Server hacked and I now question some ethernet activity
My 10.6 Snow Leopard server was hacked and, according to my ISP, was apparently sending out emails.
I turned off the MySQL server and then shut down two hacker IP addresses using the firewall. These actions settled the server back down.
The next day I restarted the MySQL server and did not notice any issue with processor usage.
I found the NTP hack issue and turned off the automatic time function. So the network time process is OFF.
Now, in the aftermath, I am left with some curious Ethernet IP activity that I don't believe is NORMAL?
I have a virtual web server with 27 web sites and an address that ends in .29.
I have a second IP address on the server ending in .25.
Curiously, this second IP results in a massive amount of traffic NOW being denied. Sometimes the dynamic rules hit 800+ and it is all related to this IP.
Traffic looks like this: "STATE UDP IPaddress25 port 50318 <-> to DNS port 53"
as in "(9s) STATE udp 50.78.225.25 50318 <-> 75.75.75.75 53"
It seems like this Ethernet port is cycling through port numbers 49000 and above, which are UDP private ports, and the traffic is going to a DNS IP.
The firewall action is DENY and it cycles up with a high amount of activity and then dies back down.
Since I am not using Safari, etc., this doesn't seem reasonable to me and I have the feeling something has been dumped onto the server.
ANY THOUGHTS WOULD BE APPRECIATED.
THANKS,
Ed
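As an added example (not part of Ed's post), the Python below parses firewall state lines in the format quoted above and summarises, per source IP, how many outbound UDP/53 flows there were, from how many distinct ephemeral ports, and to which resolvers, then flags the addresses that match the port-cycling pattern described. Everything beyond the one quoted line is constructed: the extra sample lines, the 198.51.100.7 web destination, and the threshold of five distinct ports.

```python
import re
from collections import defaultdict

# Firewall state lines as quoted in the post: "(9s) STATE udp 50.78.225.25 50318 <-> 75.75.75.75 53"
# "(9s)" is the state age, then protocol, source ip/port, "<->", destination ip/port.
STATE_RE = re.compile(
    r"^(?:\((?P<age>\d+)s\)\s+)?STATE\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s*$"
)
EPHEMERAL_MIN = 49152  # start of the IANA dynamic/private port range (the post says "49000 and above")

def parse_state_line(line):
    """Parse one firewall state line into a dict, or return None if it is not one."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    return {"age": int(m["age"]) if m["age"] else None, "proto": m["proto"].lower(),
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"])}

def dns_flows_by_source(lines):
    """Per source IP: count of UDP/53 flows, distinct ephemeral source ports, distinct resolvers."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "resolvers": set()})
    for line in lines:
        rec = parse_state_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != 53:
            continue  # skip unparseable lines and anything that is not outbound DNS
        entry = summary[rec["src"]]
        entry["count"] += 1
        entry["resolvers"].add(rec["dst"])
        if rec["sport"] >= EPHEMERAL_MIN:
            entry["ports"].add(rec["sport"])
    return dict(summary)

def flag_port_cycling(lines, min_distinct_ports=5):
    """Return source IPs that cycled through many distinct ephemeral ports to UDP/53.
    A web server that neither runs a resolver nor browses should make few lookups."""
    summary = dns_flows_by_source(lines)
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_distinct_ports)

# Constructed sample log modelled on the single line quoted in the post (not real captured data).
SAMPLE_LOG = [
    "(9s) STATE udp 50.78.225.25 50318 <-> 75.75.75.75 53",
    "(8s) STATE udp 50.78.225.25 50319 <-> 75.75.75.75 53",
    "(8s) STATE udp 50.78.225.25 50320 <-> 75.75.75.76 53",
    "(7s) STATE udp 50.78.225.25 50321 <-> 75.75.75.75 53",
    "(6s) STATE udp 50.78.225.25 50322 <-> 75.75.75.75 53",
    "(3s) STATE tcp 50.78.225.29 49200 <-> 198.51.100.7 80",  # ordinary web traffic on .29
    "(2s) STATE udp 50.78.225.29 53000 <-> 75.75.75.75 53",  # one lookup from .29: not flagged
    "not a state line at all",
]
```

Run over a real export of the firewall's state table, `flag_port_cycling` picks out the .25 pattern while leaving the .29 web traffic alone; lower `min_distinct_ports` if the bursts are short.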