On Wed, Nov 4, 2015 at 5:29 PM, Marikkannan Rajagopal
<mail2marikkannan at gmail.com> wrote:
Dear All.,
I am facing the issue on live server and the live server is in
"CENTOS",some malicious hit is going out of my server through the port
number 53 and even though I ran too many too like rkhunter,etc. But I
didn't found the malicious file or output from my server itself.
And the host name is consider as malicious is "irc.nets.hk",and
it doesn't have any valid ipaddress.,and result of this my cloud provider
DNS blocked my server ip.
Can I block the port number 53 in my server itself (both
outgoing/incoming ).,and I didn't use the port number 53 for my application.
I can see the output only through "tcpdump on the specfic port
53"
Results:
11:46:37.568099 IP 119.19.44.31.48427 >
119.19.60.62.53: 14465+ A? irc.nets.hk. (29)
11:46:40.707735 IP 119.19.44.31.58955 > 119.19.60.63.53: 1919+ A?
irc.nets.hk. (45)
11:46:45.712962 IP 119.19.44.31.57951 > 119.19.60.62.53: 1919+ A?
irc.nets.hk. (45)
11:46:48.718333 IP 119.19.44.1.39769 > 119.19.60.63.53: 15764+ A?
irc.nets.hk. (29)
But I didn't get any results on my netstat and isof.,