Server trying to upload binary files?

G

gas75

Member
Aug 20, 2019
6
1
3
Greece
cPanel Access Level
Root Administrator
Hello all. Today i saw on the nginx log (engintron v1.11.0 Nginx version: 1.16.1) the following activity (selection from repeated entries):

Code: 
2019/08/20 09:21:16 [error] 28301#28301: *1406858 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/static/cpt2.bin HTTP/1.1", upstream: "http://203.205.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/static/cpt2.bin", host: "down.qq.com"
2019/08/20 10:21:04 [error] 28307#28307: *1421185 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/dynamic_ver/20190820/2.6.2008.20400.bin HTTP/1.1", upstream: "http://203.205.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/dynamic_ver/20190820/2.6.2008.20400.bin", host: "down.qq.com"
2019/08/20 10:21:09 [error] 28308#28308: *1421220 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:114.226.xxx.xxx, server: localhost, request: "GET /iedsafe/Client/tenprotect_rsdt/dynamic/20190820.bin HTTP/1.1", upstream: "http://203.20x.xxx.xxx:8080/iedsafe/Client/tenprotect_rsdt/dynamic/20190820.bin", host: "down.qq.com"
2019/08/20 17:23:37 [error] 28307#28307: *1520077 client intended to send too large body: 4294967295 bytes, client: ::ffff:176.58.xxx.xxx, server: localhost, request: "GET /msdn.cpp HTTP/1.1", host: "144.76.xxx.xxx0"
As far as I understand the attempts to send the file were unsuccessful. Is there any way to track down the process that triggered this action and eliminate. Is it possible that the server is infected? As a precaution i enabled the country block from the firewall (cPHulk)

Server details
/etc/redhat-release:CentOS Linux release 7.6.1810 (Core)
/usr/local/cpanel/version:11.82.0.9
/var/cpanel/envtype:standard
CPANEL=release

Any help would be appreciated.
Thank you

**UPDATE: Performed a scan with ClamAV and found several infections in an account's emails. Deleted them and I'll keep watching the log files.
 
Last edited:
cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
These connections were indeed refused and while this isn't quite enough information to go off of to determine if the server is compromised I do believe it is good that you ran ClamAV. You might continue to watch and should you suspect that it is still occurring feel free to open a ticket and we can look further into the issue.


Thanks!
 
G

gas75

Member
Aug 20, 2019
6
1
3
Greece
cPanel Access Level
Root Administrator
cPanelLauren said:
These connections were indeed refused and while this isn't quite enough information to go off of to determine if the server is compromised I do believe it is good that you ran ClamAV. You might continue to watch and should you suspect that it is still occurring feel free to open a ticket and we can look further into the issue.


Thanks!
Click to expand...
Thank you Lauren for your reply. So far no error messages so i think this is resolved. But I doubt if this was from a bunch of compromised email attachments. Anyway, deleted them and hope this won't resurface again.

Thank you again.
 
  • Like
Reactions: cPanelLauren
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
T cPanel process trying to contact digital ocean server every hour? Security 6
Z Hidden IPs trying to connect to my server? Security 8
T Looks like someone trying to upload files to the server Security 3
H Server trying to ssh into itself Security 7
goodgbb HELP!!! The hacker trying to hack my server Security 7
Similar threads
cPanel process trying to contact digital ocean server every hour?
Hidden IPs trying to connect to my server?
Looks like someone trying to upload files to the server
Server trying to ssh into itself
HELP!!! The hacker trying to hack my server
Top Bottom