My WordPress EC2 server was probably hacked. When running the iftop command I can see that my server sends and receives data from a hostname named "i157panamamails.com".
This hostname never goes away and is eating lots of bandwidth. I want to prevent the server from communicating with this hostname and deny it completely. I tried putting a deny from rule in the .htaccess and restarting the Apache2 server (using Ubuntu 10.0), but it didn't help; I can still see that hostname connection active. Maybe the connection is not from Apache2, but as far as I know this is the only server installed.
How can I make the server deny this hostname?
More info:
- In /etc/hosts I have only 127.0.0.1
- In /etc/resolv.conf I have:
    nameserver [some_ip_address] <— this IP is for EC2, so no problem here
    domain ec2.internal
    search ec2.internal
- The IP in resolv.conf doesn't resolve to a host name
- Using the lsof command on ports 22/21/80 I can't find the host name in the connections. Port 21 has one connection for the root user listening, but port 21 is not open in the EC2 security groups, and port 443 (HTTPS) has no connections
- It seems that the connection is not on port 80 of Apache, because lsof shows only my connection at a specific time frame, and I still see the connection for that hostname active in the network output. I assume that another piece of software acting as a server might initiate that connection on an already open port 80 that is not related to Apache
- Running NetHogs on eth0 shows me a program "sshd: ubuntu@pts1" under user ubuntu which is continuously receiving and sending data (not Apache2). Looks suspicious
- I also notice a lot of connections (~50) from a PROGRAM 37:80-[ip_addresses] on port 80 and other ports. Those PROGRAM(s) do not send or receive data (most of them)
- Blocking the hostname in hosts.deny didn't help
Update:
I've found out the IP and blocked it in iptables (both OUTPUT and INPUT). The server doesn't send data to that IP, but it does receive 240 bytes every second or so.
Best Answer
Okay, first of all you can run tcpdump on your server to analyze traffic.
Then you can read from this file with the command:
or download it to your computer and check it with Wireshark.
Also you can use iptables to log all of your outgoing traffic (here is the rule):
By default the log of this traffic will be in /var/log/kern.log.
Also you can run iftop with the flag -n, which will prevent iftop from doing hostname lookups.
Quote from the iftop man page:
If you are sure that you got some kind of shell or malware, then you can try using maldet or ai-bolit to check for malware in Apache's directories.
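As an added example that is not part of the answer above, here is a POSIX shell sketch of the triage steps it outlines: the tcpdump capture, the iptables LOG rule on OUTPUT, iftop with -n, and then a small parser that summarises the resulting kern.log lines by destination so the chattiest endpoint stands out. The exact command lines, the "OUT-NEW: " log prefix and the sample log lines are my assumptions and constructed data, not anything from the original question or answer.

```shell
#!/bin/sh
# Added example (not from the original answer). The commands in this comment
# block are what I would type as root on the EC2 host; they are shown for
# reference and not executed by this script.
#
#   # 1. Capture everything except my own SSH session, without name lookups
#   tcpdump -i eth0 -n -w /tmp/outbound.pcap 'not port 22'
#   # 2. Read the capture back (or copy the .pcap to a workstation for Wireshark)
#   tcpdump -n -r /tmp/outbound.pcap | head -n 50
#   # 3. Log every NEW outbound connection with a recognisable prefix (assumed prefix)
#   iptables -I OUTPUT -m state --state NEW -j LOG --log-prefix "OUT-NEW: " --log-level 4
#   # 4. Watch live bandwidth per peer without reverse DNS
#   iftop -n -i eth0
#
# The LOG target writes lines like the constructed samples below to
# /var/log/kern.log. Three new connections to 198.51.100.7:6667, one to a
# web server, one ICMP echo, and one unrelated kernel line are included so
# the parser's filtering is exercised.
SAMPLE_LOG='Jan 10 12:00:01 ip-10-0-0-5 kernel: [1234.5] OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 10 12:00:02 ip-10-0-0-5 kernel: [1235.1] OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 10 12:00:03 ip-10-0-0-5 kernel: [1236.2] OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=44323 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 10 12:00:04 ip-10-0-0-5 kernel: [1237.0] OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:05 ip-10-0-0-5 kernel: [1238.0] eth0: link up, 1000Mbps, full-duplex
Jan 10 12:00:06 ip-10-0-0-5 kernel: [1239.4] OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=44324 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0'

# top_destinations: read kern.log text on stdin, keep only lines carrying the
# LOG prefix, and print "count DST DPT" with the busiest destination first.
# Lines without a DPT field (ICMP) get "-" so every row has three columns.
top_destinations() {
    grep 'OUT-NEW: ' \
    | awk '{
        dst = ""; dpt = "-";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (dst != "") count[dst " " dpt]++
      }
      END { for (k in count) print count[k], k }' \
    | sort -rn
}

# busiest_destination: the single IP that opened the most new outbound
# connections, i.e. the first candidate to look up in the pcap and to block.
busiest_destination() {
    top_destinations | head -n 1 | awk '{ print $2 }'
}

# Usage on a real host would be:  top_destinations < /var/log/kern.log
# Here the constructed sample is fed in instead.
printf '%s\n' "$SAMPLE_LOG" | top_destinations
```

Once the busiest destination is known, the same pcap can be filtered on it (tcpdump -n -r /tmp/outbound.pcap host <that IP>) to see which local process port is talking, which is the information the question's lsof and NetHogs checks were trying to get at.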