Checking which domain is sending unwanted http requests to a specific destination

[armin654]

Hello there
I have a CloudLinux OS(installed on a CentOs6.4) and Cpanel installed on it. It is a shared server. I have received a complaint from DATACENTER and they are saying one of my customers is doing attack to a specific website.

I know that i can see outgoing traffic using tools like IFTOP But how to know which of my domains on this server is doing this unwanted outgoing traffic to that victim website (who has complaint about the issue to our datacenter)

Thank you for your care

 

[cPanelMichael]

Hello

You could try reviewing the Apache access logs to see if you can find anything that might help identify the source of the outgoing attack. Were you able to determine the port number associated with the outgoing traffic when using IFTOP? Are you using a firewall management tool such as CSF?

Thank you.

 

[armin654]

Dear michael!
Thank you for your answer. Yes we have already ConfigServer Security & Firewall
But i don't know how to use it for blocking all of the connection to specific destination on a remote location.

My Cpanel is installed on a virtual machine in a hyper-v visualization server. Could you guide me to:
First block all of the connection to the remote IP address of x.x.x.x temporary
and then how to find the website which is doing this kind of activity.

regards

 

[cPanelMichael]

You may want to consider posting to the CSF support forums or reviewing their documentation for help with how to block outgoing connections to a specific IP address.

Thank you.

 

[armin654]

Thank you michael!
I learned this simple IPTABLES rule to block both outgoing traffics with specific string in the HTTP header and also any traffic to any specific destination/IP address:
Block outgoing traffic to specific IP address:
iptables -A OUTPUT -d 1.2.3.4 -j DROP

Block all of outgoing traffics to specific URL:
iptables -A OUTPUT -p tcp -m string --string "URL_HERE" --algo kmp -j DROP


We can also simply write a line in hosts file to redirect any outgoing request to specific destination to be redirected to a null destination.

But my main question is how to find who did this kind of activity.
I need to know which PID is doing this unwanted outgoing traffic. I think it can be done using NETSTAT but don't know how to do it.

regards

 

[quizknows]

You should probably hire someone to fix it if you do not know how.

It's very hard to find these things if they're not currently running. If the attack is ongoing, then run `ps faux` and look for any processes owned by users that are not apache or PHP (I.e. /usr/bin/host, /usr/bin/fakeproc) etc. It should be pretty obvious.

also `lsof -i :80` and look for outbound (not inbound) port 80 connections.

 

[armin654]

Thank you quizknows
I don't want to hire anyone since i want to learn it myself. Thank you for your tips. Sadly the unwanted process is not always active.
I will follow your guide as well. If you know any other great tips please let me know. It can be a reference for others as well.
Best Regards

- - - Updated - - -

Thank you quizknows
I don't want to hire anyone since i want to learn it myself. Thank you for your tips. Sadly the unwanted process is not always active.
I will follow your guide as well. If you know any other great tips please let me know. It can be a reference for others as well.
Best Regards