Jesse Fitzgerald
New Pleskian
Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
CentOS release 6.8 (Final)
Plesk Onyx Version 17.0.17
Greetings. Strange occurrence... Since I upgraded to Onyx from Plesk 12 last week, the autoupdater cannot connect to 8447. The Onyx upgrade worked perfectly BTW. I AM ABLE to open 8447 on another remote honeypot IP with no problem. I can verify this with curl and nmap. I also get the same findings from my desktop computer at home and using an online port tester such as http://www.yougetsignal.com/tools/open-ports/ . Only since the update. I stopped iptables and turned the intrusion detection stuff on our firewall off to troubleshoot as well. I have verified that this is not our firewall intervening on the egress via packet analysis. I tacked that on the end of the message for you to see.
nmap for 8447 to autoinstall.plesk.com and portquiz.net:
[root@speedbird etc]# nmap -p 8447 portquiz.net
Starting Nmap 5.51 ( http://nmap.org ) at 2017-02-04 20:55 CST
Nmap scan report for portquiz.net (178.33.250.62)
Host is up (0.027s latency).
rDNS record for 178.33.250.62: electron.positon.org
PORT STATE SERVICE
8447/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
[root@speedbird etc]# nmap -p 8447 autoinstall.plesk.com
Starting Nmap 5.51 ( http://nmap.org ) at 2017-02-04 21:19 CST
Nmap scan report for autoinstall.plesk.com (37.235.107.44)
Host is up (0.0014s latency).
rDNS record for 37.235.107.44: dallas-20.cdn77.com
PORT STATE SERVICE
8447/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
Results verified using curl with remote honeypot and then our plesk server:
[root@speedbird etc]# curl portquiz.net:8447
Port 8447 test successful!
Your IP: 72.249.135.2
[root@speedbird etc]# curl autoinstall.plesk.com:8447
curl: (7) couldn't connect to host
When I did a packet analysis at our firewall, this is what I see for the failed connection from the CURL attempt, so there are no IDP or firewall rules being triggered. Nothing to see here.
Egress packet data from firewall from failed curl connection attempt above:
Ethernet Header
Ether Type: IP(0x800), Src=[00:17:c5:69:ca:11], Dst=[00:d0:03:a5:3c:0a]
IP Packet Header
IP Type: TCP(0x6), Src=[72.249.135.2], Dst=[37.235.107.44]
TCP Packet Header
TCP Flags = [SYN,], Src=[60802], Dst=[8447], Checksum=0x3f7e
Application Header
Not Known
Value:[0]
Forwarded 0:0)
As an aside... 8447 is open locally to ingress traffic.
[root@speedbird etc]# netstat -natp | grep :8447
tcp 0 0 :::8447 :::* LISTEN 25460/autoinstaller
Thanks for any help you can impart!
Kind regards,
Jesse
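The comparison the post makes by hand (a control host versus the update server on the same port) can be scripted; the following is an added example, not part of the original post, and the names probe_tcp, verdict and loopback_demo are hypothetical. It labels a connect attempt with nmap's open/closed/filtered vocabulary and interprets the pair of results.

```python
import errno
import socket

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt using nmap's port-state vocabulary."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns-failure"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"          # SYN/ACK received, handshake completed
    except ConnectionRefusedError:
        return "closed"        # RST received: host reachable, nothing listening
    except socket.timeout:
        return "filtered"      # SYN sent, no reply at all (silent drop)
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # ICMP unreachable or no route
        raise
    finally:
        sock.close()

def verdict(control_state, target_state):
    """Interpret a control-host probe against a target-host probe on the same port."""
    if "dns-failure" in (control_state, target_state):
        return "fix name resolution first"
    if target_state == "open":
        return "target reachable"
    if target_state == "closed":
        return "target answers with RST: reachable, but no service on that port"
    if control_state in ("open", "closed"):
        return "SYNs on this port leave this network; the drop is specific to the target's address or path"
    return "port dropped for both destinations: suspect local or upstream egress filtering"

def loopback_demo():
    """Constructed offline check: a local listener is 'open', the same port after close is 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    listener.close()
    return while_open, probe_tcp("127.0.0.1", port)

if __name__ == "__main__":
    print(loopback_demo())
    # With network access, compare the two hosts from the post:
    # print(verdict(probe_tcp("portquiz.net", 8447), probe_tcp("autoinstall.plesk.com", 8447)))
```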