Security Issue - Rootkit

[mattclements]

Hello all,

Our dedicated server was suspended for a short time today with the following security log (switch traffic) issues. I added a firewall rule to get this sorted for now however does anybody have any idea what this could be?

 

06:11:04.017603 IP x.x.x.x.52218 > y.y.y.y.110: UDP, length 15

 

?

 

Regards,

Matt

[Pikachu2000]

Not 100% certain, but it appears to be mail related. Is your mail server set up as an open relay, perchance? Do you have any contact forms that haven't been protected against email header injection?

[divinequran]

Hi,

 

I am curious to know about the problem, have you found what the issue is?

[j.smith1981]

It looks to me like someones been trying to get into the POP3 service as POP3 works on port 110.

 

But on UDP (standing for of course User Datagram Protocol) connectionless network protocol good for media streaming but rubbish for sending over complete documents over any kind of network, as you would very often get (if not all the time) corrupted data on the receiving end (in this case being emails of course).

 

I would being that I have spent some time in working on PHP sockets would say you would be wise to block all UDP traffic to port 110, but does anyone know if POP3 uses UDP? I am not 100% sure as it could stop you receiving emails, I am not too sure.

 

I mean I have never looked out for POP3 using UDP but never seen it being used on my router (from what I can remember of course) which keeps track of all current states of my own network which houses my own small based server.

 

Hope this helps anyways,

Jeremy.

[Pikachu2000]

This thread is approaching a year old, in case you hadn't noticed.

[j.smith1981]

Yea I just thought I would tell anyone that has had the same problem that's all