10-11-2010 #1 (Just Joined!, Join Date: Oct 2010, Posts: 1)
Monitoring outgoing UDP packets
Gentlemen,
I have a problem which I haven't been able to solve for a couple of weeks, so I'm trying the community in case someone has some idea. What the problem is about:
On our webhosting servers, where primarily Apache is running, sometimes huge outgoing traffic starts to random IP addresses (each time of attack it is just one IP). It's always UDP, and according to my investigation with tcpdump, it looks like p2p.
The problem is in the big outgoing traffic, and secondly in filling the ip_conntrack table /proc/net/ip_conntrack.
I think that one of our webhosting users has some virus uploaded on his FTP, which is run from time to time.
I think that if I can map outgoing traffic to a particular process ID, it will be easy to find the PID in the access log of the webserver and then see what URL causes it.
What I have checked already:
- outgoing UDP connections are not listed in netstat - so I cannot get the PID from there
- Apache with PHP is in safe mode - cannot exec binaries, cgi is disabled
- I can see tons of records in tcpdump, but from the dump I'm not able to get the PID
- At the time of attack I was trying to run `lsof`, but nothing to see - didn't find the attacker
- I went through the apache access log - I took the time of attack - i.e. 02:22 am - grepped from the access log all hits between 02:20 and 02:29 am and tried to call all of them again - the problem didn't occur
- checked the POST records from the access log - nothing
- grepped all php files for the keywords 'fsockopen' and 'torrent'
- from iptables --log-uid I have found user nobody (under which apache is run)
I think that the key is being able to match an outgoing connection to a PID, then it will be easy.
I would appreciate any help.
thank you
Ondrej
10-19-2010 #2
You could start by logging all packets that are leaving your system.
Look at THIS page on logging using iptables.
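As an added example (not code from either poster), a script that makes use of the iptables logging suggested here: it parses constructed kernel-log lines as written by the LOG target with --log-uid, picks the destination and UID of the outgoing UDP burst, and lists the Apache access-log requests in the minute before the burst began, automating the time-window grep from the first post. The chain name OUT-UDP, the IPs, UIDs and paths are all made up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample of what iptables LOG with --log-uid writes to the kernel log
# during an outgoing UDP burst; hostnames, IPs, ports and UIDs are made up.
IPTABLES_LOG = """\
Oct 11 02:22:13 web1 kernel: OUT-UDP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=UDP SPT=41234 DPT=6881 LEN=40 UID=99 GID=99
Oct 11 02:22:13 web1 kernel: OUT-UDP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=UDP SPT=41234 DPT=6882 LEN=40 UID=99 GID=99
Oct 11 02:22:14 web1 kernel: OUT-UDP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=UDP SPT=41234 DPT=6883 LEN=40 UID=99 GID=99
Oct 11 02:23:01 web1 kernel: OUT-UDP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.2 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56 UID=0 GID=0
"""
# Constructed Apache access log lines (common log format); the paths are made up.
ACCESS_LOG = """\
203.0.113.50 - - [11/Oct/2010:02:20:05 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [11/Oct/2010:02:22:10 +0000] "GET /~user42/img/cache.php?run=1 HTTP/1.1" 200 17
203.0.113.51 - - [11/Oct/2010:02:25:40 +0000] "POST /contact.php HTTP/1.1" 302 0
"""
FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?DST=(\S+) .*?PROTO=(\S+) .*?UID=(\d+)")
ACC_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "(\S+) (\S+) [^"]*"')

def parse_firewall_log(text, year=2010):
    """(timestamp, dst, proto, uid) per LOG line; syslog stamps carry no year, so it is a parameter."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return out

def top_udp_destination(records):
    """Most-hit (dst, uid) among UDP packets and when it was first seen: the one-IP-per-attack pattern."""
    udp = [r for r in records if r[2] == "UDP"]
    (dst, uid), count = Counter((r[1], r[3]) for r in udp).most_common(1)[0]
    return dst, uid, count, min(r[0] for r in udp if r[1] == dst)

def requests_before(access_text, when, seconds=60):
    """Access-log hits in the `seconds` before `when`: candidate scripts that started the burst."""
    hits = []
    for line in access_text.splitlines():
        m = ACC_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            if when - timedelta(seconds=seconds) <= ts <= when:
                hits.append((m.group(1), m.group(3), m.group(4)))
    return hits

def suspect_requests(fw_text=IPTABLES_LOG, access_text=ACCESS_LOG, seconds=60):
    # Tie the burst's destination and UID to the requests that preceded it.
    dst, uid, count, first = top_udp_destination(parse_firewall_log(fw_text))
    return dst, uid, count, requests_before(access_text, first, seconds)
```

On a real box the first input is the kernel log (e.g. /var/log/kern.log) filtered for the LOG prefix, and the UID identifies the process owner only, so for a shared Apache running as nobody the access-log window is what narrows it to a script.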