Server trying to upload binary files?

gas75 (Registered, Aug 20, 2019, Greece; cPanel Access Level: Root Administrator)
Hello all. Today I saw in the nginx log (engintron v1.11.0, Nginx version: 1.16.1) the following activity (a selection from repeated entries):

Code:
2019/08/20 09:21:16 [error] 28301#28301: *1406858 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/static/cpt2.bin HTTP/1.1", upstream: "http://203.205.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/static/cpt2.bin", host: "down.qq.com"
2019/08/20 10:21:04 [error] 28307#28307: *1421185 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/dynamic_ver/20190820/2.6.2008.20400.bin HTTP/1.1", upstream: "http://203.205.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/dynamic_ver/20190820/2.6.2008.20400.bin", host: "down.qq.com"
2019/08/20 10:21:09 [error] 28308#28308: *1421220 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/dynamic/20190820.bin HTTP/1.1", upstream: "http://203.20x.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/dynamic/20190820.bin", host: "down.qq.com"
2019/08/20 17:23:37 [error] 28307#28307: *1520077 client intended to send too large body: 4294967295 bytes, client: ::ffff:176.58.xxx.xxx, server: localhost, request: "GET /msdn.cpp HTTP/1.1", host: "144.76.xxx.xxx0"
As far as I understand, the attempts to send the file were unsuccessful. Is there any way to track down the process that triggered this action and eliminate it? Is it possible that the server is infected? As a precaution I enabled the country block from the firewall (cPHulk).

Server details
/etc/redhat-release:CentOS Linux release 7.6.1810 (Core)
/usr/local/cpanel/version:11.82.0.9
/var/cpanel/envtype:standard
CPANEL=release

Any help would be appreciated.
Thank you

**UPDATE: Performed a scan with ClamAV and found several infections in an account's emails. Deleted them and I'll keep watching the log files.
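A note on reading these entries, with an added triage script that is not part of the original post. In the nginx error-log format, `client:` is the remote peer that sent the request, `host:` is the Host header it supplied, and `upstream:` is where nginx then tried to connect. In the posted lines the Host header names a site this server does not host (down.qq.com) and the upstream is a non-local address on port 8080, while the last line is a client announcing a Content-Length of 4294967295 bytes (the largest unsigned 32-bit value) on a GET. The script below parses lines in this format and flags exactly those three conditions so a busy log can be reduced to the entries worth looking at. The log lines inside it are constructed to mirror the posted format, with documentation-range addresses and a hypothetical set of locally served hostnames (`LOCAL_HOSTS`) standing in for the real server's vhosts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed sample entries modelled on the nginx error-log format in the post.
# Addresses are RFC 5737 documentation ranges, not captured traffic.
SAMPLE_LOG = """\
2019/08/20 09:21:16 [error] 28301#28301: *1406858 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:198.51.100.23, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/static/cpt2.bin HTTP/1.1", upstream: "http://203.0.113.9:8080/iedsafe/Client/tenprotect_rsdt/static/cpt2.bin", host: "down.qq.com"
2019/08/20 17:23:37 [error] 28307#28307: *1520077 client intended to send too large body: 4294967295 bytes, client: ::ffff:198.51.100.77, server: localhost, request: "GET /msdn.cpp HTTP/1.1", host: "192.0.2.10"
2019/08/20 18:00:01 [error] 28307#28307: *1520100 connect() failed (111: Connection refused) while connecting to upstream, client: 198.51.100.5, server: example.com, request: "GET /index.php HTTP/1.1", upstream: "http://127.0.0.1:8080/index.php", host: "example.com"
"""

# Hypothetical set of hostnames/IPs this server legitimately serves (assumption:
# on a real box you would build this from the vhost configuration).
LOCAL_HOSTS: Set[str] = {"example.com", "www.example.com", "192.0.2.10", "localhost"}
# Backends a reverse proxy in front of a local Apache is expected to reach.
LOOPBACK: Set[str] = {"127.0.0.1", "::1", "localhost"}

# One regex for the error-log line shape shown in the post; "upstream" is optional
# because the oversized-body entry has none.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ '
    r'(?P<msg>.*?), client: (?P<client>\S+), server: (?P<server>\S*), '
    r'request: "(?P<request>[^"]*)"'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r', host: "(?P<host>[^"]*)"'
)
TOO_LARGE_RE = re.compile(r"too large body: (\d+) bytes")


@dataclass
class Entry:
    ts: str
    level: str
    msg: str
    client: str
    server: str
    request: str
    upstream: Optional[str]
    host: str


def parse_line(line: str) -> Optional[Entry]:
    """Return a structured Entry for a recognised line, None otherwise."""
    m = LINE_RE.match(line)
    return Entry(**m.groupdict()) if m else None


def host_without_port(h: str) -> str:
    """Strip an optional :port from a Host header value ("[::1]:80" and "a.b:80" forms)."""
    if h.startswith("["):
        return h[1 : h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def classify(e: Entry, local_hosts: Set[str]) -> List[str]:
    """Flag the conditions a practitioner would pull out of this log."""
    flags: List[str] = []
    # Host header names a site this server does not serve: the client is asking us
    # to fetch someone else's URL, i.e. probing for an open proxy.
    if host_without_port(e.host) not in local_hosts:
        flags.append("foreign-host")
    # nginx tried to connect to a backend that is not the local Apache.
    if e.upstream and urlparse(e.upstream).hostname not in LOOPBACK:
        flags.append("external-upstream")
    # Client declared a body nginx refused; note the classic 2^32-1 value.
    m = TOO_LARGE_RE.search(e.msg)
    if m:
        flags.append("oversized-body")
        if int(m.group(1)) == 0xFFFFFFFF:
            flags.append("content-length-uint32-max")
    return flags


def triage(log_text: str, local_hosts: Set[str] = LOCAL_HOSTS) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group (client, host, request) tuples by flag over a whole error log."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        for flag in classify(e, local_hosts):
            report.setdefault(flag, []).append((e.client, e.host, e.request))
    return report


if __name__ == "__main__":
    for flag, hits in triage(SAMPLE_LOG).items():
        print(flag)
        for client, host, request in hits:
            print(f"  {client}  host={host}  {request}")
```

Run it against `/var/log/nginx/error.log` by passing the file contents to `triage()` with your own vhost list in `LOCAL_HOSTS`; the third sample line, a refused connection to the local backend for a host the server does serve, produces no flags, which is the distinction between an ordinary backend hiccup and the entries in the post.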

cPanelLauren (Product Owner, Staff member, Nov 14, 2017, Houston)
These connections were indeed refused, and while this isn't quite enough information to go off of to determine if the server is compromised, I do believe it is good that you ran ClamAV. You might continue to watch, and should you suspect that it is still occurring, feel free to open a ticket and we can look further into the issue.

Thanks!

gas75
Thank you, Lauren, for your reply. So far no error messages, so I think this is resolved. But I doubt this was from a bunch of compromised email attachments. Anyway, I deleted them and hope this won't resurface again.

Thank you again.