The Community Forums

Interact with an entire community of cPanel & WHM users!

Checking which domain is sending unwanted http requests to a specific destination

Discussion in 'Security' started by armin654, Mar 17, 2014.

  1. armin654

    armin654 Well-Known Member

    Joined:
    Feb 12, 2014
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hello there
    I have CloudLinux OS (installed on CentOS 6.4) and cPanel installed on it. It is a shared server. I have received a complaint from the datacenter, and they are saying one of my customers is attacking a specific website.

    I know that I can see outgoing traffic using tools like iftop, but how do I know which of my domains on this server is generating this unwanted outgoing traffic to that victim website (which has complained about the issue to our datacenter)?

    Thank you for your care
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You could try reviewing the Apache access logs to see if you can find anything that might help identify the source of the outgoing attack. Were you able to determine the port number associated with the outgoing traffic when using IFTOP? Are you using a firewall management tool such as CSF?

    Thank you.
     
  3. armin654

    armin654 Well-Known Member

    Joined:
    Feb 12, 2014
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Dear Michael!
    Thank you for your answer. Yes, we already have ConfigServer Security & Firewall,
    but I don't know how to use it to block all connections to a specific destination at a remote location.

    My cPanel is installed on a virtual machine on a Hyper-V virtualization server. Could you guide me on how to:
    first, temporarily block all connections to the remote IP address x.x.x.x,
    and then find the website which is doing this kind of activity.

    regards
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You may want to consider posting to the CSF support forums or reviewing their documentation for help with how to block outgoing connections to a specific IP address.

    Thank you.
     
  5. armin654

    armin654 Well-Known Member

    Joined:
    Feb 12, 2014
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Thank you Michael!
    I learned these simple iptables rules to block outgoing traffic with a specific string in the HTTP header, and also any traffic to a specific destination/IP address:
    Block outgoing traffic to a specific IP address:
    iptables -A OUTPUT -d 1.2.3.4 -j DROP

    Block all outgoing traffic to a specific URL:
    iptables -A OUTPUT -p tcp -m string --string "URL_HERE" --algo kmp -j DROP


    We can also simply write a line in the hosts file to redirect any outgoing request for a specific destination to a null destination.

    But my main question is how to find who did this kind of activity.
    I need to know which PID is generating this unwanted outgoing traffic. I think it can be done using netstat, but I don't know how to do it.

    regards
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You should probably hire someone to fix it if you do not know how.

    It's very hard to find these things if they're not currently running. If the attack is ongoing, then run `ps faux` and look for any processes owned by users that are not apache or PHP (i.e. /usr/bin/host, /usr/bin/fakeproc), etc. It should be pretty obvious.

    Also run `lsof -i :80` and look for outbound (not inbound) port 80 connections.
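The following is an added example, not code from anyone in this thread and not part of cPanel or CSF. It carries the two tips above (find the PID behind an outbound connection, then check who owns the process) through to the cPanel account and its domains, which is what the original question asked for. It assumes the line layout that `ss -tnp` prints on a modern Linux box (the `users:(...)` column only appears when run as root) and that `/etc/userdomains` holds one `domain: user` pair per line; every IP address, PID and domain name below is a constructed placeholder, embedded so the parsing runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Maps established outbound TCP
# connections to a suspect destination back to PID, command, owning user and
# (via cPanel's /etc/userdomains) the account's domains.
# Live use:    outbound_report 203.0.113.10      (reads `ss -tnp` itself)
# Offline use: the constructed samples below are passed as a second argument.
# All IPs, PIDs and domain names here are constructed placeholders.

# Constructed sample in the layout `ss -tnp` prints (one socket per line).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:43211 203.0.113.10:80 users:(("php",pid=4321,fd=5))
ESTAB 0 0 10.0.0.5:80 198.51.100.7:51234 users:(("httpd",pid=1200,fd=8))
ESTAB 0 0 10.0.0.5:80 203.0.113.10:52000 users:(("httpd",pid=1201,fd=9))
ESTAB 0 0 10.0.0.5:43215 203.0.113.10:80 users:(("perl",pid=4400,fd=3))
ESTAB 0 0 10.0.0.5:22 198.51.100.9:40000 users:(("sshd",pid=900,fd=3))'

# Constructed sample of cPanel's /etc/userdomains ("domain: user" per line).
SAMPLE_USERDOMAINS='example.com: alice
www.example.com: alice
shop.example.net: bob
*: nobody'

# outbound_pids DEST_IP [SS_OUTPUT]
# Prints "pid command" for every socket whose peer is DEST_IP and whose local
# port is not one we serve on, so a visitor coming *from* DEST_IP to our web
# server is not mistaken for an outbound attack.
outbound_pids() {
  dest="$1"
  input="${2:-$(ss -tnp 2>/dev/null)}"
  printf '%s\n' "$input" | awk -v dest="$dest" '
    NR > 1 {
      laddr = $4; peer = $5
      sub(/:[^:]*$/, "", peer)              # strip the port (IPv6-safe)
      lport = laddr; sub(/.*:/, "", lport)  # keep only the local port
      if (peer != dest) next
      if (lport == 80 || lport == 443) next # inbound to our web server
      if (match($6, /pid=[0-9]+/)) {
        pid = substr($6, RSTART + 4, RLENGTH - 4)
        cmd = $6
        sub(/^users:\(\("/, "", cmd)        # users:(("php",pid=... -> php",pid=...
        sub(/".*/, "", cmd)                 # -> php
        print pid, cmd
      }
    }'
}

# domains_for_user USER [USERDOMAINS_CONTENT]
# Lists the domains cPanel assigns to USER, one per line.
domains_for_user() {
  user="$1"
  input="${2:-$(cat /etc/userdomains 2>/dev/null)}"
  printf '%s\n' "$input" | awk -v u="$user" -F': ' '$2 == u { print $1 }'
}

# owner_of_pid PID -> username, from ps (live systems only).
owner_of_pid() {
  ps -o user= -p "$1" 2>/dev/null | tr -d ' '
}

# outbound_report DEST_IP
# Live one-shot report, one line per offending socket:
#   pid command user domain1 domain2 ...
# Because the offending process is not always running, schedule this from
# cron every minute and append the output to a log, then grep the log later.
outbound_report() {
  outbound_pids "$1" | while read -r pid cmd; do
    user=$(owner_of_pid "$pid")
    doms=$(domains_for_user "$user" | tr '\n' ' ')
    printf '%s %s %s %s\n' "$pid" "$cmd" "${user:-?}" "$doms"
  done
}
```

On a live server the interesting output is any account user (not `root`, `apache` or `nobody`) owning a `php`, `perl` or oddly named process with an outbound socket to the complained-about address; from there `ls -l /proc/PID/cwd` shows which directory in that account the script runs from. Filtering out local ports 80 and 443 is the edge case worth keeping: without it, the victim site's own visits to this server would show up as false positives.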
     
  7. armin654

    armin654 Well-Known Member

    Joined:
    Feb 12, 2014
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Thank you quizknows
    I don't want to hire anyone, since I want to learn it myself. Thank you for your tips. Sadly, the unwanted process is not always active.
    I will follow your guide as well. If you know any other great tips, please let me know. It can be a reference for others as well.
    Best regards
     