Gareth Westwood
Basic Pleskian
Hi All,
First time posting here but long time user of plesk (15 years probably!!!)
CentOS 6.10
Plesk Onyx 17.5.3
Mainly hosting low traffic websites and some email (~60 subscriptions)
I was recently contacted by my VPS provider to say that an IP address allocated to my server has been performing port scans and that they have been contacted and asked to investigate.
I was not totally sure where to start but have gone through a few steps to try and isolate the issue. I'm wondering if anyone here can offer any further advice.
last, lastb and lastlog all look ok, so I don't think anyone has compromised a "proper" system account. who only shows my current login.
find / -perm -4000 -perm -2000 only shows one file, /usr/local/psa/handlers/hooks/check-quota. Not sure if that is supposed to have those permissions or not.
I ran top to see if anything was obviously wrong there. I couldn't see anything but did note two things. Firstly, the load average seems to be between 2 and 10, which seems really high; secondly, the CPU %us (from line 3 of top) is significantly higher than the top 10 or so process %CPU values. I'm not sure what I was expecting to see here, but I guess I thought that whatever is increasing my load average would be showing up here.
netstat -plunt is also looking fine; there are a few names I don't recognize (monit and master being the main two) but again nothing is jumping out at me as being wrong.
I ran find /var/www/vhosts -mtime -30 and found a couple of domains with "suspect" recently modified files, so I have disabled those two sites for now.
Last but not least, I have added some firewall rules to block inbound and outbound on port 22 other than from my office IP address and one other (backup) site. I am running watch iptables -L OUTPUT -v and I am seeing some packets hit the drop rule, so _something_ is trying to dial out.
What would you guys suggest as the next step in working out what is going on here? I guess there may be a way to work out which binary made the dropped packets, then work out which user ran the binary maybe?
Your thoughts would be appreciated!
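Added example (not the poster's commands) for the last question, attributing the dropped outbound port-22 packets to a local user: it assumes root has inserted an iptables LOG rule with --log-uid ahead of the existing DROP in OUTPUT, and then summarises the resulting syslog lines per user and destination. The log prefix, hostname, addresses, UIDs and account names below are all constructed for the example.

```shell
#!/bin/sh
# Assumed rule on the server (run as root), placed before the DROP rule:
#   iptables -I OUTPUT 1 -p tcp --dport 22 -j LOG --log-prefix "OUT-DROP: " --log-uid
# --log-uid makes the kernel record the UID of the process that generated
# each locally originated packet, which is the link from "dropped packet" to
# "which account", and from there (ps -u / lsof -u) to the binary.

# Constructed sample of the resulting /var/log/messages lines.
SAMPLE_LOG='Jun  3 10:15:02 host kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10005 GID=1001
Jun  3 10:15:03 host kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10005 GID=1001
Jun  3 10:15:04 host kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10005 GID=1001
Jun  3 10:16:10 host kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1300 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0 UID=48 GID=48
Jun  3 10:16:11 host kernel: OUT-DROP: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.44 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1301 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=0 RES=0x00 RST URGP=0'

# Constructed stand-in for /etc/passwd so this runs offline; on the real
# server pass "$(cat /etc/passwd)" instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
shopsite:x:10005:1001::/var/www/vhosts/shop.example.test:/bin/false'

# summarise_drops LOGTEXT PASSWDTEXT
# Prints "user destination count", busiest first. Lines without a UID= field
# (packets the kernel generated itself, e.g. the RST above) have no owning
# process and are skipped rather than misattributed.
summarise_drops() {
  {
    printf '%s\n' "$2" | sed 's/^/PW /'   # tag passwd lines for awk
    printf '%s\n' "$1"
  } | awk '
    /^PW / { split(substr($0, 4), f, ":"); name[f[3]] = f[1]; next }
    /OUT-DROP:/ {
      uid = ""; dst = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^UID=/) uid = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      if (uid == "") next
      owner = (uid in name) ? name[uid] : "uid:" uid
      count[owner " " dst]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k3,3nr
}

summarise_drops "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

On the real box, feed it with `summarise_drops "$(grep 'OUT-DROP:' /var/log/messages)" "$(cat /etc/passwd)"`; a subscription's system user at the top of the list points at the vhost (and, via ps -u that user, the process) doing the dialling out.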