On 04/11/15 11:59, Marikkannan Rajagopal wrote:
> Dear All,
>
> I am facing an issue on a live server, and the live server is on
> "CENTOS". Some malicious hit is going out of my server through port
> number 53, and even though I ran too many tools like rkhunter, etc., I
> didn't find the malicious file or output on my server itself.
>
> The host name that is considered malicious is "irc.nets.hk", and
> it doesn't have any valid IP address. As a result of this my cloud
> provider's DNS blocked my server IP.
>
> Can I block port number 53 on my server itself (both
> outgoing/incoming)? I don't use port number 53 for my application.
>
> I can see the output only through "tcpdump on the specific port
> 53".
>
> Results:
>
> 11:46:37.568099 IP 119.19.44.31.48427 > 119.19.60.62.53: 14465+ A? irc.nets.hk. (29)
> 11:46:40.707735 IP 119.19.44.31.58955 > 119.19.60.63.53: 1919+ A? irc.nets.hk. (45)
> 11:46:45.712962 IP 119.19.44.31.57951 > 119.19.60.62.53: 1919+ A? irc.nets.hk. (45)
> 11:46:48.718333 IP 119.19.44.1.39769 > 119.19.60.63.53: 15764+ A? irc.nets.hk. (29)
>
> But I didn't get any results in my netstat and lsof.
>
> Kindly share the difference between tcpdump and netstat.
>
> Through iptables can we block port number 53? Is it
> possible at the OS level?
>
> Will blocking port 53 cause any issue on the server, because I am using
> ports 22, 25, 80 and 443?
>
> What does port 53 actually do on a default server?

Looks like a DNS request. If you block outgoing port 53 you will likely
not be able to resolve DNS.

Did your provider tell you in detail why they blocked your access to
their DNS?

You could try running suricata on your host to see if it tells you more
about suspicious network activity. http://suricata-ids.org/

HTH

Vik

--
Founder - Hamara Linux
www.hamaralinux.org
www.twitter.com/hamaralinux
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
ILUGC Mailing List Guidelines:
http://ilugc.in/mailinglist-guidelines
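An added example (not part of the thread, and not code from either poster) that does two things the thread asks about: it runs detection logic over the tcpdump lines quoted in the post to pick out the queries for a watch-listed name and count how often each source IP repeats them, and it joins a tcpdump source port to the socket table so the owning process can be named. The `ss -unp` output, the process name "perl" and the PID 4711 are constructed sample data for the example, not anything observed on the poster's server; the tcpdump lines are the ones quoted above, re-typed as input, plus one constructed benign query to show what is not flagged.

```python
import re
from collections import Counter

# Constructed input: the four tcpdump lines quoted in the post, plus one
# constructed benign query so the filter has something to leave alone.
TCPDUMP_SAMPLE = """\
11:46:37.568099 IP 119.19.44.31.48427 > 119.19.60.62.53: 14465+ A? irc.nets.hk. (29)
11:46:40.707735 IP 119.19.44.31.58955 > 119.19.60.63.53: 1919+ A? irc.nets.hk. (45)
11:46:45.712962 IP 119.19.44.31.57951 > 119.19.60.62.53: 1919+ A? irc.nets.hk. (45)
11:46:48.718333 IP 119.19.44.1.39769 > 119.19.60.63.53: 15764+ A? irc.nets.hk. (29)
11:46:50.100000 IP 119.19.44.31.40001 > 119.19.60.62.53: 2001+ A? mirror.centos.org. (35)
"""

# tcpdump's default rendering of a DNS query:
#   <time> IP <src>.<sport> > <dst>.<dport>: <id>[+] <qtype>? <qname>. (<len>)
# The "+" after the id means "recursion desired"; other flag characters may follow it.
DNS_QUERY_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): \d+[+%$]* "
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)


def parse_dns_query(line):
    """Return a dict for one tcpdump DNS query line, or None if it is not one."""
    m = DNS_QUERY_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["sport"], q["dport"] = int(q["sport"]), int(q["dport"])
    q["qname"] = q["qname"].lower()
    return q


def flag_queries(text, watchlist):
    """Parse every line of tcpdump output.

    Returns (flagged, counts): flagged is the list of parsed queries whose name is
    on the watchlist or a subdomain of a watchlisted name; counts tallies queries
    per (source IP, name), so a host repeating the same lookup every few seconds
    stands out even when the name itself is not yet on a list.
    """
    watch = {w.lower().rstrip(".") for w in watchlist}
    flagged, counts = [], Counter()
    for line in text.splitlines():
        q = parse_dns_query(line)
        if q is None:
            continue
        counts[(q["src"], q["qname"])] += 1
        labels = q["qname"].split(".")
        if any(".".join(labels[i:]) in watch for i in range(len(labels))):
            flagged.append(q)
    return flagged, counts


# Constructed sample of `ss -unp` output (UDP sockets with owning process).
# Column layout varies between iproute2 versions, so the parser keys on the
# "<local ip>:<port>" token and the users:((...pid=N...)) field, not on columns.
# Process name and PID here are invented for the example.
SS_SAMPLE = """\
Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
0      0      119.19.44.31:48427   119.19.60.62:53    users:(("perl",pid=4711,fd=3))
0      0      127.0.0.1:323        0.0.0.0:*          users:(("chronyd",pid=812,fd=5))
"""

SS_RE = re.compile(
    r'(?P<lip>\d+\.\d+\.\d+\.\d+):(?P<lport>\d+)\s+\S+\s+'
    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+)'
)


def socket_owners(ss_text):
    """Map (local ip, local port) -> (process name, pid) from `ss -unp` output."""
    owners = {}
    for line in ss_text.splitlines():
        m = SS_RE.search(line)
        if m:
            owners[(m["lip"], int(m["lport"]))] = (m["comm"], int(m["pid"]))
    return owners


def attribute(flagged, owners):
    """Join flagged queries to socket owners by (source ip, source port).

    A resolver's UDP socket lives only for the milliseconds between sendto()
    and the reply, which is why a one-shot netstat/lsof shows nothing while
    tcpdump, which sees every packet on the wire, shows the query. The join
    only succeeds for a socket table captured while the query was in flight;
    entries with no match come back as None.
    """
    return [
        (q["qname"], q["src"], q["sport"], owners.get((q["src"], q["sport"])))
        for q in flagged
    ]


if __name__ == "__main__":
    flagged, counts = flag_queries(TCPDUMP_SAMPLE, ["irc.nets.hk"])
    for (src, name), n in counts.most_common():
        print(f"{src:15} {name:20} {n} queries")
    for name, src, sport, owner in attribute(flagged, socket_owners(SS_SAMPLE)):
        print(f"{name} from {src}:{sport} -> {owner if owner else 'no socket seen'}")
```

The counter is the part worth looking at first: in the quoted capture the same A? query repeats every three to five seconds, which is the shape of a periodic beacon rather than an application resolving a name once. The attribution step only pays off if the socket table is sampled while a query is in flight, so in practice it is driven by a tight polling loop over `ss -unp` (or by logging outbound UDP/53 with the owning UID at the firewall) rather than by a single `netstat` run. Blocking port 53 outright, as the reply warns, stops the server's own resolution as well; a narrower rule that permits only the provider's resolvers and logs everything else keeps the server working while still exposing the process.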