I see a lot of traffic going out from my standalone database server. The database server is only allowed to connect through the internal private network to the web and dialer server.
Here is the output of some traffic monitoring:
netstat -nputw
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 272 104.194.10.153:58742 144.202.3.7:58357 ESTABLISHED 25995/4
tcp 0 0 104.194.10.153:58742 144.202.3.7:58354 ESTABLISHED 25968/sshd: root@no
tcp 0 0 10.0.0.2:3306 10.0.0.1:36332 ESTABLISHED 1605/mysqld
tcp 0 0 10.0.0.2:3306 10.0.0.1:10030 ESTABLISHED 1605/mysqld
tcp 0 0 10.0.0.2:3306 10.0.0.1:10036 ESTABLISHED 1605/mysqld
tcp 0 0 10.0.0.2:3306 10.0.0.1:55236 ESTABLISHED 1605/mysqld
tcp 0 0 10.0.0.2:3306 10.0.0.1:10032 ESTABLISHED 1605/mysqld
tcp 0 0 10.0.0.2:3306 10.0.0.1:10026 ESTABLISHED 1605/mysqld
iftop output
255.255.255.255 => 0.0.0.0 0b 0b 0b
<= 0b 1.45Kb 1.45Kb
104.194.11.255 => 104.194.11.172 0b 0b 0b
<= 936b 702b 702b
172.93.107.255 => hosted-by.speed.yt 0b 0b 0b
<= 624b 702b 702b
2x9.2x2.10x.2x5 => 2x9.2x2.10x.1x2 0b 0b 0b #####(my web dialer server)
<= 2.44Kb 624b 624b
172.93.97.255 => 172.93.97.18 0b 0b 0b
<= 620b 620b 620b
45.58.114.159 => 45.58.114.154 0b 0b 0b
<= 496b 496b 496b
172.93.98.255 => 172.93.98.2 0b 0b 0b
<= 620b 465b 465b
255.255.255.255 => 104.243.45.124 0b 0b 0b
<= 0b 402b 402b
185.150.190.255 => 185.150.190.144 0b 0b 0b
<= 372b 372b 372b
vicidata => 112.85.42.189 0b 0b 0b
iptraf output
UDP (46 bytes) from 172.93.98.2:61856 to 172.93.98.255:34196 on eth0
UDP (46 bytes) from 206.221.182.106:56841 to 206.221.182.255:34196 on eth0
UDP (576 bytes) from 0.0.0.0:68 to 255.255.255.255:67 on eth0
UDP (46 bytes) from 104.194.9.168:51367 to 104.194.9.255:34196 on eth0
UDP (68 bytes) from 45.58.112.44:41018 to 255.255.255.255:1947 on eth0
UDP (46 bytes) from 185.150.190.144:58930 to 185.150.190.255:34196 on eth0
UDP (78 bytes) from 104.243.40.202:137 to 104.243.40.255:137 on eth0
UDP (78 bytes) from 172.93.107.138:137 to 172.93.107.255:137 on eth0
UDP (46 bytes) from 172.93.97.18:56956 to 172.93.97.255:34196 on eth0
UDP (46 bytes) from 172.93.97.18:56956 to 172.93.97.255:34196 on eth0
UDP (46 bytes) from 172.93.97.18:56956 to 172.93.97.255:34196 on eth0
UDP (46 bytes) from 172.93.97.18:56956 to 172.93.97.255:34196 on eth0
UDP (46 bytes) from 172.93.97.18:56956 to 172.93.97.255:34196 on eth0
UDP (46 bytes) from 172.93.98.2:61856 to 172.93.98.255:34196 on eth0
UDP (46 bytes) from 206.221.182.106:56841 to 206.221.182.255:34196 on eth0
UDP (229 bytes) from 104.243.37.32:138 to 104.243.37.255:138 on eth0
UDP (46 bytes) from 104.194.9.168:51367 to 104.194.9.255:34196 on eth0
UDP (78 bytes) from 209.222.101.142:137 to 209.222.101.255:137 on eth0
UDP (78 bytes) from 209.222.101.142:137 to 209.222.101.255:137 on eth0
UDP (78 bytes) from 209.222.101.142:137 to 209.222.101.255:137 on eth0
UDP (46 bytes) from 172.93.97.18:56956 to 172.93.97.255:34196 on eth0
UDP (46 bytes) from 172.93.97.18:56956 to 172.93.97.255:34196 on eth0
UDP (161 bytes) from 104.194.11.136:17500 to 255.255.255.255:17500 on eth0
UDP (161 bytes) from 104.194.11.136:17500 to 255.255.255.255:17500 on eth0
UDP (161 bytes) from 104.194.11.136:17500 to 104.194.11.255:17500 on eth0
UDP (49 bytes) from 206.221.184.131:36699 to 206.221.184.255:32414 on eth0
I have removed my database IP and web dialer server IP from the output.
Is my server compromised? Do I need to start with a fresh install?
Currently I am using the YaST firewall to control traffic. I have already followed everything mentioned here: http://www.viciwiki.com/index.php/Whitelist to block ping and some other requests. The SSH port has already been changed. The web server is not available to everyone.