-)
*:*:*:*::*:25 (-)
*:*:*:*::*:443 (-)

##### IPTABLES #####

##### LET'S ENCRYPT #####
Certbot is installed in /usr/bin/certbot
Ok, so netstat does not see a program on port 9898 and the output looks pretty normal. Except for "[anywhere]:538 (551/gdomap)", maybe you know what you installed there? This netstat result can either mean the program on port 9898 is not there (which would be good), or it's not there anymore, or it's hidden from netstat by a rootkit. You should try nmap again to see if it still finds that port. Then you should check your network setup, maybe there is a router in front of your server that has port 9898 open and redirected to another device, so that the program that listens on port 9898 is not on your server.
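One way to automate the comparison Till describes (what nmap sees from outside versus what the host itself reports as listening), as an added example that is not part of this thread. The nmap and `ss -tlnp` output embedded below is constructed for the demonstration, not the poster's real report:

```python
import re

# Constructed sample inputs (not the poster's real output): an external nmap
# scan and the server's own `ss -tlnp` listing, captured separately.
NMAP_OUTPUT = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp open     mysql
9898/tcp open     monkeycom
"""

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      511    *:80              *:*               users:(("apache2",pid=901,fd=4))
LISTEN 0      511    *:443             *:*               users:(("apache2",pid=901,fd=6))
LISTEN 0      128    [::]:3306         [::]:*            users:(("mysqld",pid=700,fd=20))
"""

def nmap_open_ports(text):
    """Return the set of TCP ports nmap reported as 'open' (filtered/closed ignored)."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.M)}

def ss_listening_ports(text):
    """Return {port: process name} for sockets the host itself reports as LISTEN."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        local = line.split()[3]                       # e.g. 0.0.0.0:22 or [::]:3306
        port = int(local.rsplit(":", 1)[1])
        proc = re.search(r'\("([^"]+)"', line)        # first process name, if shown
        ports[port] = proc.group(1) if proc else "-"
    return ports

def unexplained_ports(nmap_text, ss_text):
    """Ports reachable from outside but not bound by any process the host can see.
    A non-empty result is the case from the thread: something answers on the port
    (a hidden process, a tool patched by a rootkit, or a device/NAT in front of
    the server) and needs a closer look rather than being dismissed."""
    listening = ss_listening_ports(ss_text)
    return sorted(p for p in nmap_open_ports(nmap_text) if p not in listening)

if __name__ == "__main__":
    for port in unexplained_ports(NMAP_OUTPUT, SS_OUTPUT):
        print(f"port {port}/tcp is open externally but nothing local is listening on it")
```

On a real host, replace the two constants with the saved nmap output and the output of `ss -tlnp` run as root; if the port still shows up here, re-run nmap from the server against itself and from outside to tell a local hidden listener from an upstream device.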
thanks till, i don't do anything different over the many years of ISPConfig. As mentioned recently i ran a nodejs server in apache proxy mode. at the same time, i wanted to keep it running, so i used `pm2` for that purpose to keep nodejs running. i am not running it anymore, as required by the new client. Could this be a reason? i ran nmap again and found the monkeycom port still showing. also i ran `iftop` on the server to see if there is any suspicious activity, with my limited knowledge. i found two sites popping up frequently: love.explorethebest.com and petalbot*************.xxx. they are using very few bytes, so i guess i need not worry about them.