ConfigServer Community Forum

Hello. A few days ago the main IP of our server was listed by Spamhause. The reason was:

This was detected by a TCP connection from "31.200.243.xxx" on
port "48048" going to IP address "192.42.119.41" (the sinkhole
(sinkhole.html)) on port "80".
The botnet command and control domain for this connection
was "04d92810.com".
This detection corresponds to a connection at Fri Apr 13 05:15:21
2018 UTC (this timestamp is believed accurate to within one
second).
Detection Information Summary
Destination IP 192.42.119.41
Destination port 80
Source IP 31.200.243.xxx
Source port 48048
C&C name/domain 04d92810.com
Protocol TCP
Time Fri Apr 13 05:15:21 2018 UTC

The IP listed 2 times, and each time we delist manually, but Spamhaus continue saying that connections remain.

What we did is deny the IP 192.42.119.41 in CSF. Now Spamhaus are not detecting the connection, but connection continues from our server. This is messages log obtained from CSF:

Apr 14 16:29:05 virt1947 kernel: [878598.655718] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxx DST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2289 DF PROTO=TCP SPT=46930 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=545 GID=545
Apr 14 16:29:05 virt1947 kernel: [878598.656034] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxxDST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59481 DF PROTO=TCP SPT=46932 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=545 GID=545
Apr 14 16:29:06 virt1947 kernel: [878599.656123] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxx DST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59482 DF PROTO=TCP SPT=46932 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=545 GID=545
Apr 14 16:29:06 virt1947 kernel: [878599.656269] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxx DST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12270 DF PROTO=TCP SPT=46934 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=545 GID=545
Apr 14 16:29:07 virt1947 kernel: [878600.656307] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxx DST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12271 DF PROTO=TCP SPT=46934 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=545 GID=545
Apr 14 16:29:08 virt1947 kernel: [878601.655235] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxx DST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57884 DF PROTO=TCP SPT=46938 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=545 GID=545

How can we discover from what domain are making these connections?.

Thanks.

Kind regards.

Hi,
We are also experiencing the same problem and would appreciate assistance in determining the problematic domain name.
@digitecmedia I understand that blocking the IP address 192.42.119.41 on CSF is not recommended as the bot (infection) may find an alternative server to communicate with i.e. not the sinkhole.

Thank you in advance.

Hello @hostnow, sure, it's not the solution, but in our case this has served to Spamhaus delist our IP. It's a first step to continue investigate the origin of problem. I hope someone of this forum or someone of CSF Support can help to you and us. Thanks.

Kind regards.

Hello again @hostnow. After deny this IP in CSF, we could search in the log/messages log (you can access from CSF in main menu clicking in "Search System Logs") and see this:

Apr 15 05:20:23 virt1947 kernel: [924838.992153] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxx DST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18043 DF PROTO=TCP SPT=42054 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=545 GID=545
Apr 15 05:20:23 virt1947 kernel: [924839.279813] Firewall: *TCP_OUT Blocked* IN= OUT=venet0 SRC=31.200.243.xxx DST=192.42.119.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55854 DF PROTO=TCP SPT=42062 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=635 GID=635

We know right now that connections are from users UID 545 and UID 635. Both domains behind these users has Wordpress sites. So now we must investigate these 2 sites. You can try to do that to see if you can detect the domain which is making the connections, Thanks,

Kind regards.

Hello again @hostnow. We installed Wordfence in both sites and it detect a lot of injected files (Pyxsoft did not do it). We cleaned the files and connections disapeared from CSF!!.

Kind regards.