massofclay
Guest
A little back story. I have been placed in charge of a backup network solutions VPS that was recently responsible for sending out UDP attacks originating from an HTTP. The server was shut down. When it was brought back up, I cleared out every domain and site. A couple of hours later the server started sending out Cron Daemon emails with messages such as this:
ERROR: Dr.Web (R) Updater: remote host update.fr1.drweb.com closed connection variant () !
Dr.Web (R) update details:
Update server: http://update.fr1.drweb.com/unix/500
Update has begun at Tue Mar 13 17:00:05 2012
Update has finished at Tue Mar 13 17:01:20 2012
Following files has been updated:
/var/drweb/bases/drwtoday.vdb
/var/drweb/updates/timestamp
This happens every 30 minutes or so.
On top of that I got this message over the weekend.
nsProtect Safe service for http://****.com
Term: 2 year(s)
Expiration Date: 2014-06-05
nsProtect™ Safe reported the following at Mon Mar 12 01:11:53 EDT 2012:
From monitoring location at Herndon, VA USA,
site is DOWN
I replaced the domain with "*". Odd thing is, that domain doesn't even belong to this company anymore.
I am not a server admin so most of this is pretty foreign, actually all of this is pretty foreign. I have done a couple of days' worth of research so I am aware that cron is an antivirus, but other than that I don't get why this is happening and if it means the earlier intrusion did more than get on an http.
Any suggestions would be great,
Clay