SYN_SENT in wflogs/[filename].php
Hello, my hosting provider notifies me that earlier today they received several emails from their system containing the following:
lsphp 255641 username cwd DIR 253,0 4096 17015496 /home/username/website/wp-admin
lsphp 255641 username 7u REG 253,0 51 21152705 /home/username/website/wp-content/wflogs/ips.php
lsphp 255641 username 8u REG 253,0 560 21152784 /home/username/website/wp-content/wflogs/config.php
lsphp 255641 username 9u REG 253,0 40083 21112604 /home/username/website/wp-content/wflogs/attack-data.php
lsphp 255641 username 10u REG 253,0 14218 21116318 /home/username/website/wp-content/wflogs/config-synced.php (deleted)
lsphp 255641 username 11u REG 253,0 37889 21112666 /home/username/website/wp-content/wflogs/config-livewaf.php
lsphp 255641 username 12u REG 253,0 1545298 21153461 /home/username/website/wp-content/wflogs/config-transient.php
lsphp 255641 username 14u IPv4 2263568748 0t0 TCP localhost:40946->localhost:memcache (SYN_SENT)
lsphp 257665 username cwd DIR 253,0 4096 17016270 /home/username/website
lsphp 257665 username 7u REG 253,0 51 21152705 /home/username/website/wp-content/wflogs/ips.php
lsphp 257665 username 8u REG 253,0 560 21152784 /home/username/website/wp-content/wflogs/config.php
lsphp 257665 username 9u REG 253,0 40083 21112604 /home/username/website/wp-content/wflogs/attack-data.php
lsphp 257665 username 10u REG 253,0 14218 21112680 /home/username/website/wp-content/wflogs/config-synced.php (deleted)
lsphp 257665 username 11u REG 253,0 37889 21112666 /home/username/website/wp-content/wflogs/config-livewaf.php
lsphp 257665 username 12u REG 253,0 1545298 21153461 /home/username/website/wp-content/wflogs/config-transient.php
lsphp 257665 username 14u IPv4 2263561840 0t0 TCP localhost:40924->localhost:memcache (SYN_SENT)
lsphp 265986 username cwd DIR 253,0 4096 17016270 /home/username/website
lsphp 265986 username 7u REG 253,0 51 21152705 /home/username/website/wp-content/wflogs/ips.php
lsphp 265986 username 8u REG 253,0 560 21152784 /home/username/website/wp-content/wflogs/config.php
lsphp 265986 username 9u REG 253,0 40083 21112604 /home/username/website/wp-content/wflogs/attack-data.php
lsphp 265986 username 10u REG 253,0 14216 21116535 /home/username/website/wp-content/wflogs/config-synced.php (deleted)
lsphp 265986 username 11u REG 253,0 37889 21112666 /home/username/website/wp-content/wflogs/config-livewaf.php
lsphp 265986 username 12u REG 253,0 1545298 21153461 username/wp-content/wflogs/config-transient.php
lsphp 265986 username 14u IPv4 2263533408 0t0 TCP localhost:40930->localhost:memcache (SYN_SENT)

These notifications are sent by their firewall to indicate that it has blocked its service because it is making anomalous connections, of type SYN_SENT, which are usually attributable to outward DDoS attacks.
If the firewall performs this type of action, it means that something abnormal or “different than usual” is being performed.
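
A triage sketch for lsof output like the lines above, added here as an example and not part of the original post or the hosting provider's tooling: it picks out sockets in SYN_SENT and labels each destination as loopback or remote, which matters because in the pasted lines both endpoints are localhost and the destination service is memcache. The sample lines, their PIDs and the 203.0.113.7 peer are constructed, and the set of loopback names is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the same column layout as the lsof lines in the post
# (PIDs are made up; the 203.0.113.7 rows are a hypothetical remote peer).
SAMPLE = """\
lsphp 1001 username 7u REG 253,0 51 21152705 /home/username/website/wp-content/wflogs/ips.php
lsphp 1001 username 14u IPv4 2263568748 0t0 TCP localhost:40946->localhost:memcache (SYN_SENT)
lsphp 1002 username 14u IPv4 2263561840 0t0 TCP localhost:40924->localhost:memcache (SYN_SENT)
lsphp 1003 username 15u IPv4 2263500000 0t0 TCP web01:51000->203.0.113.7:http (SYN_SENT)
lsphp 1003 username 16u IPv4 2263500001 0t0 TCP web01:51002->203.0.113.7:https (ESTABLISHED)
"""

# Names treated as loopback (assumption; extend for the host's own aliases).
LOOPBACK = {"localhost", "127.0.0.1", "[::1]", "ip6-localhost"}
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (TCP rows only)
TCP_ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<src>\S+)->(?P<dst>\S+)\s+\((?P<state>[A-Z_0-9]+)\)\s*$")

def half_open(text):
    """Return one dict per TCP socket that lsof reports in SYN_SENT."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m or m["state"] != "SYN_SENT":
            continue  # regular files, directories and other TCP states
        host, _, port = m["dst"].rpartition(":")
        scope = "loopback" if host in LOOPBACK else "remote"
        rows.append({"pid": int(m["pid"]), "cmd": m["cmd"],
                     "host": host, "port": port, "scope": scope})
    return rows

def summarize(rows):
    """Count SYN_SENT sockets per (scope, destination host, destination port)."""
    return Counter((r["scope"], r["host"], r["port"]) for r in rows)

if __name__ == "__main__":
    for (scope, host, port), n in sorted(summarize(half_open(SAMPLE)).items()):
        print(f"{n:3d}  {scope:8s} {host}:{port}")
```
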