LiteSpeed opens a second UDP port automatically without notification?

Discussion in 'General' started by local@work, May 17, 2018.

  1. local@work

    local@work New Member

    Hello,
    I have LiteSpeed, and yesterday I saw this from chkrootkit:

    Code:
    Checking `bindshell'... INFECTED (PORTS:  465 45454)
    I have cPanel, and the notice for port 465 is OK. It's the first time that chkrootkit has alerted me about another port: port 45454! After some research I can't find this particular port (I think LiteSpeed is listening on another one again), but instead I find LiteSpeed running with a second PID on a similar UDP port!!
    See below:
    Code:
    lsof -i :41733
    COMMAND     PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
    litespeed 14871 nobody   77u  IPv4 yyyyyyyyy      0t0  UDP *:41733
    lsof -i :7080
    COMMAND     PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
    litespeed 14867   root   44u  IPv4 xxxxxxxxx      0t0  TCP *:7080 (LISTEN)
    litespeed 14871 nobody   44u  IPv4 xxxxxxxxx      0t0  TCP *:7080 (LISTEN)
    Code:
    udp 0 0 0.0.0.0:41733 0.0.0.0:* 0 yyyyyyyyy  14871/litespeed (ls
    Also, I have QUIC UDP port 443 allowed in my csf firewall.

    Is it possible that something malicious is running with LiteSpeed? I have cPanel and I followed all the steps for LiteSpeed from your docs... I also have the Comodo ModSecurity LiteSpeed rule set enabled and everything...

    Why does LiteSpeed open UDP ports?
     
    Last edited: May 17, 2018
  2. mistwang

    mistwang LiteSpeed Staff

    The random UDP port is likely opened by the asynchronous DNS resolver library used in the server. It should not cause any security issue. See if we can turn it off.
    It has nothing to do with QUIC.
     
  3. local@work

    local@work New Member

    Hello,
    So it's nothing to worry about, as random UDP ports are opened (for security reasons)?
    Also, if I don't have those ports in csf, could it be useless?
    Thank you.
     
  4. mistwang

    mistwang LiteSpeed Staff

    Yes, no worry.
    If csf blocks outgoing UDP, it could block the DNS query.
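
Added example, not part of the original thread and not LiteSpeed's code: a Python sketch for Linux showing why a process that only sends UDP queries, as the staff reply describes for the DNS resolver, shows up in lsof and netstat as `UDP *:<port>`. The resolver address 127.0.0.1:53, the function names and the default range 32768-60999 are assumptions.

```python
import socket

DEFAULT_RANGE = (32768, 60999)  # assumption: common Linux default range

def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Kernel's ephemeral port range, or the assumed default if unreadable."""
    try:
        with open(path) as f:
            lo, hi = f.read().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return DEFAULT_RANGE

def client_udp_socket(resolver=("127.0.0.1", 53)):
    """Send one datagram from an unbound UDP socket, as a DNS client does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Constructed 1-byte payload, not a real query. On the first send the
        # kernel auto-binds the socket to 0.0.0.0:<ephemeral port>.
        s.sendto(b"\x00", resolver)
    except OSError:
        pass  # delivery may fail in a sandbox
    if s.getsockname()[1] == 0:  # fallback if the stack has not bound yet
        s.bind(("0.0.0.0", 0))
    return s

def proc_net_udp_row(port, path="/proc/net/udp"):
    """(local, remote) hex columns for `port` in /proc/net/udp, or None."""
    try:
        with open(path) as f:
            for line in f:
                cols = line.split()
                if len(cols) > 2 and cols[1].endswith(":%04X" % port):
                    return cols[1], cols[2]
    except OSError:
        pass
    return None

def looks_like_client_port(local_ip, port, rng=DEFAULT_RANGE):
    """True for a wildcard-bound socket on an ephemeral (not configured) port."""
    return local_ip in ("0.0.0.0", "*") and rng[0] <= port <= rng[1]

def demo():
    s = client_udp_socket()
    ip, port = s.getsockname()
    row = proc_net_udp_row(port)  # same view netstat prints as 0.0.0.0:<port>
    s.close()
    return ip, port, row

if __name__ == "__main__":
    print(demo(), looks_like_client_port("*", 41733), ephemeral_range())
```

A match only says the port fits the ephemeral profile; which process owns it still has to come from `lsof -i` or `netstat -p`, as in the first post.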
     
