The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Tracking down outgoing packets

Discussion in 'General Discussion' started by leighj, Aug 9, 2005.

  1. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    156
    I recently had my server compromized. So I secured it by reading a few of the threads
    I have APF running and I'm getting outgoing traffic that's being dropped. HOWEVER I'm not sure how to find out what is doing this.

    I have my logs and all and I can see the traffic (Ip address and all) but I'm not sure which process it's coming from.

    Is there a way to find this out?
     
    #1 leighj, Aug 9, 2005
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Well, if the port is bound you can see what has it open with:

    netstat -lpn

    You can also use lsof to see what processes might have a port open. Ultimately, you can use tcpdump and monitor all traffic on a particular port, IP address, etc.
     
    #2 chirpy, Aug 10, 2005
  3. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    156
    Thanks I've looked at both of those options but... the program opening the port seems to only open the port intermittantly and from random IP addresses and to random IP addresses... I was hoping there was a tcpdump option that could track the source app of the packets but I know I was dreaming or drunk at the time...
     
    #3 leighj, Aug 10, 2005
  4. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Lewisville, Tx
    There is a tool called ngrep which is pretty good at helping track down packets on certain IPs also.
     
    #4 kris1351, Aug 10, 2005
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    I had a search for something that would easily allow you to monitor a port and track back to the app but didn't find anything (I didn't try that hard).

    Something you could do, if you really wanted, is to look at some kind of daemon on the server that listens on that port and once a connection to it is made, it keeps it open and then runs lsof or the like to track back what has that connection open. Just an idea, something like that may already be out there.
     
    #5 chirpy, Aug 10, 2005
  6. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    156
    The thing is that it's kinda triggered by something (not by crond i THINK) and then tries to send out traffic on a weird port.

    The only thing I could find out about the port was
    Port number: 50858 (also 50700)
    Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3
    Common service(s): client
    Service description(s): Outgoing client connections from systems.
    Common server(s): RPC based services, Windows Messaging Service.
    Common client(s): All client software (SSH, Web clients, etc.)
    Common problem(s): Insecure client software
    Encrypted options: Not applicable
    Secure options: Not applicable
    Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)
     
    #6 leighj, Aug 10, 2005
  7. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    I think I found something you can use.

    Portwatch counts the number of connections from a single ip to a specific port. This script is useful to see how many request are comming into somthing like apache/ftp/smtp/pop/imap/etc at that point in time from a single ip. Shows both UDP/TCP

    You can download it from :

    http://www.cplicensing.net/files/scripts/portwatch

    Enjoy :)
     
    #7 shashank, Aug 10, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - Tracking down outgoing
  1. Rajesh Chauhan

    Tracking down user hitting another hosting company IP

    Rajesh Chauhan, Mar 13, 2016, in forum: Security
    Replies:
    3
    Views:
    348
    storminternet
    Mar 15, 2016
  2. DWT

    Google analytics tracking ID in cPanel

    DWT, Jun 1, 2016, in forum: General Discussion
    Replies:
    1
    Views:
    768
    Infopro
    Jun 2, 2016
  3. keat63

    Named Tracking hit

    keat63, Mar 9, 2016, in forum: Security
    Replies:
    7
    Views:
    525
    keat63
    Mar 11, 2016
  4. Israel_Paya

    Process Tracking Emails

    Israel_Paya, Sep 22, 2015, in forum: Security
    Replies:
    2
    Views:
    504
    Israel_Paya
    Sep 22, 2015
  5. postcd

    How would you move/sync cpanel server to other machine with min. downtime?

    postcd, Jul 19, 2017 at 4:50 PM, in forum: Data Protection
    Replies:
    1
    Views:
    50
    cPanelMichael
    Jul 20, 2017 at 8:36 AM

Share This Page