-
08-17-2009, 11:42 AM #1WHT Addict
Help me prevent malicious activities on my server
Hello,
I'm a VPN provider and we received a warning from my datacenter for malicious activities.
This is the abuse report showing that my server is doing malicious activities:
28753 | 89.1xx.xxx.xx | 2009-08-12 04:15:26 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 04:16:31 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 05:51:42 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 05:51:53 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 05:55:40 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-13 08:21:41 mwtype Conficker BOTS | NETDIRECT AS
1- Prevent malicious activities?
2- Block email traffic (users can't send emails over the VPN connection)
3- Monitoring users' activities.
-
08-17-2009, 11:50 AM #2Newbie
To block mail, just block all port 25 traffic outbound from your system. As for monitoring, without knowing what you're doing and how you're set up I can't recommend anything. Any decent firewall solution with AV should pick up and block Conficker. If you don't want to buy anything, look into running a pfSense install virtually. This would allow some type of monitoring.
-
08-17-2009, 12:04 PM #3WHT Addict
-
08-17-2009, 12:18 PM #4WHT Addict
About pfSense, I can't install it.
My servers use Debian and CentOS, and I'm looking for a firewall which works the same as pfSense.
Thank you
-
08-17-2009, 01:04 PM #5Newbie
I meant port 25 outbound. They can relay inbound on any non-standard port, but in order to send to actual people it would need to connect on port 25. Just do a telnet to 209.85.211.15 (gmail) on port 25; if you can, you're not blocking outbound SMTP.
Don't know how your network is set up; need to know how you're set up if you want a good recommendation. Is this co-lo? VPS? Home?
-
08-18-2009, 10:52 AM #6Web Hosting Guru
I do think that you have a bot on your server. The best way ahead is to remove that bot (either by suspending the customer doing that type of activity, or by locating the hacker that has installed it on the server, deleting the bot and changing passwords) and, after removal, reply to your datacenter with the actions taken.
As a starting point to know what is going on, go here: http://es.wikipedia.org/wiki/Conficker
Regards
QuelComfortHost.NET. Top quality hosting. And a personal touch.
** web hosting ** reseller hosting ** VPS ** Managed Servers **
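An added example, not part of any post in this thread: because the abuse report names only the server's public IP, finding the customer to suspend means matching the report's timestamps against the VPN's own session records. The session-log format, user names and tunnel IPs below are hypothetical, and both logs are assumed to use the same timezone.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Row layout of the report quoted in the first post:
#   ASN | IP | timestamp mwtype <family> BOTS | AS name
ROW = re.compile(r"^\s*\d+\s*\|\s*\S+\s*\|\s*"
                 r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+mwtype\s+(\S+)")

def parse_report(text):
    """Return [(timestamp, family)]; wrapped tails like 'NETDIRECT AS' are skipped."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(datetime.strptime(m.group(1), FMT), m.group(2)) for m in rows if m]

def parse_sessions(text):
    """Hypothetical log, 'user,tunnel_ip,start,end' per line; empty end = still online."""
    out = []
    for line in text.strip().splitlines():
        user, ip, start, end = (f.strip() for f in line.split(","))
        out.append((user, ip, datetime.strptime(start, FMT),
                    datetime.strptime(end, FMT) if end else datetime.max))
    return out

def suspects(events, sessions, skew=timedelta(minutes=2)):
    """Per user, count reported events that fall inside one of that user's sessions."""
    hits = {}
    for ts, _family in events:
        online = {u for u, _ip, s, e in sessions if s - skew <= ts and ts - skew <= e}
        for user in online:
            hits[user] = hits.get(user, 0) + 1
    # Most-implicated user first; ties broken by name for stable output.
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

# Rows copied from the report in the first post (IP masked there as well).
REPORT = """\
28753 | 89.1xx.xxx.xx | 2009-08-12 04:15:26 mwtype Conficker BOTS |
NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 04:16:31 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 05:51:42 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 05:51:53 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-12 05:55:40 mwtype Conficker BOTS | NETDIRECT AS
28753 | 89.1xx.xxx.xx | 2009-08-13 08:21:41 mwtype Conficker BOTS | NETDIRECT AS
"""
# Constructed sample sessions; users, tunnel IPs and times are invented.
SESSIONS = """\
user_a,10.8.0.2,2009-08-12 03:50:00,2009-08-12 06:10:00
user_b,10.8.0.3,2009-08-12 05:45:00,2009-08-12 07:00:00
user_c,10.8.0.4,2009-08-13 08:00:00,
user_a,10.8.0.2,2009-08-13 08:10:00,2009-08-13 09:00:00
"""
```

A user who was online for every reported event is the first one to check; users who overlap only some events are weaker candidates, since several clients share the server's address.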
-
08-18-2009, 11:48 AM #7WHT Addict
I block the SMTP port with iptables
Code:
iptables -I FORWARD 1 -p tcp --dport 25 -j REJECT
For the VPN server, we have some servers (VPS and dedicated servers) and we are using CentOS or Debian.
Please advise what I should do to prevent abuse activities, and let me know if you have some suggestions on iptables rules.
Thank you
-
08-18-2009, 12:06 PM #8WHT Addict