Has my fedora 18 installation been hacked?
petasisg at yahoo.gr
Fri Mar 15 11:16:11 UTC 2013
I suspect that it is a Joomla 1.5.26 exploit. I have found two PHP files
in the tmp folder of one web site,
and POSTs to them in the Apache access log file.
(I know this is an old version of Joomla, and I have made the mistake of
making the folders tmp, cache & log writable by Apache in SELinux...)
Thus, I have shut down the web server, and will monitor the server for a few
days, to see if these firewall complaints persist.
On 15/3/2013 12:20 PM, agraham wrote:
> First, whois 184.108.40.206
> 220.127.116.11 belongs to a bank in the US https://www.53.com/
> I don't know if it's a real bank or what?
> $ whois 18.104.22.168
> The last part of your ISP's message is interesting because it says:
> "packet length 1400 bytes exceeds configured limit of 512 bytes"
> So something is sending excessively large UDP packets to the bank via
> port 53.
> This may just be DNSSEC EDNS0 protocol which is being blocked by your
> ISP's firewall.
> But in this case, 53.com does not support DNSSEC (never just a bank!)
> It would be good if you could ask your ISP for a packet capture (say
> in pcap format) which you could analyze off line.
> On 03/15/2013 09:05 AM, Georgios Petasis wrote:
>> Hi all,
>> I have a small server that I have recently upgraded to fedora 18. After
>> a while, I got notified by
>> the provider that their firewall catches thousands of requests, with the
>> following error message:
>> *Source IP*: ellogon-SKEL
>> *Source Port*: 35442
>> *Destination IP*: 22.214.171.124
>> *Destination Port*: 53
>> *Description*: Dropped UDP DNS request from dmz:ellogon-SKEL/35442 to
>> outside:126.96.36.199/53; packet length 1400 bytes exceeds configured
>> limit of 512 bytes
>> I have verified all packages (with rpm -Va), and didn't see anything
>> It is strange that the machine is trying to contact a server in USA,
>> isn't it?
>> Is there anything else to do, than re-installing the machine?
>> (Unfortunately, due to the huge load it creates to their firewall, they
>> remove the network cord from the server, so I have a few hours to debug