Track Outgoing Port 80 Connections - Compromised Scripts - Botnet Attacks - Etc

Solokron

In the case of a compromised script making connections on port 80 outgoing, what do you guys typically use to log or catch an offending script doing so? I have a server (running suPHP) which was reported to hit the abuseeat honeypot last night and configserver is not catching it. I've used netstat and several basic tools but what do you find to be the most effective?

Thanks!
 

quizknows

Usually ps faux is pretty reliable - often the bad processes stick out like a sore thumb and have spoofed names like crond. If you see a fake crond, host, etc. proc running as a user instead of root, use lsof -p on it and see what's going on.

Otherwise check:

lsof -i :80

When you see the PID that is connecting to a remote port 80 rather than accepting a connection to local port 80, use lsof -p on that pid number to find the working directory of it.

You're lucky that SuPHP makes tracking this stuff a lot easier. DSO can be a nightmare.

Worst case if you come up totally blank, might be time to maldet scan or clamscan all your public_html dirs.
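
The check described in the reply above, as an added example that is not part of the original thread: it filters lsof output down to sockets that connect out to a remote port 80 (ignoring the web server's own listener and inbound requests) and, on a live host, looks up each offender's working directory with lsof -p. The sample lsof lines, the user name, the addresses and the --live switch are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Sample data below is constructed.

# Constructed `lsof -nP -i TCP:80` output: a listener, an inbound web request,
# and a user-owned process with a spoofed name connecting OUT to remote port 80.
sample_lsof() {
cat <<'EOF'
COMMAND   PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1201        root    4u  IPv4  18231      0t0  TCP *:80 (LISTEN)
httpd    1350      nobody    9u  IPv4  40112      0t0  TCP 192.0.2.10:80->198.51.100.23:51844 (ESTABLISHED)
crond   28817 exampleuser    3u  IPv4  40977      0t0  TCP 192.0.2.10:43122->203.0.113.7:80 (ESTABLISHED)
EOF
}

# Read lsof output on stdin; print "PID USER COMMAND REMOTE" only for sockets
# whose REMOTE port is 80 and whose local port is not (i.e. outgoing traffic).
outbound_port80() {
    awk '$2 ~ /^[0-9]+$/ {
        for (i = 9; i <= NF; i++) {
            if ($i !~ /->/) continue
            split($i, ends, "->")
            lport = ends[1]; sub(/.*:/, "", lport)   # text after the last colon
            rport = ends[2]; sub(/.*:/, "", rport)
            if (rport == "80" && lport != "80") print $2, $3, $1, ends[2]
        }
    }'
}

# Live use: add each offender's working directory via lsof -p, as in the reply.
report_live() {
    lsof -nP -i TCP:80 2>/dev/null | outbound_port80 |
    while read -r pid user cmd remote; do
        cwd=$(lsof -a -p "$pid" -d cwd -Fn 2>/dev/null | sed -n 's/^n//p')
        printf '%s %s %s -> %s cwd=%s\n' "$pid" "$user" "$cmd" "$remote" "${cwd:-?}"
    done
}

# "--live" is this example's own switch; without it the sample data is used.
case "${1:-}" in
    --live) report_live ;;
    *)      sample_lsof | outbound_port80 ;;
esac
```

Run as root with --live so lsof can see every account's sockets; short-lived connections can be missed between runs, so repeating it in a loop during the abuse window helps.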
 

Solokron

I didn't think to use lsof -p. Good call. Thank you!
 

cPanelMichael

> I didn't think to use lsof -p. Good call. Thank you!

I am happy to see you were provided with a useful solution. Let us know if it helps you find the source of the abusive script.

Thanks.