Ubuntu – Deny connection to and from a specific hostname on Ubuntu/Apache2

Tags: .htaccess, amazon-ec2, apache-2.2, ssh, Ubuntu

My WordPress EC2 server was probably hacked. When running the iftop command I can see that my server sends and receives data from a hostname "i157panamamails.com".

This hostname never goes away and is eating lots of bandwidth. I want to prevent the server from communicating with this hostname and deny it completely. I tried putting a "deny from" in the .htaccess and restarting the Apache2 server (using Ubuntu 10.0), but it didn't help; I can still see that hostname connection active. Maybe the connection is not from Apache2, but from what I know this is the only server installed.

How can I make the server deny this hostname?

More info:

  • in etc/hosts I have only 127.0.0.1

  • in etc/resolve.conf I have:

    nameserver [some_ip_address] <- this IP is for EC2, so no problem here

    domain ec2.internal

    search ec2.internal

  • The IP in the resolve.conf doesn't resolve to host name

  • Using the lsof command on ports 22/21/80 I can't find the hostname in the connections. Port 21 has one connection for the root user listening, but port 21 is not open in the EC2 security groups, and port 443 (HTTPS) has no connections

  • It seems that the connection is not on port 80 of Apache because lsof shows only my connection at a specific time frame, and I see the connection for that hostname still active in the network print. I assume that another piece of software that acts as a server might initialize that connection on an already open port 80 that is not related to Apache

  • Running NetHogs on eth0 shows me a program sshd: ubuntu@pts1 under user ubuntu that is continuously receiving and sending data (not Apache2). Looks suspicious

  • I also notice a lot of connections (~50) from a PROGRAM 37:80-[ip_addresses] on port 80 and other ports. Those PROGRAM(s) do not send or receive data (most of them)

  • Blocking the hostname in the host.deny didn't help

Update:
I've found out the IP and blocked it in iptables (both OUTPUT and INPUT). The server doesn't send data to that IP, but it does receive 240 bytes every second or so.

Best Answer

Okay, first of all you can run tcpdump on your server to analyze traffic.

tcpdump -s 65535 -w ~/traffic_capture.pcap 

Then you can read from this file with command:

tcpdump -vv -r ~/traffic_capture.pcap 

or download it to your computer and check it with Wireshark.

Also you can use iptables to log all of your outgoing traffic (here is the rule):

iptables -A OUTPUT -j LOG 

By default the log of this traffic will be in /var/log/kern.log.

Also you can run iftop with the flag -n, which will prevent iftop from doing hostname lookups.

Quote from the iftop manpage:

   By default, iftop will look up the hostnames associated with addresses
   it finds in packets. This can cause substantial traffic of itself, and
   may result in a confusing display. You may wish to suppress display of
   DNS traffic by using filter code such as not port domain, or switch it
   off entirely, by using the -n option or by pressing r when the program
   is running.

If you are sure that you got some kind of shell or malware, then you can try using maldet or ai-bolit to check for malware in Apache's directories.
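As an added example (not part of the answer above), here is a small Python script that reads the lines the `iptables -A OUTPUT -j LOG` rule writes to /var/log/kern.log and ranks outbound destinations by bytes and packets, so a persistent talker like the one in the question stands out even when iftop's hostname display is confusing. The sample log lines and addresses are constructed for the demonstration, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the format the kernel writes for `iptables -A OUTPUT -j LOG`.
# Addresses, ports and timestamps are hypothetical; only the layout matches kern.log.
SAMPLE_KERN_LOG = """\
Jun  1 10:00:01 ip-10-0-0-5 kernel: [1001.000001] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0
Jun  1 10:00:02 ip-10-0-0-5 kernel: [1002.000001] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45120 DPT=8080 WINDOW=14600 RES=0x00 ACK PSH URGP=0
Jun  1 10:00:03 ip-10-0-0-5 kernel: [1003.000001] IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=227 RES=0x00 ACK URGP=0
Jun  1 10:00:04 ip-10-0-0-5 kernel: [1004.000001] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=45120 DPT=8080 WINDOW=14600 RES=0x00 ACK PSH URGP=0
Jun  1 10:00:05 ip-10-0-0-5 kernel: [1005.000001] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=40000 DPT=53 LEN=53
"""

# KEY=value pairs we care about; \S* allows an empty value such as "OUT=" on inbound packets.
LOG_FIELD = re.compile(r"\b(OUT|SRC|DST|LEN|PROTO|DPT)=(\S*)")


def parse_log_line(line):
    """Return the interesting fields of one iptables LOG line, or None for other log lines."""
    if "OUT=" not in line or "DST=" not in line:
        return None
    fields = {}
    for key, value in LOG_FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first LEN= (IP total length), not the UDP one
    return fields


def summarize_outbound(log_text):
    """Aggregate packets and bytes per (DST, PROTO, DPT) for packets that left via an interface."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if not fields or not fields.get("OUT"):  # skip non-LOG lines and inbound packets
            continue
        key = (fields["DST"], fields.get("PROTO", "?"), fields.get("DPT", "?"))
        totals[key]["packets"] += 1
        totals[key]["bytes"] += int(fields.get("LEN", 0))
    return dict(totals)


def top_talkers(log_text, n=3):
    """Destinations sorted by bytes sent, highest first."""
    summary = summarize_outbound(log_text)
    return sorted(summary.items(), key=lambda item: item[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    # Replace SAMPLE_KERN_LOG with open("/var/log/kern.log").read() on a real host.
    for (dst, proto, dport), stats in top_talkers(SAMPLE_KERN_LOG):
        print(f"{dst:16} {proto:4} dport={dport:6} packets={stats['packets']:4} bytes={stats['bytes']}")
```

A destination that keeps appearing with a steady packet rate after you have blocked it, as in the update to the question, is worth matching against the tcpdump capture and the process list rather than only the host-name shown by iftop.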
