The Community Forums


Track Outgoing Port 80 Connections - Compromised Scripts - Botnet Attacks - Etc

Discussion in 'Security' started by Solokron, Jan 29, 2014.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    In the case of a compromised script making outgoing connections on port 80, what do you guys typically use to log or catch an offending script doing so? I have a server (running suPHP) which was reported to hit the abuseat honeypot last night, and configserver is not catching it. I've used netstat and several basic tools, but what do you find to be the most effective?

    Thanks!
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Usually ps faux is pretty reliable; often the bad processes stick out like a sore thumb and have spoofed names like crond. If you see a fake crond, host, etc. proc running as a user instead of root, use lsof -p on it and see what's going on.

    Otherwise check:

    lsof -i :80

    When you see the PID that is connecting to a remote port 80 rather than accepting a connection to local port 80, use lsof -p on that pid number to find the working directory of it.

    You're lucky that SuPHP makes tracking this stuff a lot easier. DSO can be a nightmare.

    Worst case if you come up totally blank, might be time to maldet scan or clamscan all your public_html dirs.
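The two steps quizknows describes (pick out PIDs with an outbound connection to remote port 80 from lsof, then look at each one's working directory with lsof -p), as an added shell example that is not from the thread. It assumes lsof's usual column layout; the embedded lsof output is a constructed sample using documentation IP addresses, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: automate the two steps quizknows describes.
# Step 1: from `lsof -nP -i TCP`, keep only processes with an ESTABLISHED
#         connection to a remote port (default 80); listening sockets have no "->".
# Step 2: for each PID, show its working directory and binary (what `lsof -p` reveals).
# Assumes lsof's usual columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)

# Usage: outbound_connections [port]  (reads lsof output on stdin)
# Prints: PID USER COMMAND REMOTE  for every outbound connection to that port.
outbound_connections() {
    port="${1:-80}"
    awk -v port="$port" '
        $(NF-1) ~ "->" && $NF == "(ESTABLISHED)" {
            remote = $(NF-1); sub(/^.*->/, "", remote)
            n = split(remote, p, ":")          # last piece is the port, IPv6 included
            if (p[n] == port) print $2, $3, $1, remote
        }'
}

# Usage: process_context PID  -- cwd and executable of the process (the lsof -p step)
process_context() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -p "$1" 2>/dev/null | awk '$4 == "cwd" || $4 == "txt" { print $4, $NF }'
    else
        printf 'cwd %s\ntxt %s\n' "$(readlink "/proc/$1/cwd")" "$(readlink "/proc/$1/exe")"
    fi
}

# Live run on this host: list outbound connections to the port, then locate each process.
scan_outbound() {
    lsof -nP -i TCP 2>/dev/null | outbound_connections "${1:-80}" |
    while read -r pid user cmd remote; do
        echo "== PID $pid ($cmd) running as $user -> $remote"
        process_context "$pid"
    done
}

# Constructed sample lsof output (documentation IPs), for an offline dry run.
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1234 nobody    4u  IPv4  11111      0t0  TCP *:80 (LISTEN)
httpd    1235 nobody    5u  IPv4  11112      0t0  TCP 203.0.113.5:80->198.51.100.9:51234 (ESTABLISHED)
php      4321  user1    3u  IPv4  22222      0t0  TCP 203.0.113.5:45210->198.51.100.7:80 (ESTABLISHED)
crond    4444  user1    3u  IPv6  33333      0t0  TCP [2001:db8::5]:40000->[2001:db8::7]:80 (ESTABLISHED)
sshd     2222   root    3u  IPv4  44444      0t0  TCP 203.0.113.5:22->198.51.100.8:33333 (ESTABLISHED)'

# Dry run against the sample: only the php process and the fake user-owned crond remain.
demo() { printf '%s\n' "$SAMPLE_LSOF" | outbound_connections 80; }

if [ "${1:-}" = "--live" ]; then scan_outbound 80; else demo; fi
```

Inbound traffic to the local web server (the httpd row with remote port 51234) and unrelated services are dropped, so what is left is exactly the "connecting out to port 80" set worth inspecting with lsof -p.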
     
  3. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    I didn't think to use lsof -p. Good call. Thank you!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I am happy to see you were provided with a useful solution. Let us know if it helps you find the source of the abusive script.

    Thanks.
     