I use ISPConfig Version 3.0.2.2 on Ubuntu 8.04 (2.6.24-28-server) on VMware VPS hosting. My problem is that a month ago I saw this in my netstat -tupan:
Code:
tcp 0 1 xxx.xxx.xxx.xxx:56021 72.47.252.146:7000 SYN_SENT 6096/crond
or the same with ESTABLISHED status. When I block this IP 72.47.252.146, I immediately receive a new connection from another IP. In my case I block a /16 with
Code:
iptables -I INPUT -s 64.13.0.0/255.255.0.0 -j DROP
How can I block this type of connection? Please help me.
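The post above shows why blocking by destination does not work here: the process reconnects to a different address within seconds, and a rule on INPUT does not touch a connection the server itself opens, because the SYN leaves through OUTPUT. The following is an added example (not the poster's rule set) that filters egress by the user who opens the connection rather than by destination. It assumes the process runs under the web server account, www-data on Ubuntu; that is an assumption, not something the thread establishes. If the process runs as root, an owner match on root would also cut legitimate traffic, and the machine needs to be rebuilt rather than firewalled.

```shell
#!/bin/sh
# Added example for this thread (not the poster's rules): egress filtering by
# originating user instead of by destination address. Assumption: the bot runs
# as www-data; adjust the user and the permitted ports to the host.

# Print the iptables commands for one user and a list of permitted TCP ports.
# Nothing is applied here; pipe the output to sh as root to install the rules.
build_egress_rules() {
    user=$1; shift
    # Chain name derived from the user name, e.g. www-data -> EGRESS_WWW_DATA.
    chain="EGRESS_$(printf '%s' "$user" | tr 'a-z-' 'A-Z_')"
    echo "iptables -N $chain"
    # Only packets that open a new connection are inspected; packets belonging
    # to connections that already exist never enter the chain.
    echo "iptables -A OUTPUT -p tcp -m state --state NEW -m owner --uid-owner $user -j $chain"
    for port in "$@"; do
        echo "iptables -A $chain -p tcp --dport $port -j RETURN"
    done
    # Log (rate limited) so blocked attempts show up in syslog, then reject
    # with a reset so the process fails at once instead of sitting in SYN_SENT.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain blocked: \""
    echo "iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset"
}

# Usage: let the web server user reach mail (25), HTTP and HTTPS only.
build_egress_rules www-data 25 80 443
```

The generated rules are printed rather than applied so they can be reviewed first; `build_egress_rules www-data 25 80 443 | sh` as root installs them. Every blocked attempt then appears in the kernel log with the prefix `EGRESS_WWW_DATA blocked:` together with the destination and the local port, which is the evidence the rest of the thread is looking for.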
Good morning,

This is my firewall configuration. I tried to block different IPs several times, but after every block, within 20-30 seconds, I receive a new connection. After that I tried to block only the port, and again after 20-50 seconds I receive a new connection on another port from a different IP. I don't have a working application on this port, but I still receive "SYN_SENT or ESTABLISHED 6096/crond". How can I investigate this? I have configured fail2ban, but there is nothing in the log. At this moment the status of the connection is
Code:
tcp 0 1 hosting.xxxxx.or:38785 xowii.com:5823 SYN_SENT 6096/crond

iptables.rules
Code:
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 953 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8989 -j ACCEPT
### BLOCK SUSPICIOUS IP LIST ###
-A INPUT -s 212.39.83.0/255.255.255.0 -j DROP
-A INPUT -s 205.186.0.0/255.255.0.0 -j DROP
-A OUTPUT -d 205.186.0.0/255.255.0.0 -j DROP
-A INPUT -s 64.13.252.0/255.255.255.0 -j DROP
-A OUTPUT -d 64.13.252.0/255.255.255.0 -j DROP
### END OF SUSPICIOUS IP LIST ###
-A INPUT -j DROP

This is netstat -tap
Code:
root@hosting:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      5168/amavisd (maste
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN      5808/master
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      26407/mysqld
tcp        0      0 localhost.localdo:11211 *:*                     LISTEN      12421/memcached
tcp        0      0 localhost.localdo:spamd *:*                     LISTEN      5315/spamd.pid
tcp        0      0 *:ftp                   *:*                     LISTEN      25251/pure-ftpd (SE
tcp        0      0 192.168.1.1:domain      *:*                     LISTEN      5111/named
tcp        0      0 hosting.xxxxxx.o:domain *:*                     LISTEN      5111/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN      5111/named
tcp        0      0 *:smtp                  *:*                     LISTEN      5808/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      5111/named
tcp        0      0 localhost.localdo:mysql localhost.localdo:55938 TIME_WAIT   -
tcp        0      0 localhost.localdo:55936 localhost.localdo:mysql TIME_WAIT   -
tcp        0      1 hosting.xxxxxx.or:38785 xowii.com:5823          SYN_SENT    6096/crond
tcp        0      0 localhost.localdo:55930 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55933 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:mysql localhost.localdo:46055 ESTABLISHED 26407/mysqld
tcp        0      0 hosting.xxxxx.org:smtp  221.234.9.46:4737       ESTABLISHED 27484/smtpd
tcp        0      0 localhost.localdo:46055 localhost.localdo:mysql ESTABLISHED 20291/amavisd (ch1-
tcp        0      0 localhost.localdo:55931 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55929 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55934 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55935 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55932 localhost.localdo:mysql TIME_WAIT   -
tcp        0      0 localhost.localdo:55937 localhost.localdo:mysql TIME_WAIT   -
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      5700/couriertcpd
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      5734/couriertcpd
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      5714/couriertcpd
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      5680/couriertcpd
tcp6       0      0 [::]:webcache           [::]:*                  LISTEN      789/apache2
tcp6       0      0 [::]:www                [::]:*                  LISTEN      789/apache2
tcp6       0      0 [::]:2929               [::]:*                  LISTEN      3021/sshd
tcp6       0      0 [::]:tproxy             [::]:*                  LISTEN      789/apache2
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      25251/pure-ftpd (SE
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      5111/named
tcp6       0      0 ip6-localhost:953       [::]:*                  LISTEN      5111/named
tcp6       0      0 [::]:https              [::]:*                  LISTEN      789/apache2
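The investigation the post asks for starts with two facts visible in the netstat listing. First, the "PID/Program name" column shows the name a process reports about itself, which any program can set; Ubuntu's cron daemon is /usr/sbin/cron (it appears under that path in the rkhunter output later in this thread), so a process calling itself "crond" is already a mismatch. Second, an outbound connection is the one whose local port is an ephemeral port (38785 here) rather than a port the server listens on. The script below is an added example, not code from the thread: it separates connections the host opened from connections it accepted, using the LISTEN ports as the dividing line, and then reads /proc/PID/exe, cwd and cmdline, which come from the kernel and cannot be changed by the process. The netstat sample it parses is constructed from the lines quoted in the thread; 10.0.0.5 stands in for the server's masked address.

```shell
#!/bin/sh
# Added triage example (not from the thread): separate connections the server
# itself opened from connections it accepted, then look behind the PID.

# Constructed sample in `netstat -tupan` format (numeric addresses). Remote
# addresses, ports and PIDs are the ones quoted in the thread; 10.0.0.5 is a
# stand-in for the server's own masked address.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      26407/mysqld
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5808/master
tcp        0      0 127.0.0.1:46055         127.0.0.1:3306          ESTABLISHED 20291/amavisd
tcp        0      0 10.0.0.5:25             221.234.9.46:4737       ESTABLISHED 27484/smtpd
tcp        0      1 10.0.0.5:38785          72.47.252.146:7000      SYN_SENT    6096/crond'

# Reads netstat text on stdin and prints "PID PROGRAM LOCAL FOREIGN STATE" for
# every connection that was initiated locally. Rule: a connection whose local
# port is one we LISTEN on was accepted from outside; anything else in
# ESTABLISHED or SYN_SENT to a non-loopback peer was opened by a local process.
outbound_connections() {
    awk '
        function port(addr,   n, a) { n = split(addr, a, ":"); return a[n] }
        function host(addr)         { sub(/:[^:]*$/, "", addr); return addr }
        $1 ~ /^tcp/ && $6 == "LISTEN" { listen[port($4)] = 1 }
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            if (host($5) ~ /^(127\.|\[?::1|(ip6-)?localhost)/) next
            n++; lcl[n] = $4; rmt[n] = $5; st[n] = $6; pp[n] = $7
        }
        END {
            for (i = 1; i <= n; i++) {
                if (port(lcl[i]) in listen) continue     # accepted, not opened
                split(pp[i], p, "/")
                printf "%s %s %s %s %s\n", p[1], p[2], lcl[i], rmt[i], st[i]
            }
        }'
}

# Show what the kernel knows about a PID. A "(deleted)" suffix on exe means the
# binary was removed from disk after it started, which is itself a finding.
inspect_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "  pid $pid: no /proc entry (process already gone)"
        return 0
    fi
    echo "  exe:     $(readlink "/proc/$pid/exe" 2>/dev/null || echo unreadable)"
    echo "  cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null || echo unreadable)"
    echo "  cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
}

# Usage on the sample; on the real host replace the printf with: netstat -tupan
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_connections |
while read -r pid prog laddr faddr state; do
    echo "$prog (pid $pid) opened $laddr -> $faddr [$state]"
    inspect_pid "$pid"
done
```

On the sample only the "crond" connection is reported; the smtpd session is dropped because its local port 25 is a listening port, and the amavisd session because its peer is loopback. Run it with `netstat -tupan` (numeric output) rather than `-tap` so hostnames do not hide the addresses. The exe and cwd links usually point straight at the dropped file and the web directory it was started from, which answers the question of which site it came in through; killing the process without removing that file and the script that launched it is why it comes back.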
Hello again,

First, thank you for the quick reply. I discovered that this process connects from my system to some kind of IRC. I searched for some kind of chat or IRC plugin on my web sites and I didn't find anything. I tried kill -9 on the process and for now I have killed it, but I don't know for how long. I will install chkrootkit. After I ran "chkrootkit", can you give me suggestions about this? I talked about this problem with my friends and they told me about mod_security. What do you think, is it a good idea to install mod_security with ISPConfig 3?
Code:
root@hosting:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets
eth1: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted

Code:
root@hosting:~# rkhunter -c -x
[ Rootkit Hunter version 1.3.0 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/which [ OK ]
/usr/bin/awk [ Warning ]
I think this is OK, but who knows.
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ Warning ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ Warning ]
/usr/bin/dpkg-query [ Warning ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ Warning ]
I think this is a standard Perl module. (I think.)
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
I think this is OK too.
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ Warning ]
Why is this marked with a warning?
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ Warning ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ Warning ]
I think this is OK, maybe.
/usr/bin/lwp-request [ Warning ]
And this.
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/unhide [ Warning ]
I can't find any info about this package, but people say it is OK.
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide-linux26 [ Warning ]
This too.

I can't find information about "/usr/bin/gawk". Do you have any idea?
Code:
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
I checked this:
Code:
root@hosting:/dev# cd .
./ ../ .initramfs/ .initramfs-tools .static/ .udev/
root@hosting:/dev# cd .
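The rkhunter file-properties warnings in the post above (awk, curl, dpkg, wget, sudo, gawk, unhide and the others) are verdicts against rkhunter's own stored properties database, which goes stale whenever a package upgrade replaces a binary; they do not by themselves say the files are tampered with. An independent reference is the checksum dpkg recorded when the package was installed. The script below is an added example, not part of the thread: it looks a path up in dpkg's per-package md5sums lists and compares the on-disk checksum with the recorded one. It assumes dpkg keeps those lists in /var/lib/dpkg/info/<package>.md5sums with lines of the form "<md5>  usr/bin/gawk" (path relative to /), and takes the info directory and the filesystem root as parameters so it can be exercised on a constructed copy, which the demonstration at the bottom does. For the hidden-directory warning, the /dev/.udev, /dev/.static and /dev/.initramfs entries listed at the end of the post are created by udev and the initramfs on Ubuntu of that generation; rkhunter's configuration has ALLOWHIDDENDIR entries for exactly these paths, which is the intended way to silence that warning once they have been confirmed to be the expected directories.

```shell
#!/bin/sh
# Added example (not from the thread): check a file rkhunter marked [ Warning ]
# against the checksum dpkg recorded at install time. Assumption: dpkg keeps
# one list per package in INFODIR/<package>.md5sums, lines "<md5>  <relative path>".

# verify_against_dpkg PATH [INFODIR] [ROOT]
# Exit status: 0 matches dpkg's checksum, 1 differs, 2 no package lists it or
# the file is missing. ROOT is prefixed to PATH when reading the file.
verify_against_dpkg() {
    file=$1
    infodir=${2:-/var/lib/dpkg/info}
    root=${3:-}
    rel=${file#/}
    if [ ! -f "$root$file" ]; then
        echo "MISSING   $file"
        return 2
    fi
    # Exact comparison on the path field; a grep pattern would treat the dots
    # in a path as wildcards.
    recorded=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$infodir"/*.md5sums 2>/dev/null)
    if [ -z "$recorded" ]; then
        echo "UNKNOWN   $file (no package lists it)"
        return 2
    fi
    actual=$(md5sum "$root$file" | cut -d' ' -f1)
    if [ "$recorded" = "$actual" ]; then
        echo "OK        $file"
        return 0
    fi
    echo "MODIFIED  $file (dpkg: $recorded, disk: $actual)"
    return 1
}

# Demonstration on a constructed package database in a temporary directory:
# one installed file with a matching checksum, then the same file after a change.
demo=$(mktemp -d)
mkdir -p "$demo/root/usr/bin" "$demo/info"
printf '#!/bin/sh\necho sample\n' > "$demo/root/usr/bin/sample-tool"
( cd "$demo/root" && md5sum usr/bin/sample-tool ) > "$demo/info/sample.md5sums"

verify_against_dpkg /usr/bin/sample-tool "$demo/info" "$demo/root"   # OK
printf 'echo extra\n' >> "$demo/root/usr/bin/sample-tool"
verify_against_dpkg /usr/bin/sample-tool "$demo/info" "$demo/root"   # MODIFIED
rm -rf "$demo"
```

On the real host the call is simply `verify_against_dpkg /usr/bin/gawk` with the defaults. A file that dpkg reports as OK but rkhunter flags is most likely a stale rkhunter database, and `rkhunter --propupd` refreshes it; a file dpkg reports as MODIFIED is the finding that matters and should be treated as such, not updated away. The check has a known limit: both the md5sums lists and dpkg itself live on the same disk, so a rootkit that altered them too would pass, which is why the dpkg and dpkg-query warnings in the post deserve the same comparison against a package file obtained from a clean mirror.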