• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Resolved Server blacklisted, cause: connecting to botnet controller.

Bjorn

Bjorn

Basic Pleskian
Hi,

Operating system: CentOS Linux 7.1.1503 (Core)
Current used Plesk- Product: Plesk Onyx v17.5.3_build1705170317.16 os_CentOS 7
Depending installed mail - server software: Postfix

CBL blacklisted our server because it noticed a connection (twice) to a botnet Command & Control.

"This was detected by a TCP connection from "our.server.ip" on port "36090" going to IP address "192.42.116.41" (the sinkhole) on port "80"."

Botnet C&C domain: c84c8098.com

My question
Does Plesk have a server-wide DNS/proxy log for outgoing connections?
I have the needed data to check, but what is the best method to tackle this problem / find the malicious script.

Thanks, Bjorn
 
I have run maldet and Revisium, they both found 1 infected domain.
All is ok now.

I still would like to know how to monitor / log check outgoing connections, so i can be sure.
 
Bjorn said:
I still would like to know how to monitor / log check outgoing connections, so i can be sure.
Click to expand...

You can use auditd to monitor outgoing connections, here's an example that describes how you could do it:
Finding short-lived TCP connections owner process

Or you could use a simple hack like this and run it in a screen session:
while true ; do lsof -i @192.42.116.41 -n >>192.42.116.41.txt ; sleep 0.2 ; done

This will check 5 times per second for connections to the IP 192.42.116.41 and list the process (and uid) that is doing it.
 
You must log in or register to reply here.

Similar threads

Bjorn
Issue Microsoft mail servers keep blacklisting server IP
Replies
5
Views
3K
Bitpalast
Bitpalast
WebHostingAce
Input Magento 2 | Plesk | Varnish Setup in a Docker
Replies
1
Views
5K
WebHostingAce
WebHostingAce
danami
Input Warden Antispam & Virus Protection Extension for Plesk
6 7 8
Replies
149
Views
31K
danami
danami
danami
Resolved Juggernaut Security and Firewall Plesk Addon
4 5 6
Replies
114
Views
32K
danami
danami
L
Can't send through MailEnable
Replies
5
Views
14K
AndrewD
A
Back
Top