
[Resolved] Server blacklisted, cause: connecting to botnet controller.

Bjorn

Basic Pleskian
Hi,

Operating system: CentOS Linux 7.1.1503 (Core)
Currently used Plesk product: Plesk Onyx v17.5.3_build1705170317.16 os_CentOS 7
Installed mail server software: Postfix

CBL blacklisted our server because it noticed a connection (twice) to a botnet Command & Control.

"This was detected by a TCP connection from "our.server.ip" on port "36090" going to IP address "192.42.116.41" (the sinkhole) on port "80"."

Botnet C&C domain: c84c8098.com

My question:
Does Plesk have a server-wide DNS/proxy log for outgoing connections?
I have the data needed to check, but what is the best method to tackle this problem / find the malicious script?

Thanks, Bjorn
 
I have run maldet and Revisium, they both found 1 infected domain.
All is ok now.

I still would like to know how to monitor / log check outgoing connections, so I can be sure.
 
I still would like to know how to monitor / log check outgoing connections, so I can be sure.

You can use auditd to monitor outgoing connections, here's an example that describes how you could do it:
Finding short-lived TCP connections owner process

Or you could use a simple hack like this and run it in a screen session:
while true ; do lsof -i @192.42.116.41 -n >>192.42.116.41.txt ; sleep 0.2 ; done

This will check 5 times per second for connections to the IP 192.42.116.41 and list the process (and uid) that is doing it.
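The lsof loop above does the job, but it is worth seeing what lsof actually does under the hood, because the same join can be done from /proc without any extra tool. The script below is an added example for this thread, not code posted by anyone in it: it parses /proc/net/tcp (where the kernel lists every TCP socket with hex, host-byte-order addresses and the socket inode), walks /proc/<pid>/fd to map socket inodes to pids, and reports the uid, pid and command line behind any connection to the sinkhole address. The sample /proc/net/tcp content embedded in it is constructed for the example (a little-endian host, local 10.0.0.5:36090 talking to 192.42.116.41:80); the address 192.42.116.41 is the sinkhole quoted in the CBL notice. IPv6 (/proc/net/tcp6) is deliberately not handled.

```python
"""Attribute an outgoing TCP connection to a local process without lsof.

/proc/net/tcp lists each socket with hex-encoded, host-byte-order addresses
and the socket's inode; /proc/<pid>/fd/* symlinks read "socket:[INODE]".
Joining the two gives the pid (and uid) behind a connection to a remote IP.
"""
import os
import sys
import time

# TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp from a little-endian host (not captured
# from a real machine). Row 0: 10.0.0.5:36090 -> 192.42.116.41:80, established,
# uid 500, socket inode 123456. Row 1: a listener on 0.0.0.0:22, inode 7.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:8CFA 29742AC0:0050 01 00000000:00000000 00:00000000 00000000   500        0 123456 1 0000000000000000 20 4 30 10 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(field, byteorder):
    """'29742AC0:0050' -> ('192.42.116.41', 80). The IPv4 word is host-order."""
    ip_hex, port_hex = field.split(":")
    ip_bytes = int(ip_hex, 16).to_bytes(4, byteorder)
    return ".".join(str(b) for b in ip_bytes), int(port_hex, 16)


def parse_proc_net_tcp(text, byteorder=sys.byteorder):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": _decode_addr(fields[1], byteorder),
            "remote": _decode_addr(fields[2], byteorder),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def find_connections_to(entries, remote_ip):
    """Return the non-listening sockets whose peer is remote_ip (any port)."""
    return [e for e in entries
            if e["remote"][0] == remote_ip and e["state"] != "LISTEN"]


def inode_to_pid_map(proc="/proc"):
    """Walk /proc/<pid>/fd/* and map socket inodes to the owning pid.
    Reading other users' fd tables needs root; unreadable or vanished
    processes are simply absent from the result."""
    mapping = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                mapping[int(target[8:-1])] = int(pid)
    return mapping


def _cmdline(pid, proc):
    try:
        with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None


def who_is_talking_to(remote_ip, proc="/proc"):
    """Live lookup: connections to remote_ip with pid and command line attached."""
    with open(os.path.join(proc, "net", "tcp")) as f:
        hits = find_connections_to(parse_proc_net_tcp(f.read()), remote_ip)
    inodes = inode_to_pid_map(proc) if hits else {}
    for e in hits:
        e["pid"] = inodes.get(e["inode"])
        e["cmdline"] = _cmdline(e["pid"], proc) if e["pid"] else None
    return hits


if __name__ == "__main__":
    # Poll five times a second, like the lsof loop, and print every hit.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.42.116.41"
    while True:
        for hit in who_is_talking_to(target):
            print(time.strftime("%F %T"), hit["local"], "->", hit["remote"],
                  hit["state"], "uid", hit["uid"], "pid", hit["pid"], hit["cmdline"])
        time.sleep(0.2)
```

Run it as root (so every process's fd table is readable) with the sinkhole IP as the argument. Like the lsof loop, it is a sampler: a connection that opens and closes between two polls is missed, which is why the auditd approach linked above (a rule on the connect syscall) is the reliable option; the uid column of /proc/net/tcp is still the quickest pointer to which hosting account the malicious script runs under.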