Dear All.,
I am facing the issue on live server and the live server is in
"CENTOS",some malicious hit is going out of my server through the port
number 53 and even though I ran too many too like rkhunter,etc. But I
didn't found the malicious file or output from my server itself.
And the host name is consider as malicious is "irc.nets.hk",and
it doesn't have any valid ipaddress.,and result of this my cloud provider
DNS blocked my server ip.
Can I block the port number 53 in my server itself (both
outgoing/incoming ).,and I didn't use the port number 53 for my application.
I can see the output only through "tcpdump on the specfic port
53"
Results:
11:46:37.568099 IP 119.19.44.31.48427 >
119.19.60.62.53: 14465+ A? irc.nets.hk. (29)
11:46:40.707735 IP 119.19.44.31.58955 > 119.19.60.63.53: 1919+ A?
irc.nets.hk. (45)
11:46:45.712962 IP 119.19.44.31.57951 > 119.19.60.62.53: 1919+ A?
irc.nets.hk. (45)
11:46:48.718333 IP 119.19.44.1.39769 > 119.19.60.63.53: 15764+ A?
irc.nets.hk. (29)
But I didn't get any results on my netstat and isof.,
Kindly share difference between tcpdump and netstat
Through Iptables we have block the port number 53 ? Is it
possible on OS level ?
Blocking of port 53 make any issue on server because I am using
port 22,25,80 and 443.
What actually the port 53 do in default server's.
Thanks in advance.
--
Thanks & Regards,
Marikkannan
