Linux

Server infected or something?

In just a day or two after I installed NewRelic, I noticed a few external requests that I don't think my apps initiated. They appear on the NewRelic dashboard, and I'm kind of worried that my server might be infected with some malicious scripts or even rootkits. For now, I'm investigating the issue.

UPDATE: I’ve found out that there is no security issue but rather a normal WordPress activity. More details at the bottom of the post.

I installed NewRelic just 2 days ago. When I first saw the external requests report, I initially thought the calls were due to my proxy tunneling activity. However, when I purged the data and restarted capturing stats, the same unexpected external calls appeared.

See below report:

Server infected? Yes?

I'll update the post when I find out something later.

UPDATE: I did several security checks and even installed tools like rkhunter, chkrootkit, clamav and other anti-virus and anti-rootkit software, but none of them found anything. After several hours, I revisited the issue and dug deeper.

When I accidentally clicked the link that brought me to the details of the external call (in the New Relic dashboard), it showed the script filename that initiates the call. It was xmlrpc.php. That is the script that handles communication between blogs or sites that support features such as pingback, trackback and the like.
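As an added example (not from the original post), the following Python script shows the two checks I would run to confirm that xmlrpc.php traffic is ordinary pingback activity rather than something else: it summarizes requests to xmlrpc.php in a web server access log by client IP and User-Agent, and it serializes and decodes a pingback.ping XML-RPC call so you can recognize that request shape when it appears in an outbound call capture. The log lines are constructed, the hostnames are placeholders, and the assumption that WordPress peers identify themselves with a "WordPress/<version>; <site URL>" User-Agent is stated in the comments.

```python
import re
import xmlrpc.client
from collections import Counter

# Constructed sample lines in Apache combined-log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2013:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.5; http://blog.example"
203.0.113.10 - - [10/Jan/2013:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.5; http://blog.example"
198.51.100.7 - - [10/Jan/2013:10:01:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2013:10:02:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2013:10:03:00 +0000] "GET /?p=42 HTTP/1.1" 200 9800 "http://other.example/post" "Mozilla/5.0"
"""

# One combined-log line: ip ident user [timestamp] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_summary(log_text):
    """Summarize requests to xmlrpc.php: how many, from which IPs, and which look non-WordPress.

    Assumption: a WordPress site sending a pingback identifies itself with a
    'WordPress/<version>; <site URL>' User-Agent, so xmlrpc.php hits without that
    prefix are the ones worth a closer look.
    """
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = [e for e in entries if e["path"].split("?")[0].endswith("/xmlrpc.php")]
    return {
        "total": len(hits),
        "per_ip": Counter(e["ip"] for e in hits),
        "non_wordpress_ua": [e for e in hits if not e["ua"].startswith("WordPress/")],
    }


def build_pingback(source_uri, target_uri):
    """Serialize a pingback.ping call, the XML-RPC method one blog POSTs to another's xmlrpc.php."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def classify_xmlrpc_body(body):
    """Decode a captured XML-RPC request body into (method name, params)."""
    params, method = xmlrpc.client.loads(body)
    return method, params


if __name__ == "__main__":
    summary = xmlrpc_summary(SAMPLE_LOG)
    print(f"xmlrpc.php hits: {summary['total']}, per IP: {dict(summary['per_ip'])}")
    for e in summary["non_wordpress_ua"]:
        print(f"  review: {e['ip']} {e['method']} {e['path']} UA={e['ua']!r}")
    # Placeholder URLs; a real pingback carries the linking post and the linked post.
    body = build_pingback("http://a.example/post", "http://b.example/article")
    print(classify_xmlrpc_body(body))
```

Run it against your real access log by replacing SAMPLE_LOG with the file contents; a handful of pingback.ping calls from WordPress User-Agents matches what the post describes, while a steady stream of xmlrpc.php POSTs from one non-WordPress client is the pattern to keep investigating.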

Now I could sleep sound tonight.
