
How to deal with unknown outbound ftp-traffic

Noturns

Regular Pleskian
According to my server logs, I have some unattended outbound or inbound FTP traffic on my server which should not be there.

Code:
May 20 17:20:34 vps2 proftpd[24091]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:21:31 vps2 xinetd[1480]: START: ftp pid=27685 from=::ffff:xx.xx.xx.xx
May 20 17:21:33 vps2 proftpd[27685]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:22:31 vps2 xinetd[1480]: START: ftp pid=28209 from=::ffff:xx.xx.xx.xx
May 20 17:22:33 vps2 proftpd[28209]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:23:31 vps2 xinetd[1480]: START: ftp pid=28719 from=::ffff:xx.xx.xx.xx
May 20 17:23:33 vps2 proftpd[28719]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:24:31 vps2 xinetd[1480]: START: ftp pid=29236 from=::ffff:xx.xx.xx.xx
May 20 17:24:34 vps2 proftpd[29236]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:25:31 vps2 xinetd[1480]: START: ftp pid=29737 from=::ffff:xx.xx.xx.xx
May 20 17:25:33 vps2 proftpd[29737]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:26:32 vps2 xinetd[1480]: START: ftp pid=30253 from=::ffff:xx.xx.xx.xx
May 20 17:26:34 vps2 proftpd[30253]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:27:31 vps2 xinetd[1480]: START: ftp pid=30763 from=::ffff:xx.xx.xx.xx
May 20 17:27:31 vps2 proftpd[30763]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session opened.
May 20 17:27:33 vps2 proftpd[30763]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.
May 20 17:28:31 vps2 xinetd[1480]: START: ftp pid=31271 from=::ffff:xx.xx.xx.xx
May 20 17:28:33 vps2 proftpd[31271]: 127.0.0.1 (xx.xx.xx.xx[xx.xx.xx.xx]) - FTP session closed.

I noticed multiple PIDs in the logs. It looks like the script is blocked because the FTP session is closed after a few seconds. I'm pretty sure that we have white-listed all two trusted IP addresses. We also checked Fail2Ban, and that IP address xx.xx.xx.xx is not listed there.

Update:
I have removed a subscription of a previous customer of ours. The server logs now state the following command:
Code:
May 20 17:51:32 vps2 sshd[7725]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
May 20 17:51:32 vps2 sshd[7725]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

As a temporary precaution I have added a rule in my firewall to block that IP address.

I would like to know what script is causing this and how to approach this situation.
How can I trace proftpd or xinetd, or find a string in a batch script?

Here are my server specs:
Version Plesk v12.5.30_build1205150826.19
OS CentOS 6.7 (Final)
 
Back
Top
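An added example, not code from the post or from Plesk: a small Python parser over log lines modelled on the ones above that pairs each xinetd `START: ftp pid=N` with the proftpd `FTP session closed` line for the same pid, computes session length and the gap between connections per source address, and flags addresses that reconnect on a near-fixed interval with short sessions. The sample log is constructed (the masked xx.xx.xx.xx is replaced by a documentation-range address, a second non-periodic client is added as a negative case, and the year is assumed because syslog stamps carry none). What it highlights is the thing worth noticing in the post's log: a connection every 60 seconds, at the :31 mark, lasting about 2 seconds, which is how a cron-driven or retrying script looks rather than a person using an FTP client.

```python
import re
import statistics
from datetime import datetime

# Constructed sample log, modelled on the xinetd/proftpd lines in the post.
# xx.xx.xx.xx -> 203.0.113.5 (RFC 5737 documentation range); 198.51.100.9 is an
# added, non-periodic client so the detector has a negative case to ignore.
SAMPLE_LOG = """\
May 20 17:21:31 vps2 xinetd[1480]: START: ftp pid=27685 from=::ffff:203.0.113.5
May 20 17:21:33 vps2 proftpd[27685]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - FTP session closed.
May 20 17:22:31 vps2 xinetd[1480]: START: ftp pid=28209 from=::ffff:203.0.113.5
May 20 17:22:33 vps2 proftpd[28209]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - FTP session closed.
May 20 17:23:31 vps2 xinetd[1480]: START: ftp pid=28719 from=::ffff:203.0.113.5
May 20 17:23:33 vps2 proftpd[28719]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - FTP session closed.
May 20 17:23:40 vps2 xinetd[1480]: START: ftp pid=28800 from=::ffff:198.51.100.9
May 20 17:24:31 vps2 xinetd[1480]: START: ftp pid=29236 from=::ffff:203.0.113.5
May 20 17:24:34 vps2 proftpd[29236]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - FTP session closed.
May 20 17:25:31 vps2 xinetd[1480]: START: ftp pid=29737 from=::ffff:203.0.113.5
May 20 17:25:33 vps2 proftpd[29737]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - FTP session closed.
May 20 17:26:32 vps2 xinetd[1480]: START: ftp pid=30253 from=::ffff:203.0.113.5
May 20 17:26:34 vps2 proftpd[30253]: 127.0.0.1 (203.0.113.5[203.0.113.5]) - FTP session closed.
May 20 17:31:02 vps2 proftpd[28800]: 127.0.0.1 (198.51.100.9[198.51.100.9]) - FTP session closed.
"""

# xinetd announces the accepted connection; the pid it reports is the proftpd pid.
START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ xinetd\[\d+\]: "
    r"START: ftp pid=(?P<pid>\d+) from=(?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)$"
)
CLOSE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[(?P<pid>\d+)\]: "
    r".*FTP session closed\.$"
)


def parse_ts(stamp, year=2016):
    """Syslog stamps carry no year; the year is an assumption (2016 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_sessions(log_text):
    """Pair each xinetd START with the proftpd 'session closed' line for the same pid.

    Returns a list of dicts (ip, pid, start, end, duration_s) sorted by start time;
    a START that never closes is kept with end/duration_s set to None.
    """
    open_by_pid = {}
    sessions = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            open_by_pid[m["pid"]] = {"ip": m["ip"], "pid": int(m["pid"]),
                                     "start": parse_ts(m["ts"]),
                                     "end": None, "duration_s": None}
            continue
        m = CLOSE_RE.match(line)
        if m and m["pid"] in open_by_pid:
            s = open_by_pid.pop(m["pid"])
            s["end"] = parse_ts(m["ts"])
            s["duration_s"] = (s["end"] - s["start"]).total_seconds()
            sessions.append(s)
    sessions.extend(open_by_pid.values())
    return sorted(sessions, key=lambda s: s["start"])


def find_periodic_clients(sessions, min_sessions=5, max_jitter_s=2.0, max_duration_s=10.0):
    """Flag source IPs that reconnect on a near-fixed interval and hang up quickly.

    Every gap between consecutive connections must sit within max_jitter_s of the
    median gap, and no completed session may last longer than max_duration_s.
    """
    by_ip = {}
    for s in sessions:
        by_ip.setdefault(s["ip"], []).append(s)
    flagged = {}
    for ip, sess in by_ip.items():
        if len(sess) < min_sessions:
            continue
        starts = [s["start"] for s in sess]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        durations = [s["duration_s"] for s in sess if s["duration_s"] is not None]
        interval = statistics.median(gaps)
        if (max(abs(g - interval) for g in gaps) <= max_jitter_s
                and durations and max(durations) <= max_duration_s):
            flagged[ip] = {"sessions": len(sess), "interval_s": interval,
                           "max_duration_s": max(durations),
                           "first": starts[0], "last": starts[-1]}
    return flagged


if __name__ == "__main__":
    for ip, info in find_periodic_clients(parse_sessions(SAMPLE_LOG)).items():
        print(f"{ip}: {info['sessions']} sessions every ~{info['interval_s']:.0f}s, "
              f"each <= {info['max_duration_s']:.0f}s, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

To use it on a real box, replace SAMPLE_LOG with the contents of whichever syslog file carries the xinetd and proftpd lines on your system and call the two functions in the same order. The flagged source address is the lead: if it is one of the two white-listed hosts, the script to look for runs on that host (a scheduled job that connects once a minute is the natural suspect); if it is not, the firewall rule already in place is the right interim control and the login name proftpd records for those sessions, once logging is verbose enough to show it, tells you which account the client is trying.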