
I have the following setup: Nginx + php-fpm, with Nginx listening on ports 80 and 443.

Recently I noticed that connections were made from this server's port 80 to a remote machine on port 580x. [src port is 80 (Nginx) and dst port is 580x]

Has anyone seen such an exploit before? I have checked the Nginx logs, netstat connections, current sessions, secure, messages and audit logs but found nothing interesting.

What I find weird is my Nginx initiating a connection to port 580x on a remote server.

Thanks, Termcap

  • Are you sure that the connection was made *from* port 80? If the server is *listening* on this port as you said it is more likely that it was made *to* port 80. Or did you mean that you observed packets from port 80 flowing to port 580x, which is not the same as a connection getting established in this direction. Could you please provide the exact details of what happened instead of only your interpretation of it? – Steffen Ullrich Sep 26 '21 at 19:26
    @SteffenUllrich Yes, the netflow data shows the source port as 80 and the destination port as 580x. This was also alerted in our SIEM as an outbound VNC connection. The other abnormality here is that if Nginx had received a connection on port 80 to which it responded, there should be access log entries, and I found none. So that is why I have excluded it as an incoming connection being responded to. In fact I have not found the remote IP in any of my logs. – termcap Sep 26 '21 at 19:53
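The distinction raised in the comments (packets leaving port 80 versus a connection established from port 80) can be settled from the flow records themselves, because unidirectional NetFlow/IPFIX exports carry the first-seen time and the cumulative TCP flags of each direction. Whichever side's record starts first and carries a SYN is the initiator; a record from port 80 that contains a bare SYN with no ACK means nothing was ever answered, so the local side opened it. The script below is an added example, not code from the question or from any of the tools mentioned; the flow records, the server address 198.51.100.5 and the client addresses in the 203.0.113.0/24 range are constructed for illustration.

```python
"""Added example: decide whether flows leaving a listening port are the
reply half of inbound connections or connections the server initiated.
All flow data below is constructed, not taken from the question."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# TCP flag bits as exported in NetFlow v5/v9 and IPFIX tcpControlBits.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Flow:
    start: float   # first-seen time of the record (epoch seconds)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int     # cumulative OR of the flags seen on the record's packets
    packets: int


def reverse_of(f: Flow, flows: Iterable[Flow]) -> Optional[Flow]:
    """Return the record for the opposite direction of the same 4-tuple."""
    for g in flows:
        if (g.src, g.sport, g.dst, g.dport) == (f.dst, f.dport, f.src, f.sport):
            return g
    return None


def classify(f: Flow, flows: Iterable[Flow]) -> str:
    """Classify a record whose source is the server's listening port.

    'reply'     - the peer sent the first SYN; the server is just answering
    'initiated' - the server side sent the first SYN; a real outbound connection
    'unpaired'  - no reverse record was exported (sampling, or a real one-way flow)
    'unknown'   - neither direction carries a SYN (active-timeout fragment)
    """
    if f.flags & SYN and not f.flags & ACK:
        # Only a bare SYN ever left the port: the local side was the initiator.
        return "initiated"
    rev = reverse_of(f, flows)
    if rev is None:
        return "unpaired"
    if not (f.flags & SYN) and not (rev.flags & SYN):
        return "unknown"
    if rev.flags & SYN and rev.start <= f.start:
        return "reply"
    return "initiated"


def flows_needing_attention(flows: List[Flow], server_ip: str,
                            port: int = 80) -> List[Tuple[Flow, str]]:
    """Every record from server_ip:port that is not simply a reply."""
    out = []
    for f in flows:
        if f.src == server_ip and f.sport == port:
            verdict = classify(f, flows)
            if verdict != "reply":
                out.append((f, verdict))
    return out


SERVER = "198.51.100.5"   # constructed nginx host (RFC 5737 documentation range)
SAMPLE_FLOWS = [
    # Normal HTTP: the client opens to :80 and the server answers from :80.
    Flow(100.00, "203.0.113.10", 5801, SERVER, 80, SYN | ACK | PSH | FIN, 6),
    Flow(100.01, SERVER, 80, "203.0.113.10", 5801, SYN | ACK | PSH | FIN, 5),
    # Bare SYN leaving :80 with no reverse record: server-side initiation.
    Flow(200.00, SERVER, 80, "203.0.113.77", 5802, SYN, 3),
    # Full handshake where the server's record starts first: outbound.
    Flow(300.00, SERVER, 80, "203.0.113.88", 5803, SYN | ACK | PSH, 9),
    Flow(300.02, "203.0.113.88", 5803, SERVER, 80, SYN | ACK, 8),
    # Mid-connection fragment whose reverse record is missing from the export.
    Flow(400.00, SERVER, 80, "203.0.113.99", 5804, ACK | PSH, 40),
]

if __name__ == "__main__":
    for f, verdict in flows_needing_attention(SAMPLE_FLOWS, SERVER):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"flags=0x{f.flags:02x} pkts={f.packets} {verdict}")
```

Run against a real export, a 'reply' verdict should line up with an access-log entry from that client address, so a flow that classifies as 'reply' with no matching log line points at the exporter or the log, not at nginx. A bare-SYN or server-first record is the case worth escalating: on Linux, binding a source port below 1024 for an outbound connect normally requires root or CAP_NET_BIND_SERVICE, which an nginx worker does not have, so such a flow would come from a privileged process or from the kernel rather than from a worker serving requests.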

0 Answers