Virtualmin keeps sending port 6697 traffic out

Last Thursday, my Virtualmin with 100 licenses was pnscan, which resulted in very heavy traffic, so that no one was able to access the server. When I did a ps -ef, I saw the pnscan process and aaa process. After I rebooted, both processes were gone, but I cannot find any pnscan installed on the server. I used the firewall to block port 10000, as I noticed it was consistently connected to an IP outside my country where I have no business. Now I constantly see port 6697 to a particular IP from the Virtualmin. Is there any way: 1. I can find out which process generates the port 6697 out and kill it? 2. How to find out how pnscan was activated within the Virtualmin?

Status: 
Active

Comments

Howdy -- hmm, it sounds like something else may be going on there, as Virtualmin doesn't have any reason to connect to port 6697, which is IRC.

I'm a bit suspicious of that pnscan and aaa process you mentioned.

Did you happen to keep a copy of all the running processes you saw when you ran the "ps" command?

I'd be curious what userid those processes were running as.

Attached is the image taken at that time, where we saw the pnscan and aaaa processes. I wish you could advise how we can take further precautions. If possible, please also advise how to find out how to stop Virtualmin from sending out port 6697, or how to gather information on which process generates the port 6697.

I tried to upload the files with the processes at that time, at only 274KB (pdf or img format), but your website keeps giving: "Validation error, please try again. The file you attempted to upload may be too large. If this error persists, please contact the site administrator"

Could you perhaps provide a link to a screenshot? Alternatively, seeing the full output of "ps auxw" would be helpful as well.

I'm not sure how or why Virtualmin would be accessing port 6697, though seeing that process list would be a good place to start.

If there is a firewall in front of your server, you could always configure it to prevent outgoing communication to that port.

I have already configured the firewall to block that port 6697 but wish to attempt to close this from the server. I will do the ps auxw later. At the moment, the previous problem is back: Virtualmin is under DoS attack again, as we re-opened port 10000 for customers to admin their own domains after 3 days. Meanwhile, my guy is on the way to the data center to see what is wrong.
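
On the question raised in this thread of which process owns the outbound port 6697 connection, here is an added example (not posted by anyone in the thread, and not Virtualmin code) that reads the Linux `/proc/net/tcp` table, picks rows whose remote port is 6697, and maps each socket inode to its PID through `/proc/<pid>/fd`. The function names and the embedded sample table are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (addresses and inodes are made up).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 0A0200C0:1A29 01 00000000:00000000 00:00000000 00000000    48        0 22222 1 0000000000000000 20 4 30 10 -1
"""

def hex_to_ipv4(h):
    # The kernel prints the address as a host-order 32-bit hex word;
    # "<I" assumes a little-endian host such as x86.
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))

def conns_to_port(table_text, port):
    """Return (local, remote, uid, inode) for IPv4 TCP rows whose remote port matches."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        (lip, lport), (rip, rport) = f[1].split(":"), f[2].split(":")
        if int(rport, 16) == port:
            hits.append((f"{hex_to_ipv4(lip)}:{int(lport, 16)}",
                         f"{hex_to_ipv4(rip)}:{port}", int(f[7]), f[9]))
    return hits

def pids_for_inode(inode, proc="/proc"):
    """Find PIDs holding an fd that links to socket:[inode] (run as root to see all users)."""
    target, found = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                found.append(int(pid))
        except OSError:                           # process exited or access denied
            continue
    return sorted(found)

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:             # IPv4 only; /proc/net/tcp6 has IPv6
        for local, remote, uid, inode in conns_to_port(fh.read(), 6697):
            for pid in pids_for_inode(inode):
                with open(f"/proc/{pid}/cmdline", "rb") as c:
                    cmd = c.read().replace(b"\0", b" ").decode(errors="replace")
                print(pid, uid, local, "->", remote, os.path.realpath(f"/proc/{pid}/exe"), cmd)
```

The uid field in each result is the account that owns the socket, which is the userid asked about earlier in the thread; recording the PID, executable path and command line before killing the process preserves what is needed to trace how it was started.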