Nicochet
Guest
Hi everybody,
I have the following problem. In the last few days my recently installed Plesk started to be extremely slow in serving pages, mail, etc. After logging in and some investigation, I found through "netstat" several connections to remote servers on ports 6667 and 6669. I started to define a rule in the firewall to stop communication to those ports.
The thing is that I have very few clients, and the firewall has been set up from the beginning. I am behind a router (the public IP), and the only ports open are 80, 21, 8443, and 53. All other ports are closed. So it seems the connections are made from inside. The OS is CentOS 4.4, and it is a stand-alone server; I mean, there are no local users, nor other applications running on it.
After defining the new rule in the Plesk firewall, the connections have disappeared, except a "Syn Sent" to a foreign server through port 6667. Obviously, the connection never happens, because the rule is set to forbid outgoing connections to those ports (6667 and 6669), but I don't know how to eliminate that trojan or whatever it is. The process which tries to connect in that way is run by the apache user, and the command is "httpd -DSSL". Even when I reboot, that process is always trying to connect to 194.68.45.50 and 149.9.1.16 port 6667. I tried to kill the process which tried the connection, but it doesn't work.
Here are the "suspicious" lines shown by netstat:
tcp 0 1 192.168.0.1:33028 194.68.45.50:6667 SYN_SENT 5186/httpd -DSSL on (81,02/5/0)
tcp 0 1 192.168.0.1:33068 149.9.1.16:6667 SYN_SENT 5186/httpd -DSSL on (14,59/5/0)
It seems that the remote IP changes from time to time, but the process is always the same (5186).
Any ideas? Please, any help will be very useful.
Thanks in advance.
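
Added example, not part of the original post: a Python script that parses netstat lines in the format quoted above and groups, per PID, the connections a web server process has open to the ports named in the post (6667 and 6669). The list of web server process names, the two benign sample lines and the function name are assumptions made for this example.

```python
import re
from collections import defaultdict

IRC_PORTS = {6667, 6669}                   # ports named in the post
WEB_PROGS = {"httpd", "apache2", "nginx"}  # assumed web server process names

# Columns: proto recv-q send-q local remote state pid/program [timer]
LINE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+"
    r"\S+:(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_0-9]+)\s+"
    r"(?P<pid>\d+)/(?P<prog>.*?)"
    r"(?:\s+(?:on|off|keepalive|timewait)\s+\(.*\))?\s*$"
)

# Constructed sample: lines 2 and 3 are the ones quoted in the post,
# lines 1 and 4 are invented benign traffic for contrast.
SAMPLE = """\
tcp 0 0 192.168.0.1:80 203.0.113.7:51234 ESTABLISHED 5120/httpd off (0.00/0/0)
tcp 0 1 192.168.0.1:33028 194.68.45.50:6667 SYN_SENT 5186/httpd -DSSL on (81,02/5/0)
tcp 0 1 192.168.0.1:33068 149.9.1.16:6667 SYN_SENT 5186/httpd -DSSL on (14,59/5/0)
tcp 0 0 192.168.0.1:34100 198.51.100.9:25 ESTABLISHED 2750/qmail-remote off (0.00/0/0)
"""

def flag_web_to_irc(text, ports=IRC_PORTS):
    """Map (pid, command) -> sorted [(remote_ip, remote_port, state)] for
    connections a web server process has open to the watched ports."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m["rport"].isdigit():
            continue  # header, listener (remote port '*') or line without a PID
        words = m["prog"].split()
        if words and words[0] in WEB_PROGS and int(m["rport"]) in ports:
            hits[(int(m["pid"]), m["prog"])].add(
                (m["raddr"], int(m["rport"]), m["state"]))
    return {key: sorted(val) for key, val in hits.items()}

if __name__ == "__main__":
    for (pid, cmd), conns in flag_web_to_irc(SAMPLE).items():
        print(f"PID {pid} ({cmd}):")
        for ip, port, state in conns:
            print(f"  -> {ip}:{port} {state}")
```

A hit only identifies the PID: the command name netstat prints is taken from the process's own command line, which the process can overwrite, so on a live host the binary behind that PID (`/proc/<pid>/exe`, `/proc/<pid>/cwd`) is what confirms whether it is really the web server.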