  1. #1
    Just Joined!
    Join Date
    Oct 2010
    Posts
    1

    Monitoring outgoing UDP packets


    Gentlemen,
    I have a problem which I have not been able to solve for a couple of weeks, so I'm trying the community in case someone has an idea. What the problem is about:

    On our webhosting servers, where primarily apache is running, huge outgoing traffic sometimes starts to random IP addresses (each time of attack it is just one IP). It's always UDP, and according to my investigation with tcpdump, it looks like p2p.

    The problem is firstly the big outgoing traffic, and secondly the filling of the ip_conntrack table /proc/net/ip_conntrack

    I think that one of our webhosting users has some virus uploaded on his FTP, which is run from time to time.
    I think that if I can map outgoing traffic to a particular process ID, it will be easy to find the PID in the access log of the webserver and then see which URL causes it.

    What I have checked already:
    - outgoing UDP connections are not listed in netstat - so cannot get PID from there
    - Apache with PHP is in safe mode - cannot exec binaries, cgi is disabled
    - I can see tons of records in tcpdump, but from the dump I'm not able to get PID
    - At the time of the attack I was trying to run `lsof`, but nothing to see - didn't find the attacker
    - I went through the apache access log - I took the time of the attack, i.e. 02:22 am, grepped from the access log all hits between 02:20 and 02:29 am and tried to call all of them again - the problem didn't occur
    - checked the POST records from access log - nothing
    - grepped all php files for keyword 'fsockopen' and 'torrent'
    - from iptables --log-uid I have found user nobody (which apache is run under)

    I think that the key is being able to match an outgoing connection to a PID; then it will be easy.

    I would appreciate any help.

    thank you
    Ondrej

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    You could start by logging all packets that are leaving your system.
    Look at THIS page on logging using iptables.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
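The thread's core problem is tying a burst of outgoing UDP to the process that owns the socket. As an added example, not part of either post, the script below reads the kernel's own UDP socket table (/proc/net/udp) and resolves each socket inode to a PID through /proc/<pid>/fd, the same source netstat -p and ss -p use; polling every second catches sockets that only live for a moment, which is why a single lsof run can miss them. The uid to watch is passed in the assumed WATCH_UID environment variable (e.g. nobody's uid, as found with --log-uid in the first post).

```shell
#!/bin/sh
# Added example (not from the thread): map live UDP sockets to owning PIDs.

# /proc/net/udp stores IPv4 addresses as 8 hex digits in little-endian byte
# order (0100007F is 127.0.0.1), followed by ':' and a 4-digit hex port.
hex2ip() {
    h=$1
    printf '%d.%d.%d.%d' "0x$(echo "$h" | cut -c7-8)" "0x$(echo "$h" | cut -c5-6)" \
                         "0x$(echo "$h" | cut -c3-4)" "0x$(echo "$h" | cut -c1-2)"
}
hexport() { printf '%d' "0x${1#*:}"; }

# Print "uid inode local remote" for each row of a /proc/net/udp-style table
# (field 8 is the owning uid, field 10 the socket inode; the header is skipped).
udp_sockets() {
    tail -n +2 "$1" | while read -r _ local rem _ _ _ _ uid _ inode _; do
        printf '%s %s %s:%s %s:%s\n' "$uid" "$inode" \
            "$(hex2ip "${local%%:*}")" "$(hexport "$local")" \
            "$(hex2ip "${rem%%:*}")" "$(hexport "$rem")"
    done
}

# PID whose fd table links to socket:[inode]; empty if the socket already
# closed or belongs to a process not visible from this PID namespace.
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            p=${fd#/proc/}; echo "${p%%/*}"; return
        fi
    done
}

# Poll once a second and report every UDP socket owned by uid $1 together with
# the owning PID and its command line, so traffic can be tied to a process.
watch_udp() {
    while :; do
        udp_sockets /proc/net/udp | while read -r uid inode local rem; do
            [ "$uid" = "$1" ] || continue
            pid=$(inode_to_pid "$inode")
            printf '%s uid=%s pid=%s %s -> %s cmd=%s\n' "$(date +%T)" "$uid" "${pid:-?}" \
                "$local" "$rem" "$(tr '\0' ' ' < "/proc/${pid:-0}/cmdline" 2>/dev/null)"
        done
        sleep 1
    done
}

# Only start polling when a uid was given, e.g. WATCH_UID=$(id -u nobody) sh udpwatch.sh
if [ -n "${WATCH_UID:-}" ]; then watch_udp "$WATCH_UID"; fi
```

Unconnected UDP sockets show a remote of 0.0.0.0:0 here just as in netstat, so the PID and command line are the useful columns; the remote side comes from the tcpdump or iptables LOG lines taken at the same second.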
