Server Cycling through ports trying to connect to client.

PointsWell
Posts: 1460
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Server Cycling through ports trying to connect to client.

Post by PointsWell »

My server output periodically shows the server attempting via activemq to connect to a server in Brisbane 45.248.77.245

Is this just me? It doesn't appear to be any service that I have called (consciously). They are all private ports...

Code:

2018-08-30 10:55:33,486 org.apache.activemq.broker.TransportConnection.Transport  -Transport Connection to: tcp://45.248.77.245:60074 failed: org.apache.activemq.transport.InactivityIOException: Channel was inactive for too (>30000) long: tcp://45.248.77.245:60074
2018-08-30 10:55:34,732 org.apache.activemq.broker.TransportConnection.Transport  -Transport Connection to: tcp://45.248.77.245:60075 failed: org.apache.activemq.transport.InactivityIOException: Channel was inactive for too (>30000) long: tcp://45.248.77.245:60075
2018-08-30 10:58:35,086 org.apache.activemq.broker.TransportConnection.Transport  -Transport Connection to: tcp://45.248.77.245:63410 failed: org.apache.activemq.transport.InactivityIOException: Channel was inactive for too (>30000) long: tcp://45.248.77.245:63410
2018-08-30 11:01:38,581 org.apache.activemq.broker.TransportConnection.Transport  -Transport Connection to: tcp://45.248.77.245:64164 failed: org.apache.activemq.transport.InactivityIOException: Channel was inactive for too (>30000) long: tcp://45.248.77.245:64164
2018-08-30 11:07:09,440 org.apache.activemq.broker.TransportConnection.Transport  -Transport Connection to: tcp://45.248.77.245:64854 failed: org.apache.activemq.transport.InactivityIOException: Channel was inactive for too (>30000) long: tcp://45.248.77.245:64854
Last edited by PointsWell on Fri Aug 31, 2018 1:06 am, edited 2 times in total.
BenHayat
Posts: 2749
Joined: Thu Dec 23, 2010 5:48 am
Location: Fla, USA

Re: Server attempting to connect to 45.248.77.245

Post by BenHayat »

Once you get to the bottom of this, please share with us. Does the app run slow? It seems like each timeout takes 30 seconds before the next try.
PointsWell
Posts: 1460
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Server attempting to connect to 45.248.77.245

Post by PointsWell »

BenHayat wrote: Once you get to the bottom of this, please share with us. Does the app run slow? It seems like each timeout takes 30 seconds before the next try.
Haven't noticed it running slow before; it was just because the server was idle that it showed up (when the server is running I suspect it disappears into a whole bunch of annoying MySQL warnings).

And a whois doesn't show much information about the server.
Jaymer
Posts: 2457
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Server attempting to connect to 45.248.77.245

Post by Jaymer »

I ALWAYS have my Server Output open and monitored.
Never seen anything like that.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
customaware
Posts: 2405
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Server attempting to connect to 45.248.77.245

Post by customaware »

Have you run a penetration test against the server?

I recently used https://pentest-tools.com which runs quite an extensive set of vulnerability tests (26) and gives you 500 credits for 45 bucks.

Revealed some very interesting stuff that I have since fixed by updating some of the configuration in the Tomcat conf files... server.xml and web.xml.

With TC 8.5, some of the old configuration is now deprecated and you need to add some of the new stuff manually.

By and large, my Aware server fared pretty well, but I am glad to close the few last potential gaps.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0, MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
himanshu
Posts: 723
Joined: Thu Jun 19, 2008 6:24 am
Location: India

Re: Server attempting to connect to 45.248.77.245

Post by himanshu »

eagles9999 wrote: Have you run a penetration test against the server?

I recently used https://pentest-tools.com which runs quite an extensive set of vulnerability tests (26) and gives you 500 credits for 45 bucks.

Revealed some very interesting stuff that I have since fixed by updating some of the configuration in the Tomcat conf files... server.xml and web.xml.

With TC 8.5, some of the old configuration is now deprecated and you need to add some of the new stuff manually.

By and large, my Aware server fared pretty well, but I am glad to close the few last potential gaps.
Thanks for sharing, Mark. If there is some info you can share with the community to keep our servers safe, that would be nice. I will also give the above tool a try.
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
PointsWell
Posts: 1460
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Server attempting to connect to 45.248.77.245

Post by PointsWell »

eagles9999 wrote: Have you run a penetration test against the server?

I recently used https://pentest-tools.com which runs quite an extensive set of vulnerability tests (26) and gives you 500 credits for 45 bucks.

Revealed some very interesting stuff that I have since fixed by updating some of the configuration in the Tomcat conf files... server.xml and web.xml.

With TC 8.5, some of the old configuration is now deprecated and you need to add some of the new stuff manually.

By and large, my Aware server fared pretty well, but I am glad to close the few last potential gaps.
Will have a look at this, but for my issue the call is coming from inside the house :shock:
customaware
Posts: 2405
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Server attempting to connect to 45.248.77.245

Post by customaware »

That is EXACTLY my point.

Possibly someone has been in there doing their own thing.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0, MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
PointsWell
Posts: 1460
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Server attempting to connect to 45.248.77.245

Post by PointsWell »

eagles9999 wrote: That is EXACTLY my point.

Possibly someone has been in there doing their own thing.

Hmm interesting...

There is a weird access log called myfirstapp_access_log.txt and in it are a bunch of attempts to access from 45.248.77.204
BenHayat
Posts: 2749
Joined: Thu Dec 23, 2010 5:48 am
Location: Fla, USA

Re: Server attempting to connect to 45.248.77.245

Post by BenHayat »

PointsWell wrote: Will have a look at this, but for my issue the call is coming from inside the house :shock:
I think you may have ghost in the house. :D
PointsWell
Posts: 1460
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Server attempting to connect to 45.248.77.245

Post by PointsWell »

So I identified myself in the logs unsurprisingly, I don't need to keep my own stupidity on show here.
Last edited by PointsWell on Fri Aug 31, 2018 1:07 am, edited 2 times in total.
customaware
Posts: 2405
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Server attempting to connect to 45.248.77.245

Post by customaware »

The DNS records look awfully suspicious....


45.248.77.204 SOA 1799 ns1.r4ns.com [email protected] 1535587200 10800 3600 604800 3600

ransonit.com.au !!!
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0, MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
PointsWell
Posts: 1460
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Server attempting to connect to 45.248.77.245

Post by PointsWell »

You know when you are so tired you can’t remember your name.

Well, if you use a well-known VPN and select an Australian server, then the IP address will be in the range 45.248.77.nnn, and AIM working as it should shows me in the logs. That would explain the highly specific access of AwareIM folders.

But it doesn’t explain the server making calls to the IP address and cycling through a series of ports.

I’m going to go and drink some very nice whisky now and lie quietly in a darkened room.