rhel 8.10 server possibly being used for dns query
by vinmansbrew from LinuxQuestions.org on (#6NMW9)
I have a RHEL 8.10 server, and it appears it may be getting used to make DNS requests for another, outside IP.
It's a WordPress server. The server is fully updated, both OS and WordPress.
I have an app called darktrace, and it is alerting with this message:
wordpress server.com breached Antigena/Network/Significant Anomaly/Antigena Significant Anomaly from Server Block
wordpress site.com made a successful DNS request for ns3088854.ip-217-182-175.eu to dns server [53]
How would I look for this? I've never come across this before.
I've tried setting firewalld to drop anything but allowed connections.
I ran maldet and rkhunter, neither found anything, of course that doesn't always mean anything.
The server works OK until this detection is made; then the WordPress site times out, and I cannot SSH to the server. I have to be at a direct terminal.
Suggestions welcome
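An added example, not from the original post: a small POSIX shell helper that tallies the names queried in a capture of port-53 traffic, so that a hostname named in an alert like the one above can be checked against what the server is actually asking its resolver for, and how often. The capture lines embedded below are constructed for the example; the `tcpdump` invocation in the comment is the real command that produces this line format.

```shell
#!/bin/sh
# Tally DNS query names from tcpdump text output.
#
# Live input is produced on the server with (run as root, adjust interface/resolver):
#   tcpdump -nn -l -i any udp port 53 > /tmp/dns.txt
# Each query line looks like:
#   <time> IP <src>.<port> > <resolver>.53: <id>+ A? example.org. (31)
# Responses carry no "?" token and are therefore skipped.

# Constructed sample capture (not real traffic from the poster's server).
SAMPLE_CAPTURE=$(cat <<'EOF'
12:00:01.123456 IP 10.0.0.5.41234 > 10.0.0.2.53: 12345+ A? wordpress.org. (31)
12:00:01.130000 IP 10.0.0.2.53 > 10.0.0.5.41234: 12345 1/0/0 A 198.143.164.252 (47)
12:00:02.000000 IP 10.0.0.5.41235 > 10.0.0.2.53: 54321+ A? ns3088854.ip-217-182-175.eu. (45)
12:00:03.000000 IP 10.0.0.5.41236 > 10.0.0.2.53: 11111+ AAAA? ns3088854.ip-217-182-175.eu. (45)
12:00:04.000000 IP 10.0.0.5.41237 > 10.0.0.2.53: 22222+ A? api.wordpress.org. (35)
EOF
)

# count_dns_queries: read tcpdump lines on stdin, print "<count> <name>"
# sorted by count, highest first. The query type token ("A?", "AAAA?", "TXT?")
# is the field ending in "?"; the queried name is the field right after it.
count_dns_queries() {
    awk '{
        for (i = 1; i < NF; i++) {
            if (substr($i, length($i)) == "?") {
                name = $(i + 1)
                sub(/\.$/, "", name)      # strip the trailing root dot
                counts[name]++
                break
            }
        }
    }
    END { for (n in counts) print counts[n], n }' | sort -rn
}

# top_dns_query: the single most-queried name (first line of the tally).
top_dns_query() {
    count_dns_queries | sed -n '1p'
}

# Usage on the embedded sample:
printf '%s\n' "$SAMPLE_CAPTURE" | count_dns_queries
```

Feed the tally a real capture file with `count_dns_queries < /tmp/dns.txt`. The timestamp of a query for the alerted name is the pivot for the next step: compare it with the web server access log and with `ss -tunap` output from the same moment to see which request or process was active when the lookup went out.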