Track Outgoing Port 80 Connections - Compromised Scripts - Botnet Attacks - Etc

Solokron

Well-Known Member
Aug 8, 2003
850
1
168
Seattle
cPanel Access Level
DataCenter Provider
In the case of a compromised script making connections on port 80 outgoing, what do you guys typically use to log or catch an offending script doing so? I have a server (running suPHP) which was reported to hit the abuseeat honeypot last night and configserver is not catching it. I've used netstat and several basic tools but what do you find to be the most effective?

Thanks!
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
usually ps faux is pretty reliable- often the bad processes stick out like a sore thumb and have spoofed names like crond. If you see a fake crond, host, etc. proc running as a user instead of root, use lsof -p on it and see what's going on.

Otherwise check:

lsof -i :80

When you see the PID that is connecting to a remote port 80 rather than accepting a connection to local port 80, use lsof -p on that pid number to find the working directory of it.

You're lucky that SuPHP makes tracking this stuff a lot easier. DSO can be a nightmare.

Worst case if you come up totally blank, might be time to maldet scan or clamscan all your public_html dirs.
 

Solokron

Well-Known Member
Aug 8, 2003
850
1
168
Seattle
cPanel Access Level
DataCenter Provider
I didn't think to use lsof -p. Good call. Thank you!