Hello all. Today I saw on the nginx log (engintron v1.11.0, Nginx version: 1.16.1) the following activity (selection from repeated entries):
Code:
2019/08/20 09:21:16 [error] 28301#28301: *1406858 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/static/cpt2.bin HTTP/1.1", upstream: "http://203.205.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/static/cpt2.bin", host: "down.qq.com"
2019/08/20 10:21:04 [error] 28307#28307: *1421185 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/dynamic_ver/20190820/2.6.2008.20400.bin HTTP/1.1", upstream: "http://203.205.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/dynamic_ver/20190820/2.6.2008.20400.bin", host: "down.qq.com"
2019/08/20 10:21:09 [error] 28308#28308: *1421220 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/dynamic/20190820.bin HTTP/1.1", upstream: "http://203.20x.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/dynamic/20190820.bin", host: "down.qq.com"
2019/08/20 17:23:37 [error] 28307#28307: *1520077 client intended to send too large body: 4294967295 bytes, client: ::ffff:176.58.xxx.xxx, server: localhost, request: "GET /msdn.cpp HTTP/1.1", host: "144.76.xxx.xxx0"
As far as I understand, the attempts to send the file were unsuccessful. Is there any way to track down the process that triggered this action and eliminate it? Is it possible that the server is infected? As a precaution I enabled the country block from the firewall (cPHulk).
Server details
/etc/redhat-release:CentOS Linux release 7.6.1810 (Core)
/usr/local/cpanel/version:11.82.0.9
/var/cpanel/envtype:standard
CPANEL=release
Any help would be appreciated.
Thank you
UPDATE: Performed a scan with ClamAV and found several infections in an account's emails. Deleted them and I'll keep watching the log files.
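The log lines in the post show two patterns a defender wants to separate from ordinary errors: proxied requests whose Host header names a domain the server does not serve (here down.qq.com, with nginx trying an upstream that is not the local Apache on 127.0.0.1), and a GET carrying a Content-Length of 4294967295 bytes, which is the "too large body" entry. The following parser and classifier is an added example written for this thread, not code from the poster, cPanel or Engintron; it assumes the nginx error-log format of the entries above, a constructed OWN_HOSTS set of domains the server legitimately serves, and sample lines constructed to mirror the post (addresses masked as there).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the entries in the post; the third line is a
# benign local proxy error added for contrast (assumed, not from the post).
SAMPLE_LOG = """\
2019/08/20 09:21:16 [error] 28301#28301: *1406858 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/static/cpt2.bin HTTP/1.1", upstream: "http://203.205.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/static/cpt2.bin", host: "down.qq.com"
2019/08/20 17:23:37 [error] 28307#28307: *1520077 client intended to send too large body: 4294967295 bytes, client: ::ffff:176.58.xxx.xxx, server: localhost, request: "GET /msdn.cpp HTTP/1.1", host: "144.76.xxx.xxx0"
2019/08/20 18:00:00 [error] 28307#28307: *1520100 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:10.0.0.5, server: localhost, request: "GET /index.php HTTP/1.1", upstream: "http://127.0.0.1:8080/index.php", host: "example.com"
"""

# Hostnames this server actually serves (assumption for the example; fill in your own).
OWN_HOSTS = {"example.com", "www.example.com", "localhost"}

# nginx error-log header: "<date> <time> [<level>] <pid>#<tid>: *<connection> <rest>"
HEADER_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) (?P<rest>.*)$'
)
# Trailing context fields: ", key: value" where value is quoted or runs to the next comma.
FIELD_RE = re.compile(
    r', (?P<key>client|server|request|upstream|host): (?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]+))'
)
BODY_RE = re.compile(r'client intended to send too large body: (?P<size>\d+) bytes')

@dataclass
class Entry:
    timestamp: str
    level: str
    connection: str
    message: str          # free-text part before the ", client:" context fields
    fields: Dict[str, str]

def parse_line(line: str) -> Optional[Entry]:
    """Split one error-log line into its header, message and context fields."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    fields: Dict[str, str] = {}
    first_field = None
    for fm in FIELD_RE.finditer(rest):
        if first_field is None:
            first_field = fm.start()
        fields[fm.group("key")] = (
            fm.group("quoted") if fm.group("quoted") is not None else fm.group("bare")
        )
    message = rest if first_field is None else rest[:first_field]
    return Entry(m.group("ts"), m.group("level"), m.group("conn"), message, fields)

def is_local_upstream(upstream: str) -> bool:
    """True when the upstream URL points at this machine (the normal Engintron case)."""
    m = re.match(r'https?://(\[[^\]]+\]|[^/:]+)', upstream)
    if not m:
        return False
    host = m.group(1).strip("[]")
    return host in {"localhost", "::1"} or host.startswith("127.")

def classify(entry: Entry, own_hosts=OWN_HOSTS) -> List[str]:
    """Return the suspicious traits of one entry (empty list means nothing notable)."""
    findings: List[str] = []
    host = entry.fields.get("host", "")
    bare_host = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    if bare_host and bare_host not in own_hosts:
        findings.append("foreign_host")          # Host header names a domain we do not serve
    upstream = entry.fields.get("upstream")
    if upstream and not is_local_upstream(upstream):
        findings.append("non_local_upstream")    # nginx tried to reach a third-party backend
    bm = BODY_RE.search(entry.message)
    if bm:
        # 2**32 - 1 as a Content-Length on a GET is a bogus header, not a real upload
        size = int(bm.group("size"))
        findings.append("bogus_content_length" if size >= 2**31 else "large_body")
    return findings

def scan(log_text: str, own_hosts=OWN_HOSTS) -> List[dict]:
    """Run classify() over a log and report only the entries with findings."""
    report = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry, own_hosts)
        if findings:
            report.append({
                "timestamp": entry.timestamp,
                "client": entry.fields.get("client"),
                "host": entry.fields.get("host"),
                "request": entry.fields.get("request"),
                "findings": findings,
            })
    return report

if __name__ == "__main__":
    for item in scan(SAMPLE_LOG):
        print(item)
```

Run it against /var/log/nginx/error.log with OWN_HOSTS filled in; entries tagged foreign_host plus non_local_upstream are requests that used the server as a relay toward someone else's domain, which is a configuration question (what the proxy does with an unknown Host header) rather than a sign that a local process initiated them, while bogus_content_length entries are client-side noise that nginx already rejected.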