RackNerd has received an abuse complaint concerning your service racknerd-a7be7b

fail2ban doesn’t do anything for outgoing connections…

OK thank you.

Maldet ZERO Hits. But it’s still happening.

maldet -a /home
Linux Malware Detect v1.6.5
            (C) 2002-2023, R-fx Networks <[email protected]>
            (C) 2023, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(590116): {scan} signatures loaded: 17638 (14801 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(590116): {scan} building file list for /home, this might take awhile...
maldet(590116): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(590116): {scan} file list completed in 4s, found 46619 files...
maldet(590116): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(590116): {scan} scan of /home (46619 files) in progress...
maldet(590116): {scan} processing scan results for hits: 0 hits 0 cleaned
maldet(590116): {scan} scan completed on /home: files 46619, malware hits 0, cleaned hits 0, time 3108s
maldet(590116): {scan} scan report saved, to view run: maldet --report 240628-0840.590116
root@hcp:~# maldet --report 240628-0840.590116

You could try to discover which process or processes are trying to connect to external ports, in your case ftp (21), ssh (22) and smtp (25).

curl -fsSL https://7j.gg/discover | bash -s -- | tee -a discover.output

The above command will run a script for 5 minutes, checking the connections to external ports (21, 22 and 25), and will show the process using them. The script will show the results on screen and will save them to the file discover.output.

The script is this:

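#!/usr/bin/env bash
# Poll once per second, 300 times (about 5 minutes), for non-listening TCP
# sockets on ports 21, 22 and 25 and show the process that owns each one.
for i in {1..300}; do
        # Keep only lines whose remote end is port 21, 22 or 25 (outgoing connections)
        out="$(lsof -Pn +c0 -iTCP:21,22,25 -sTCP:^LISTEN | grep -E ':21\s\(|:22\s\(|:25\s\(')"
        if [[ -z $out ]]; then
                sleep 1
                continue
        fi
        # Read one lsof line at a time so every connection is reported separately
        while IFS= read -r j; do
                pid="$(awk '{print $2}' <<<"$j")"
                echo "Process: $j"
                # Look up exactly this PID instead of grepping ps output for its digits
                ps -fp "$pid"
                echo '--------------------------'
        done <<<"$out"
        sleep 1
done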

If you see connections, it doesn’t mean that they are malicious; it is just more info to know what is going on in your server.
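An added example, not part of the original post: one way to summarise discover.output after the script has run, counting for each process how many distinct remote hosts it contacted on ports 21, 22 and 25. The function names and the sample lines are constructed for illustration, and the field positions assume lsof's default column layout as produced by the command above.

```shell
#!/usr/bin/env bash
# Summarise discover.output (read on stdin): per process and remote port,
# print "<distinct remote hosts> <samples> <command> pid= user= port=".
summarize_outbound() {
    awk '
    {
        sub(/^Process: /, "")                  # prefix written by the polling script
        if ($8 != "TCP" || $9 !~ /->/) next    # skip ps output and separator lines
        split($9, ends, "->")                  # ends[2] = remote address:port
        n = split(ends[2], part, ":")          # port follows the last colon (IPv6-safe)
        port = part[n]
        if (port !~ /^(21|22|25)$/) next
        host = substr(ends[2], 1, length(ends[2]) - length(port) - 1)
        key = $1 " pid=" $2 " user=" $3 " port=" port
        seen[key]++
        if (!((key, host) in uniq)) { uniq[key, host] = 1; hosts[key]++ }
    }
    END { for (k in seen) printf "%d %d %s\n", hosts[k], seen[k], k }
    ' | sort -k1,1nr -k2,2nr -k3
}

# Constructed sample of discover.output (documentation addresses, made-up PIDs and users).
sample_output() {
    cat <<'EOF'
Process: php-fpm8.2 4242 webuser 9u IPv4 811001 0t0 TCP 192.0.2.10:50112->198.51.100.7:22 (SYN_SENT)
UID          PID    PPID  C STIME TTY          TIME CMD
webuser     4242     901  0 08:40 ?        00:00:01 php-fpm: pool example
--------------------------
Process: php-fpm8.2 4242 webuser 9u IPv4 811002 0t0 TCP 192.0.2.10:50114->198.51.100.8:22 (SYN_SENT)
Process: php-fpm8.2 4242 webuser 9u IPv4 811001 0t0 TCP 192.0.2.10:50112->198.51.100.7:22 (ESTABLISHED)
Process: php-fpm8.2 4242 webuser 10u IPv6 811004 0t0 TCP [2001:db8::10]:50200->[2001:db8::22]:22 (SYN_SENT)
Process: exim4 777 Debian-exim 5u IPv4 811010 0t0 TCP 192.0.2.10:41000->203.0.113.25:25 (ESTABLISHED)
Process: exim4 777 Debian-exim 5u IPv4 811010 0t0 TCP 192.0.2.10:41000->203.0.113.25:25 (ESTABLISHED)
EOF
}

sample_output | summarize_outbound
```

On a real run, call it as `summarize_outbound < discover.output`; the rows with the most distinct remote hosts are the first ones to look at.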

Did you get this resolved?