SOLVED TCP Out Blocked Message

Discussion in 'Security' started by keat63, Dec 13, 2017.

  1. keat63 (Well-Known Member, cPanel Access Level: Root Administrator)

    Could anyone help shed any light on this, please?
    Yesterday I transferred a company domain from one server to another.
    Shortly afterwards, I saw a number of these messages in my message logs.

    UID 509 is the new account, so it looks like the site was trying to do something, but I've no idea what.
    ClamScan doesn't find anything.

    yyy.yyy.yyy.yyy being my server IP.

    There are about 8 entries like this over a 30 minute period, then nothing else since around 18 hours ago.


    Code:
    Dec 12 15:32:24  kernel: [5263306.350922] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=yyy.yyy.yyy.yyy DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60438 DF PROTO=TCP SPT=58278 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=509 GID=515

    #1 keat63, Dec 13, 2017
  2. rpvw (Well-Known Member, Location: Spain, cPanel Access Level: Root Administrator)

    I would be concerned at any connection that is from or to port 1

    I am seeing incoming requests to port 1 as part of port scans, but an outgoing connection would raise a red flag, and your firewall is doing what it should by blocking it.

    Port 1 is tcpmux and is sometimes used by the Breach.2001 and SocketsDeTroie trojan. See Port 1 (tcp/udp) for full details.

    Also see TCP Port Service Multiplexer - Wikipedia for Security risks, and additional information.

    Since you can see the user and group IDs of the call, I would be examining the folders and files that the user/group own, or can access, in minute detail to try and determine what is going on. You may need to run additional security checks like chkrootkit and/or rkhunter. See Additional Security Software - cPanel Knowledge Base - cPanel Documentation for more advice and useful tips.
     
  3. keat63 (Well-Known Member, cPanel Access Level: Root Administrator)

    I already scanned the files residing on my PC, and see nothing other than images, html files and a few js scripts.
    No .PHP files, no .pl files.
    To my untrained eye, it looks pretty harmless.

    I created the account from fresh and uploaded only the public_html files/folders.

    I forgot I had chkrootkit, so I ran this, and found only Checking `bindshell'... INFECTED (PORTS: 465), which from what I can gather is normal.

    I installed RKHunter 1.4.4, which shows the following.

    Code:
    [12:10:56] System checks summary
    [12:10:56] =====================
    [12:10:56]
    [12:10:56] File properties checks...
    [12:10:56] Required commands check failed
    [12:10:56] Files checked: 149
    [12:10:56] Suspect files: 5
    [12:10:56]
    [12:10:56] Rootkit checks...
    [12:10:57] Rootkits checked : 480
    [12:10:57] Possible rootkits: 0
    [12:10:57]
    [12:10:57] Applications checks...
    [12:10:57] All checks skipped
    [12:10:57]
    [12:10:57] The system checks took: 3 minutes and 31 seconds

  4. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Hello,

    If you don't receive additional user feedback, you may need to consult with a system administrator or network specialist and have them examine the account and your system to see if anything else stands out:

    System Administration Services | cPanel Forums

    Thank you.
     
  5. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)

    With it being a normal user ID running the process, I wouldn't worry too much about root, at least not yet. These things, though, are hard to find when they're not ongoing. I would thoroughly examine the site's logs, HTTP access logs especially, at the time of the attempted outbound connection.

    You have the most important thing, which is a precise timestamp. That is your best thing to work from. Check the logs of every service that user has access to. Don't forget the cPanel access logs themselves are in GMT and need adjusting from the local time zone used in the system/HTTP logs.

    Of course, if it happens again you have the options of netstat, tcpdump, lsof, etc. to find the activity while it's ongoing.
     
  6. keat63 (Well-Known Member, cPanel Access Level: Root Administrator)

    It's been a few days and I've seen nothing since.

    I recall at some point on Tuesday afternoon looking in cPanel (end-user side) at the Perl Modules section, namely looking at the installed modules and clicking the "show available modules" button.

    So yesterday I created a new test account, and today did the same.
    Guess what, the same thing happens.

    Each one of those destination IPs is different; could this just be the server going out to each Perl module owner?

    Also, perl and perl5 folders are then created in the user's home directory.

    Code:
    Dec 15 08:23:26  kernel: [5496768.290071] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=yyy.yyy.yyy.yyy DST=111.111.111.111 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8441 DF PROTO=TCP SPT=48010 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
    Dec 15 08:23:28  kernel: [5496770.272268] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=yyy.yyy.yyy.yyy DST=222.222.222.222 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37005 DF PROTO=TCP SPT=59728 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
    Dec 15 08:23:30  kernel: [5496772.596169] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=yyy.yyy.yyy.yyy DST=333.333.333.333 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27732 DF PROTO=TCP SPT=49820 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
    Dec 15 08:23:32  kernel: [5496774.317067] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=yyy.yyy.yyy.yyy DST=444.444.444.444 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10996 DF PROTO=TCP SPT=53394 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
    Dec 15 08:25:52  lfd[2595]: SYSLOG check [xh81IeajWQMkEML5qihKLClWp]

    #6 keat63, Dec 15, 2017
  7. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Could you provide the actual IP addresses instead of the examples? We should be able to verify if those IP addresses are where the Perl modules are hosted.

    Thank you.
     
  8. rpvw (Well-Known Member, Location: Spain, cPanel Access Level: Root Administrator)

    I did the same test as keat63, clicking the "show available modules" button in a user's cPanel:
    Code:
    Dec 15 20:41:12   kernel: [713643.369401] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= xxx.xxx.xxx.xxx DST=209.85.80.214 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2340 DF PROTO=TCP SPT=44088 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=535 GID=505
    Dec 15 20:41:12   kernel: [713643.370167] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= xxx.xxx.xxx.xxx DST=83.170.94.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13163 DF PROTO=TCP SPT=40819 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=535 GID=505
    Dec 15 20:41:12   kernel: [713643.370760] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= xxx.xxx.xxx.xxx DST=208.109.109.239 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31363 DF PROTO=TCP SPT=50737 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=535 GID=505
    Dec 15 20:41:12   kernel: [713643.371523] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= xxx.xxx.xxx.xxx DST=72.29.88.74 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12623 DF PROTO=TCP SPT=34667 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=535 GID=505
    Dec 15 20:41:12   kernel: [713643.371820] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= xxx.xxx.xxx.xxx DST=185.45.12.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57498 DF PROTO=TCP SPT=38308 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=535 GID=505
    Dec 15 20:41:14   kernel: [713645.370140] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= xxx.xxx.xxx.xxx DST=216.38.56.98 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22694 DF PROTO=TCP SPT=52475 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=535 GID=505
    Dec 15 20:41:16   kernel: [713647.376913] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= xxx.xxx.xxx.xxx DST=64.50.233.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55755 DF PROTO=TCP SPT=59349 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=535 GID=505
    These results do seem strange, and How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation makes no mention of TCP-1.

    All of the DPTs can be found in a newly created .cpcpan/pingtimes folder in the user's home directory, together with ping times of many other IPs and domain names.
     
    #8 rpvw, Dec 15, 2017
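An added example (not code from this thread, from cPanel or from CSF) that puts quizknows' advice and rpvw's pingtimes observation into one script: it parses the CSF "Firewall: *TCP_OUT Blocked*" kernel lines, groups the attempts by the UID that made them, shifts the syslog timestamps to UTC so they line up with cPanel's GMT access logs, and marks destinations that also appear in the account's .cpcpan/pingtimes data as explained by the CPAN mirror ping, leaving anything else for manual review. The log lines, the pingtimes host list and the +1 hour local offset are constructed for the example; the year must be passed in because syslog timestamps omit it.

```python
"""Triage CSF/lfd '*TCP_OUT Blocked*' kernel log lines by UID and destination.

Added example for this thread; the sample log, the pingtimes host list and the
local-timezone offset below are constructed, not taken from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Leading part of a CSF kernel log line. The hostname is optional because the
# lines quoted in the thread had it stripped (two spaces before "kernel:").
HEAD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?:\S+\s+)?kernel: "
    r"\[[\d.]+\] Firewall: \*(?P<rule>[A-Z_]+) Blocked\*\s*(?P<rest>.*)$"
)


def parse_fields(rest):
    """Turn 'IN= OUT=eth0 SRC= 1.2.3.4 ... DF ... SYN' into a dict.
    Bare tokens such as DF and SYN become flags set to True."""
    fields = {}
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" not in tok:
            fields[tok] = True
            i += 1
            continue
        key, _, val = tok.partition("=")
        # CSF sometimes prints "SRC= 1.2.3.4" with a space before the value,
        # while "IN=" is legitimately empty for outbound packets. Only consume
        # the next token when it is neither a KEY=VALUE pair nor a bare flag.
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if val == "" and nxt is not None and "=" not in nxt and not nxt.isupper():
            val = nxt
            i += 1
        fields[key] = val
        i += 1
    return fields


def parse_line(line, year, local_utc_offset_hours):
    """Parse one kernel log line; return None for anything else (e.g. lfd lines)."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    local_tz = timezone(timedelta(hours=local_utc_offset_hours))
    ts_local = datetime.strptime(
        f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=local_tz)
    f = parse_fields(m.group("rest"))
    return {
        "time_local": ts_local,
        "time_utc": ts_local.astimezone(timezone.utc),  # cPanel access logs are GMT
        "rule": m.group("rule"),
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "proto": f.get("PROTO"),
        "dport": int(f["DPT"]) if "DPT" in f else None,
        "uid": int(f["UID"]) if "UID" in f else None,
        "gid": int(f["GID"]) if "GID" in f else None,
        "syn": f.get("SYN", False) is True,
    }


def summarize_by_uid(events):
    """Group blocked outbound attempts by UID: the UID is what ties a kernel
    log line back to one cPanel account, and the UTC window is what you
    search the other services' logs for."""
    by_uid = defaultdict(list)
    for ev in events:
        by_uid[ev["uid"]].append(ev)
    summary = {}
    for uid, evs in by_uid.items():
        times = sorted(e["time_utc"] for e in evs)
        summary[uid] = {
            "attempts": len(evs),
            "dports": sorted({e["dport"] for e in evs}),
            "dsts": sorted({e["dst"] for e in evs}),
            "first_utc": times[0].strftime("%Y-%m-%d %H:%M:%S"),
            "last_utc": times[-1].strftime("%Y-%m-%d %H:%M:%S"),
        }
    return summary


def classify_against_pingtimes(events, pingtimes_hosts):
    """Split events into those explained by the CPAN mirror ping (port 1 to a
    host recorded under ~/.cpcpan/pingtimes) and those still needing review."""
    explained, unexplained = [], []
    for ev in events:
        ok = ev["dport"] == 1 and ev["dst"] in pingtimes_hosts
        (explained if ok else unexplained).append(ev)
    return explained, unexplained


# Constructed sample input using RFC 5737 documentation addresses. The last
# line is an lfd entry, included to show that non-kernel lines are skipped.
SAMPLE_LOG = """\
Dec 15 08:23:26  kernel: [5496768.290071] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8441 DF PROTO=TCP SPT=48010 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
Dec 15 08:23:28  kernel: [5496770.272268] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= 198.51.100.5 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37005 DF PROTO=TCP SPT=59728 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
Dec 15 08:23:30 srv1 kernel: [5496772.596169] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27732 DF PROTO=TCP SPT=49820 DPT=1 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
Dec 15 08:40:02 srv1 kernel: [5497744.123456] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11111 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=521 GID=531
Dec 15 08:25:52  lfd[2595]: SYSLOG check [constructedtoken]
"""
# Constructed stand-in for the hosts listed in the account's .cpcpan/pingtimes data.
SAMPLE_PINGTIMES_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def analyze(log_text=SAMPLE_LOG, pingtimes_hosts=SAMPLE_PINGTIMES_HOSTS,
            year=2017, local_utc_offset_hours=1):
    """Run the whole triage; the +1 offset is an assumed local timezone."""
    events = [ev for ev in (parse_line(l, year, local_utc_offset_hours)
                            for l in log_text.splitlines()) if ev]
    summary = summarize_by_uid(events)
    explained, unexplained = classify_against_pingtimes(events, pingtimes_hosts)
    return summary, explained, unexplained


if __name__ == "__main__":
    summary, explained, unexplained = analyze()
    for uid, s in summary.items():
        print(f"UID {uid}: {s['attempts']} blocked attempts to ports {s['dports']} "
              f"between {s['first_utc']} and {s['last_utc']} UTC")
    print(f"{len(explained)} explained by CPAN mirror ping, {len(unexplained)} to review:")
    for ev in unexplained:
        print("  ", ev["time_utc"].isoformat(), ev["dst"], "port", ev["dport"])
```

The UTC window printed per UID is the range to search in the account's HTTP access log, the cPanel access log and any cron or mail logs; a port-1 attempt to a host that is absent from the pingtimes data, or any attempt to a different port, ends up in the review list.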
  9. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Hello,

    Yes, upon testing, that traffic looks to be legitimate. Here's a quote from a CPAN URL explaining its purpose:

    I've opened internal case DOC-10012 with our Documentation Team to have this information reflected on the following document:

    How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  10. rpvw (Well-Known Member, Location: Spain, cPanel Access Level: Root Administrator)

    Allowing TCP 1 OUT in the firewall resulted in a significant speeding up of the display of the available modules, and it also seems to have had a similar effect on the WHM >> Install a Perl Module >> Search -or- Show Available Modules.

    Great catch keat63, and thank you cPanelMichael for your support.
     
  11. keat63 (Well-Known Member, cPanel Access Level: Root Administrator)

    Phew.

    I was worried for a short while.
     