  1. #1

    Help me prevent malicious activities on my server

    Hello,

    I'm a VPN provider and we received a warning from my datacenter about malicious activities.

    This is the abuse report showing that my server
    is doing malicious activities:
    28753 | 89.1xx.xxx.xx | 2009-08-12 04:15:26 mwtype Conficker BOTS | NETDIRECT AS
    28753 | 89.1xx.xxx.xx | 2009-08-12 04:16:31 mwtype Conficker BOTS | NETDIRECT AS
    28753 | 89.1xx.xxx.xx | 2009-08-12 05:51:42 mwtype Conficker BOTS | NETDIRECT AS
    28753 | 89.1xx.xxx.xx | 2009-08-12 05:51:53 mwtype Conficker BOTS | NETDIRECT AS
    28753 | 89.1xx.xxx.xx | 2009-08-12 05:55:40 mwtype Conficker BOTS | NETDIRECT AS
    28753 | 89.1xx.xxx.xx | 2009-08-13 08:21:41 mwtype Conficker BOTS | NETDIRECT AS
    Please advise me, is there any firewall/monitoring system that:
    1- Prevents malicious activities?
    2- Blocks email traffic (users can't send emails over the VPN connection)?
    3- Monitors users' activities?

  2. #2
    To block mail just block all port 25 traffic outbound from your system. As for monitoring, without knowing what you're doing and how you're set up I can't recommend anything. Any decent firewall solution with AV should pick up and block Conficker. If you don't want to buy anything, look into running a pfSense install virtually. This would allow some type of monitoring.

  3. #3
    Quote Originally Posted by nolimitsoldier View Post
    To block mail just block all port 25 traffic outbound from your system. As for monitoring, without knowing what you're doing and how you're set up I can't recommend anything. Any decent firewall solution with AV should pick up and block Conficker. If you don't want to buy anything, look into running a pfSense install virtually. This would allow some type of monitoring.

    We have already closed the SMTP port, but some users can send emails on non-standard ports, and we get abuse reports that unwanted bulk email was sent from the server.

  4. #4
    About pfSense, I can't install it.
    My servers use Debian and CentOS, and I'm looking for a firewall which works the same as pfSense.

    Thank you

  5. #5
    I meant port 25 outbound. They can relay inbound on any non-standard port, but in order to send to actual people it would need to connect on port 25. Just do a telnet to 209.85.211.15 (Gmail) on port 25; if you can, you're not blocking outbound SMTP.

    I don't know how your network is set up; I need to know how you're set up if you want a good recommendation. Is this co-lo? VPS? Home?

  6. #6
    I do think that you have a bot on your server. The best way ahead is to remove that bot (either by suspending the customer doing that type of activity or by locating the hacker that has installed it on the server, deleting the bot and changing passwords) and after removal reply to your datacenter with the actions taken.

    As a starting point to learn what is going on, go here: http://es.wikipedia.org/wiki/Conficker

    Regards

    Quel

  7. #7
    Quote Originally Posted by nolimitsoldier View Post
    I meant port 25 outbound. They can relay inbound on any non-standard port, but in order to send to actual people it would need to connect on port 25. Just do a telnet to 209.85.211.15 (Gmail) on port 25; if you can, you're not blocking outbound SMTP.

    I don't know how your network is set up; I need to know how you're set up if you want a good recommendation. Is this co-lo? VPS? Home?

    I block the SMTP port with iptables:
    Code:
    # FORWARD chain: applies to traffic routed through this box (the VPN clients), not to connections the server itself makes
    iptables -I FORWARD 1 -p tcp --dport 25 -j REJECT
    We installed PPTP and OpenVPN only, and there isn't any other service (like Apache, MySQL, ...).

    For the VPN server, we have some servers (VPS and dedicated servers) and we are using CentOS or Debian.

    Please advise what I should do to prevent abuse activities, and let me know if you have some suggestions on iptables rules.

    Thank you
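The rule in post #7 only touches the FORWARD chain, and the telnet check in post #5 only tells you whether one path is open. The script below is an added example (not code from any poster in this thread) that covers both: it generates an iptables-restore fragment that logs and rejects outbound TCP/25 both for routed VPN traffic (FORWARD) and for the server's own connections (OUTPUT), and it logs and drops outbound TCP/445, since Conficker is a Windows worm that spreads over SMB, so on a Linux box running only PPTP and OpenVPN the "bot" in the abuse report is almost certainly an infected VPN client NATed behind the server's address. It then summarises the resulting kernel log lines per VPN client, which is the per-user monitoring asked for in post #1. Assumptions, all hypothetical: OpenVPN clients in 10.8.0.0/24, PPTP clients in 192.168.100.0/24, uplink eth0, kernel log in /var/log/kern.log (Debian) or /var/log/messages (CentOS); the sample log lines are constructed, with documentation addresses as destinations.

```shell
#!/bin/sh
# Added example for the thread above; not code from any poster.
# Assumed (hypothetical) layout: OpenVPN clients in 10.8.0.0/24 on tun0,
# PPTP clients in 192.168.100.0/24 on ppp+, uplink eth0.
VPN_NETS="10.8.0.0/24 192.168.100.0/24"
LOG_PREFIX_SMTP="VPN-SMTP "
LOG_PREFIX_SMB="VPN-SMB "

# Print an iptables-restore fragment for the filter table.
# FORWARD catches traffic routed for VPN clients; OUTPUT catches the server's
# own connections, which a FORWARD-only rule leaves open.
gen_rules() {
  echo '*filter'
  echo ':VPN-ABUSE - [0:0]'
  for net in $VPN_NETS; do
    echo "-A FORWARD -s $net -j VPN-ABUSE"
  done
  cat <<EOF
-A OUTPUT -j VPN-ABUSE
-A VPN-ABUSE -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix "${LOG_PREFIX_SMTP}"
-A VPN-ABUSE -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A VPN-ABUSE -p tcp --dport 445 -m limit --limit 6/min -j LOG --log-prefix "${LOG_PREFIX_SMB}"
-A VPN-ABUSE -p tcp --dport 445 -j DROP
-A VPN-ABUSE -j RETURN
COMMIT
EOF
}

# Constructed sample kernel log lines (not real data) in the format the LOG
# target writes; destinations are documentation addresses.
sample_log() {
  cat <<'EOF'
Aug 12 04:15:26 vpn1 kernel: VPN-SMTP IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 12 04:15:27 vpn1 kernel: VPN-SMTP IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=192.0.2.26 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 12 04:15:30 vpn1 kernel: VPN-SMTP IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=192.0.2.27 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4323 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 12 04:16:31 vpn1 kernel: VPN-SMB IN=ppp0 OUT=eth0 SRC=192.168.100.12 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=9001 DF PROTO=TCP SPT=1034 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 12 04:16:32 vpn1 kernel: VPN-SMB IN=ppp0 OUT=eth0 SRC=192.168.100.12 DST=198.51.100.8 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=9002 DF PROTO=TCP SPT=1035 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 12 04:20:00 vpn1 kernel: VPN-SMTP IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7777 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Count logged hits per VPN client (SRC=) and destination port (DPT=),
# busiest first: "<count> <client> <port>".
summarize_log() {
  grep -E 'VPN-(SMTP|SMB) ' "$1" \
  | awk '{
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "") n[src " " dpt]++
    }
    END { for (k in n) print n[k], k }' \
  | sort -rn
}

# Client address with the most logged hits on a given destination port.
top_offender() {
  summarize_log "$1" | awk -v port="$2" '$3 == port { print $2; exit }'
}

case "${1:-}" in
  apply)  gen_rules | iptables-restore -n ;;          # -n: add to the running ruleset, do not replace it
  show)   gen_rules ;;
  report) summarize_log "${2:-/var/log/kern.log}" ;;  # CentOS: /var/log/messages
  *)      echo "usage: $0 apply|show|report [logfile]" >&2 ;;
esac
```

Run `show` to review the fragment, `apply` as root to load it, and `report` once the LOG lines have accumulated; the top entry of the report is the VPN account to suspend before answering the datacenter. This stops direct-to-MX spam and SMB scanning from the VPN address, but not a user who hands mail to an authenticated relay on 587 or 465, so keep reading the abuse reports.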

  8. #8
    Quote Originally Posted by Quel View Post
    I do think that you have a bot on your server. The best way ahead is to remove that bot (either by suspending the customer doing that type of activity or by locating the hacker that has installed it on the server, deleting the bot and changing passwords) and after removal reply to your datacenter with the actions taken.

    Regards

    Quel
    I don't have any idea how to scan for and remove bots.
