The Community Forums


Named Tracking hit

Discussion in 'Security' started by keat63, Mar 9, 2016.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I've come in to work this morning to absolutely hundreds of these.

    Mar 9 09:27:28 xxxxxx kernel: [4030020.000033] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=54.77.18.96 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=1919 PROTO=UDP SPT=40446 DPT=53 LEN=68 UID=25 GID=25
    Mar 9 09:27:28 xxxxxx kernel: [4030020.000161] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=54.77.36.154 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=16401 PROTO=UDP SPT=48644 DPT=53 LEN=68 UID=25 GID=25

    From what I can gather unopened source ports on my server have been trying to connect to port 53 on servers elsewhere.
    But why??

    Incidentally, 99% of them seem to be going to 54.x.x.x
    IP Lookup would indicate Amazonaws
     
    #1 keat63, Mar 9, 2016
    Last edited: Mar 9, 2016
  2. keat63

    These are continuing every few minutes.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  4. keat63

    The difference between this and my earlier report is that this instance contains thousands of these entries.
     
  5. keat63

    I don't profess to understand any of this stuff, but I ran
    netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    It showed 3 results, one of which had 11 connections.
    I did a quick whois on the IP and it resolved back to CN, so I put a temporary block on CN in CSF.

    It's too early to say if this was the cause, but I was seeing these every 5 minutes. It's now been about 30 minutes since, and I'm still watching to see if another one hits.
     
  6. keat63

    I obviously spoke too soon as they are still coming in, however, not as frequent.
     
  7. keat63

    Thinking it might be some sort of DNS spoof, I checked recursive DNS, but this is reporting as OK.

    Good. Your nameservers (the ones reported by the parent server) do not report that they allow recursive queries for anyone.

    I'm stumped.
     
  8. keat63

    After spending countless hours, trying many ssh commands from untold forums etc., I think I may have found this.
    It seems that we have a CSF entry 54.77.0.0/16 in a vain attempt to block out some of these AmazonAWS things we keep seeing.
    I'm assuming that 54.77.x.x must also contain a number of DNS servers, and it's these servers that my DNS is unable to talk to because of the firewall rule.

    It makes sense I guess, so I removed the rule and will monitor for a few hours.
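An added example (not code from the thread) that checks the diagnosis in the post above: it parses the kernel "Firewall: *UDP_OUT Blocked*" lines, keeps only blocked outbound UDP/53 packets sent by uid 25 (assumed here to be the named user, as the thread's log lines suggest), and maps each destination to the csf.deny CIDR that covers it. The log lines and deny entries are constructed from the format shown in the thread; the source address is a placeholder.

```python
import re
import ipaddress
from collections import Counter

# KEY=VALUE pairs that follow the rule name in CSF/iptables kernel log lines.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_firewall_line(line):
    """Return the KEY=VALUE fields of a 'Firewall:' block line, or None if not one."""
    if "Firewall:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split("Firewall:", 1)[1]))
    return fields or None

def blocked_dns_by_dest(lines, named_uid="25"):
    """Count blocked outbound UDP/53 packets per destination for the resolver's uid.
    uid 25 is assumed to be named (bind) on this server, as in the thread's logs."""
    counts = Counter()
    for line in lines:
        f = parse_firewall_line(line)
        if f and f.get("PROTO") == "UDP" and f.get("DPT") == "53" and f.get("UID") == named_uid:
            counts[f["DST"]] += 1
    return counts

def matching_deny_entries(dests, deny_entries):
    """Map each destination to the first deny CIDR that contains it (None if none)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in deny_entries]
    return {d: next((str(n) for n in nets if ipaddress.ip_address(d) in n), None) for d in dests}

# Constructed sample log in the thread's format; 192.0.2.10 is a placeholder source.
SAMPLE_LOG = """\
Mar 9 09:27:28 host kernel: [4030020.000033] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=54.77.18.96 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=1919 PROTO=UDP SPT=40446 DPT=53 LEN=68 UID=25 GID=25
Mar 9 09:27:28 host kernel: [4030020.000161] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=54.77.36.154 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=16401 PROTO=UDP SPT=48644 DPT=53 LEN=68 UID=25 GID=25
Mar 9 09:28:01 host kernel: [4030053.000010] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=54.77.18.96 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=2001 PROTO=UDP SPT=51000 DPT=53 LEN=68 UID=25 GID=25
Mar 9 09:28:05 host kernel: [4030057.000020] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=2002 PROTO=UDP SPT=51001 DPT=123 LEN=68 UID=0 GID=0
""".splitlines()

# Constructed csf.deny contents; 54.77.0.0/16 is the entry the thread identified.
DENY_ENTRIES = ["54.77.0.0/16", "203.0.113.0/24"]

def report(lines=SAMPLE_LOG, deny_entries=DENY_ENTRIES):
    """Return {destination: (blocked_count, covering_deny_entry)} for resolver traffic."""
    counts = blocked_dns_by_dest(lines)
    hits = matching_deny_entries(counts, deny_entries)
    return {dst: (counts[dst], hits[dst]) for dst in counts}

if __name__ == "__main__":
    for dst, (n, entry) in report().items():
        print(f"{dst}: {n} blocked DNS queries, covered by deny entry {entry}")
```

Any destination that reports a covering entry is a remote nameserver the local resolver cannot reach because of that csf.deny line; a destination with None would point at a different cause.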
     