
Security Problem? How To Track User Traffic?

Discussion in 'Security' started by bmcpanel, Sep 3, 2004.

  1. bmcpanel

    When I check my server logs, at the time I see a spike in traffic, I see this in the logs....

    3 2004-09-03 01:51:13.557249 111.111.111.111 -> 222.222.222.222 UDP Source port: 36482 Destination port: 80

    Where "111.111.111.111" is my server IP and 222.222.222.222 is a destination IP. The listing is listed over and over again and the mrtg shows a traffic spike.

    How can I check at the server level to find who might be doing this? I have run chkrootkit and the server seems clean. I suspect it is a user script.
     
  2. bmcpanel

    Anyone??
     
  3. chirpy

    Sounds typical of the type of script that retrieves information from another website and posts it to their own (e.g. news).

    One way to track it down would be to block outgoing port 80 and see who screams ;) A better idea might be to check user crontabs to see if they're running such a script regularly.
     
  4. cPanelNick


    /usr/sbin/lsof -n

    might help
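
The lsof suggestion above, turned into a filter that names the account and process behind UDP sockets connected to a given remote port. This is an added example, not part of the original thread. The function names are hypothetical, the sample lsof output is constructed from the placeholder addresses in the first post, and the `-P` and `-i UDP` options are assumed so that ports print as numbers and only UDP sockets are listed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# udp_port_owners PORT
# Reads `lsof -n -P` output on stdin and prints "COUNT USER PID COMMAND REMOTE"
# for every UDP socket connected to remote PORT, busiest first.
udp_port_owners() {
    awk -v port="$1" '
        NR == 1 && $1 == "COMMAND" { next }      # skip the header row
        {
            # SIZE/OFF can be blank, so locate the NODE column by value
            # instead of by position; NAME is the field right after it.
            for (i = 4; i < NF; i++) {
                if ($i != "UDP") continue
                if (split($(i + 1), ends, "->") != 2) next   # unconnected socket
                remote = ends[2]
                rport = remote
                sub(/^.*:/, "", rport)           # keep the text after the last colon
                if (rport == port) count[$3 " " $2 " " $1 " " remote]++
                next
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of `lsof -n -P` output; users, PIDs and devices are made up.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named     812   named   20u  IPv4   2101      0t0  UDP 111.111.111.111:53
httpd    2207  nobody   18u  IPv4  88120      0t0  TCP 111.111.111.111:80->203.0.113.9:51544 (ESTABLISHED)
perl     4321 userone    3u  IPv4  90417      0t0  UDP 111.111.111.111:36482->222.222.222.222:80
perl     4321 userone    4u  IPv4  90418           UDP 111.111.111.111:36483->222.222.222.222:80
php      5150 usertwo    5u  IPv4  90533      0t0  UDP 111.111.111.111:40112->198.51.100.7:53
EOF
}

# On a live server, feed it real data instead of the sample:
#   /usr/sbin/lsof -n -P -i UDP | udp_port_owners 80
sample_lsof | udp_port_owners 80
```

Once a PID is known, `lsof -n -p PID` shows the script and working directory that process has open, which points at the account's files.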
     