Ran lsof, looks like writefreely is compromised by malware

This does not make me glad. How did this happen and how does one fix it? Thanks :slight_smile:

I ran netstat napt and found some weird stuff, unrecognized addresses, and then ran lsof and wheee. Yuck.

Someone help me with this please. Thank you much.

-J

Let’s ping @help.

1 Like

thanks Paolo. would love some help with this, I hate having to keep my blog offline.

I’m not sure what to make of this without knowing more about what that command does. Are these just attempted connections to your server? Do you have a firewall installed?

1 Like

lsof is “list of open files.”

I do have iptables, running, and fail2ban.

I am not running anything with traderfex.com in my server, at all. And when checking stuff with netstat, it shows that writefreely has connected from traderfex.com to some external server. So that's weird.

I’m spinning up the WF instance on cron just now and will keep an eye on it.

The hostnames reported by lsof are obtained from reverse DNS, so the names might not have anything to do with the actual connection being made. The actual connection is between IP addresses; lsof has to try to look up what names are associated with those addresses.

For instance, if I connect to my web server using my domain name and use lsof, the connection will show up as a hostname belonging to the server provider, rather than the name I connected to.

So, it could be that it’s a completely innocent connection involving some system that happens to share an IP address with traderfex.com. My guess would be that the server you’re installing WriteFreely on shares an IP address with mail.traderfex.com, perhaps because it’s a VPS system?

Ping your server, ping mail.traderfex.com, see if they have the same IP.

1 Like
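An added example (not from this thread) of the check the last reply suggests: parse numeric `lsof -i -nP` output, then show how the reverse-DNS name lsof would print for the local address can belong to a neighbour that shares the IP. The lsof lines, addresses and DNS tables are constructed stand-ins; in real use replace the tables with `socket.gethostbyaddr` / `socket.gethostbyname`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `lsof -i -nP` output (-n: no reverse DNS, -P: no port names).
# Process name, PIDs and addresses are illustrative, not taken from the thread.
LSOF_SAMPLE = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
writefreel 1234 www    7u  IPv4  56789      0t0  TCP 203.0.113.10:8080->198.51.100.7:52311 (ESTABLISHED)
writefreel 1234 www    9u  IPv4  56790      0t0  TCP 203.0.113.10:44110->192.0.2.25:443 (ESTABLISHED)
sshd        321 root   3u  IPv4  11111      0t0  TCP *:22 (LISTEN)
"""

# Constructed DNS tables standing in for PTR (reverse) and A (forward) lookups.
# The VPS IP 203.0.113.10 has a PTR record for a neighbouring mail host, so lsof
# without -n would label *our own* side of the connection with that name.
PTR_TABLE: Dict[str, str] = {"203.0.113.10": "mail.neighbour.test", "192.0.2.25": "updates.vendor.test"}
A_TABLE: Dict[str, str] = {"myblog.test": "203.0.113.10", "mail.neighbour.test": "203.0.113.10",
                           "updates.vendor.test": "192.0.2.25"}

CONN_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+.*?TCP\s+(\S+):(\d+)->(\S+):(\d+)\s+\((\w+)\)")


def parse_established(text: str) -> List[dict]:
    """Extract TCP connections with a remote peer from numeric lsof output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            cmd, pid, lip, lport, rip, rport, state = m.groups()
            conns.append({"cmd": cmd, "pid": int(pid), "local": lip, "lport": int(lport),
                          "remote": rip, "rport": int(rport), "state": state})
    return conns


def as_lsof_would_print(conn: dict, ptr: Dict[str, str] = PTR_TABLE) -> str:
    """Render the NAME column the way lsof shows it without -n (PTR names substituted)."""
    local = ptr.get(conn["local"], conn["local"])
    remote = ptr.get(conn["remote"], conn["remote"])
    return f"{local}:{conn['lport']}->{remote}:{conn['rport']}"


def shares_ip(host_a: str, host_b: str, a: Dict[str, str] = A_TABLE) -> bool:
    """The 'ping both names' test from the reply: do two hostnames forward-resolve to one IP?"""
    ip_a, ip_b = a.get(host_a), a.get(host_b)
    return ip_a is not None and ip_a == ip_b
```

If `shares_ip("myblog.test", "mail.neighbour.test")` is true, the unfamiliar name on the local side is just the PTR record of your own shared IP; the remote addresses from the numeric output are what actually need reviewing.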