Lots of UDP traffic

[runtim23]

I got a warning from my hosting provider that my server has been compromised and they sent me a tcpdump snippet of outgoing UDP packets. All anti-virus and my plesk firewall has been removed. Yum repositories are empty so I can't reinstall from yum. I did reinstall the firewall module but it seems to have no effect on any traffic. I shutdown dns and apache but apache restarts itself and no matter what I do, tcpdump port 53 shows loads of udp traffic both incoming and outgoing. Netstat -ap shows no port 53 programs running. Any advice here? /tmp /tmp/var /tmp/spool/mail look clean even with ls -aofl

 

[runtim23]

Ok. I'm starting to think this isn't a virus or rootkit, but rather an open dns after experiencing the same problem on a different server. I ran a test online which confirmed this. I'm not sure how to close this. I am currently running both Plesk 9 and Plesk 11. I went to the template and added the localhost for recursion but it does not stop the traffic. Any help here?

 

[runtim23]

To anyone else that experiences a similar issue, I was able to fix this as documented across the web.

However, what I didn't know, is it might take several hours to see the change go into effect.

While I understand name servers cache
their records, I wasn't aware that recursive settings on named would also take time to go into effect.
Online tests also took 24 hours to reflect this.

Change the named.conf recursion setting. Plesk also has a button for recursion that should change the config.