• Dear,
    I installed the plugin to back up a website to my local NAS/Backup system.
    After the configuration I found a lot of blocked connections in my firewall log.
    I configured the plugin at 10:35:25, before that moment my log was empty.

    Strange thing!!

    All blocked IPs are from Ukraine and are reported as SPAM IPs.

    Jun 18 10:35:29 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=52264 PROTO=TCP SPT=54279 DPT=52505 SEQ=2384993447 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:36:07 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=51104 PROTO=TCP SPT=54279 DPT=64411 SEQ=3702202797 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:36:17 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=166.111.8.246 DST=79.32.29.150 LEN=76 TOS=0x00 PREC=0x00 TTL=236 ID=54321 PROTO=TCP SPT=51237 DPT=22 SEQ=3379109281 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0402080AFFFFFFFF0101010103030101220240021E0C00810C0C0C0C0C0C0C0C00000000) 
    Jun 18 10:36:25 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=53262 PROTO=TCP SPT=54279 DPT=58493 SEQ=1997810149 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:37:45 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=185.255.31.80 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=9470 PROTO=TCP SPT=45955 DPT=3420 SEQ=2164274228 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:38:07 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=77.72.82.24 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=872 PROTO=TCP SPT=56312 DPT=10842 SEQ=51524772 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:38:30 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=163.172.194.85 DST=79.32.29.150 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=20759 DF PROTO=TCP SPT=62946 DPT=4728 SEQ=2682970590 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402) 
    Jun 18 10:39:16 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=188.246.234.62 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=49618 PROTO=TCP SPT=42012 DPT=8443 SEQ=1201994943 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:39:51 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=185.255.31.80 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=58650 PROTO=TCP SPT=45955 DPT=2018 SEQ=1790115694 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:39:54 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.195.203.91 DST=79.32.29.150 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=64599 DF PROTO=TCP SPT=43250 DPT=6379 SEQ=3198014146 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405900402080A34CC2E950000000001030307) 
    Jun 18 10:40:20 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=78.187.159.164 DST=79.32.29.150 LEN=44 TOS=0x00 PREC=0x00 TTL=236 ID=43294 PROTO=TCP SPT=54211 DPT=1433 SEQ=1950462225 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405AC) 
    Jun 18 10:40:37 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=37807 PROTO=TCP SPT=54279 DPT=63611 SEQ=1856206402 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:41:15 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=216.98.153.248 DST=79.32.29.150 LEN=43 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=UDP SPT=11211 DPT=11211 LEN=23 
    Jun 18 10:42:54 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=185.255.31.80 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=36909 PROTO=TCP SPT=45955 DPT=33396 SEQ=2222985167 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:43:31 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=27.198.135.109 DST=79.32.29.150 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=46602 DF PROTO=TCP SPT=15012 DPT=23 SEQ=3774884291 ACK=0 WINDOW=14120 RES=0x00 SYN URGP=0 OPT (020405840101040201030305) 
    Jun 18 10:43:32 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=27.198.135.109 DST=79.32.29.150 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=46603 DF PROTO=TCP SPT=15012 DPT=23 SEQ=3774884291 ACK=0 WINDOW=14120 RES=0x00 SYN URGP=0 OPT (020405840101040201030305) 
    Jun 18 10:44:26 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=77.72.82.24 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=10838 PROTO=TCP SPT=56312 DPT=21569 SEQ=2969461633 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:46:39 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=40955 PROTO=TCP SPT=54279 DPT=56784 SEQ=3458817981 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:48:06 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=163.172.194.85 DST=79.32.29.150 LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=25209 DF PROTO=TCP SPT=53358 DPT=4730 SEQ=1796478772 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402) 
    Jun 18 10:48:08 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=77.72.82.24 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=20039 PROTO=TCP SPT=56312 DPT=15702 SEQ=3858787975 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:48:14 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=77.72.82.24 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=38723 PROTO=TCP SPT=56312 DPT=12572 SEQ=715963337 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
    Jun 18 10:49:26 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=10798 PROTO=TCP SPT=54279 DPT=56764 SEQ=3709331972 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
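A small triage script for log lines like the ones quoted above, added here as an example (it is not part of the original thread or of the XCloner plugin): it parses the netfilter-style `key=value` fields, groups the blocked inbound packets by source address and records first-seen time, protocol, source ports and destination ports per source. That makes the pattern in the 46.161.27.244 entries visible at a glance (one fixed source port 54279 against many unrelated destination ports), and it lets you line the first event up against the configuration time the poster mentions. The sample input is a handful of the lines from the post; the port-name table and the classification thresholds are my own choices and are assumptions, not anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the netfilter log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 18 10:35:29 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=52264 PROTO=TCP SPT=54279 DPT=52505 SEQ=2384993447 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 18 10:36:07 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=51104 PROTO=TCP SPT=54279 DPT=64411 SEQ=3702202797 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 18 10:36:17 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=166.111.8.246 DST=79.32.29.150 LEN=76 TOS=0x00 PREC=0x00 TTL=236 ID=54321 PROTO=TCP SPT=51237 DPT=22 SEQ=3379109281 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0402080AFFFFFFFF0101010103030101220240021E0C00810C0C0C0C0C0C0C0C00000000)
Jun 18 10:36:25 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=46.161.27.244 DST=79.32.29.150 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=53262 PROTO=TCP SPT=54279 DPT=58493 SEQ=1997810149 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 18 10:41:15 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=216.98.153.248 DST=79.32.29.150 LEN=43 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=UDP SPT=11211 DPT=11211 LEN=23
Jun 18 10:43:31 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=27.198.135.109 DST=79.32.29.150 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=46602 DF PROTO=TCP SPT=15012 DPT=23 SEQ=3774884291 ACK=0 WINDOW=14120 RES=0x00 SYN URGP=0 OPT (020405840101040201030305)
Jun 18 10:43:32 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=27.198.135.109 DST=79.32.29.150 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=46603 DF PROTO=TCP SPT=15012 DPT=23 SEQ=3774884291 ACK=0 WINDOW=14120 RES=0x00 SYN URGP=0 OPT (020405840101040201030305)
"""

# "Jun 18 10:35:29 kernel: [BLOCKED - INBOUND] <key=value fields and bare flags>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) kernel: "
    r"\[(?P<tag>[^\]]+)\] (?P<rest>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Standard service names for the well-known ports that appear in the post (assumed mapping).
KNOWN_PORTS = {22: "ssh", 23: "telnet", 1433: "mssql", 6379: "redis",
               8443: "https-alt", 11211: "memcached"}


def parse_line(line):
    """Parse one netfilter log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "tag": m.group("tag")}
    for key, val in KV_RE.findall(rest):
        # UDP lines carry LEN twice (IP total length, then UDP length); keep the first.
        rec.setdefault(key, val)
    # Bare tokens such as SYN or DF are TCP/IP flags; OPT just introduces the options blob.
    rec["flags"] = {t for t in rest.split()
                    if "=" not in t and t.isalpha() and t != "OPT"}
    return rec


def summarize(log_text):
    """Group blocked inbound packets by source address."""
    per_src = defaultdict(lambda: {"hits": 0, "first_seen": None, "protos": set(),
                                   "sports": set(), "dports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        s = per_src[rec["SRC"]]
        if s["hits"] == 0:
            s["first_seen"] = rec["ts"]
        s["hits"] += 1
        if "PROTO" in rec:
            s["protos"].add(rec["PROTO"])
        if "SPT" in rec:
            s["sports"].add(int(rec["SPT"]))
        if "DPT" in rec:
            s["dports"].add(int(rec["DPT"]))
    return per_src


def classify(stats):
    """Heuristic triage label; the thresholds are an assumption, tune them for your own logs."""
    if len(stats["dports"]) >= 3 and len(stats["sports"]) == 1:
        return "port-scan (one fixed source port, many destination ports)"
    if len(stats["dports"]) == 1 and stats["hits"] > 1:
        return "repeated probe of one service"
    return "single probe"


def report(log_text):
    """Return one human-readable line per source, most active first."""
    lines = []
    for src, s in sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["hits"]):
        ports = ", ".join(f"{p}/{KNOWN_PORTS.get(p, '?')}" for p in sorted(s["dports"]))
        lines.append(f"{src:<16} first={s['first_seen']} hits={s['hits']} "
                     f"proto={'/'.join(sorted(s['protos']))} dports=[{ports}] -> {classify(s)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log from the post, the per-source summary is what a firewall or NAS owner needs in order to answer the question the plugin author asks further down (whether the connections target a specific path or service): the script shows that they target ports, not paths, and the first-seen column is the value to compare with the moment the plugin was configured.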
    
Viewing 3 replies - 1 through 3 (of 3 total)
  • Although I don’t think your issue is related to XCloner, are you able to duplicate the issue on another server? If you remove XCloner, do the connections stop?

    Can you give more details on the access logs, are the connections targeting a specific path?

    Thread Starter brambil (@brambil)

    Dear.

    I made 3 other tests.

    In the first installation (the one whose log is above) I put a DDNS in the configuration (I have a dynamic IP).
    If I remove XCloner, the connections go on.
    If I change IP and update the DNS, the malicious connections start again.

    So I can assume my DDNS is used to attack.

    I installed XCloner in another WordPress and changed my IP WITHOUT updating the DDNS (–> no blocked connections in the log).
    First I configured it to use my IP, and after 10 seconds my firewall started to block connections.

    Last experiment:
    I registered a new DDNS and configured it in XCloner; every time I change IP and update this new DDNS, malicious connections are blocked by my firewall.

    I don’t know what those connections are targeting: they are blocked by the firewall because the IPs are in many blacklists.

    It looks like the XCloner config is also stored outside my DB…

    This is the first time I get a report like this, so I will have to look more into it to see what happens.

    XCloner config is stored in the database, in the wp_options table; no sensitive data is kept in the server files.

  • The topic ‘Strange FTP activity on host’ is closed to new replies.