Tracking down outgoing packets

Discussion in 'General Discussion' started by leighj, Aug 9, 2005.

  1. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    I recently had my server compromised. So I secured it by reading a few of the threads.
    I have APF running and I'm getting outgoing traffic that's being dropped. HOWEVER I'm not sure how to find out what is doing this.

    I have my logs and all and I can see the traffic (Ip address and all) but I'm not sure which process it's coming from.

    Is there a way to find this out?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, if the port is bound you can see what has it open with:

    netstat -lpn

    You can also use lsof to see what processes might have a port open. Ultimately, you can use tcpdump and monitor all traffic on a particular port, IP address, etc.
     
  3. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    Thanks, I've looked at both of those options but... the program opening the port seems to only open the port intermittently and from random IP addresses and to random IP addresses... I was hoping there was a tcpdump option that could track the source app of the packets but I know I was dreaming or drunk at the time...
     
  4. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    There is a tool called ngrep which is pretty good at helping track down packets on certain IPs also.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I had a search for something that would easily allow you to monitor a port and track back to the app but didn't find anything (I didn't try that hard).

    Something you could do, if you really wanted, is to look at some kind of daemon on the server that listens on that port and once a connection to it is made, it keeps it open and then runs lsof or the like to track back what has that connection open. Just an idea, something like that may already be out there.
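    The netstat/lsof approach from the earlier reply and the "watch for the connection, then run lsof" idea in this post, written up as an added shell example; this is not code from the thread, from cPanel or from APF. It uses `ss -tnp` (the replacement for `netstat -tnp` on current Linux; the process column is only filled in when run as root) and matches on the remote port, because local ports such as 50858 and 50700 sit in the kernel's ephemeral range and are handed to any outgoing connection, so they do not identify the program. The sample `ss` output, the addresses (RFC 5737 test ranges), the PIDs and the watched port 6667 are constructed for the example; the log path and column layout are assumptions.

```bash
#!/bin/sh
# Added example, not code from the thread: map a suspicious outbound connection
# back to the process that owns it, and poll for it so short-lived connections
# are caught (the "daemon that runs lsof once the connection is made" idea).
# Assumes the `ss -tnp` column layout (State Recv-Q Send-Q Local Peer Process);
# `ss` only shows the Process column when run as root.

# Filter ss output (stdin) for connections whose REMOTE port is in $1
# (space-separated list) and print "peer pid process" for each match.
match_connections() {
    awk -v watch="$1" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        NR == 1 { next }                       # skip the header line
        {
            peer = $5                          # Peer Address:Port column
            port = peer; sub(/.*:/, "", port)
            if (!(port in want)) next
            pid = "?"; proc = "?"
            # Process column looks like users:(("perl",pid=4321,fd=3))
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                u = substr($0, RSTART, RLENGTH)
                proc = u; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
                pid = u; sub(/.*pid=/, "", pid)
            }
            print peer, pid, proc
        }'
}

# Live poller: sample the socket table every $2 seconds (default 1) and append
# each hit, plus the owning process's exe and cwd from /proc, to the log in $3
# (assumed path). Short-lived processes are caught only if a sample lands while
# the connection is open, so keep the interval small.
watch_ports() {
    ports="$1"; interval="${2:-1}"; log="${3:-/var/log/portwatch-hits.log}"
    while :; do
        ss -tnp 2>/dev/null | match_connections "$ports" |
        while read -r peer pid proc; do
            printf '%s %s pid=%s %s\n' "$(date '+%F %T')" "$peer" "$pid" "$proc" >> "$log"
            # Grab identifying details before a short-lived process disappears.
            [ -d "/proc/$pid" ] && ls -l "/proc/$pid/exe" "/proc/$pid/cwd" >> "$log" 2>&1
        done
        sleep "$interval"
    done
}

# Constructed sample of `ss -tnp` output (RFC 5737 test addresses, made-up PIDs)
# so the filter can be exercised offline; only the perl process talks to port 6667.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 198.51.100.9:50134 users:(("sshd",pid=1201,fd=4))
ESTAB 0 0 10.0.0.5:50858 203.0.113.7:6667 users:(("perl",pid=4321,fd=3))
ESTAB 0 0 10.0.0.5:50700 203.0.113.7:6667 users:(("perl",pid=4321,fd=5))
ESTAB 0 0 10.0.0.5:443 192.0.2.20:41023 users:(("httpd",pid=2002,fd=9))'

# Offline check of the filter; on a live box you would instead start the poller:
#   watch_ports "6667 31337" 1 /var/log/portwatch-hits.log &
printf '%s\n' "$SAMPLE_SS" | match_connections "6667"
```

    Once a hit is logged, `/proc/PID/exe` and `/proc/PID/cwd` still point at the binary and working directory even if the file has since been deleted, and `lsof -p PID` lists everything else the process has open, which is usually enough to find what started it (a cron entry, a web shell under a site's document root, or a process spawned by another daemon). Using the remote side as the key also works when the local source port changes on every connection, which is the case described in the thread.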
     
  6. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    The thing is that it's kinda triggered by something (not by crond I THINK) and then tries to send out traffic on a weird port.

    The only thing I could find out about the port was
    Port number: 50858 (also 50700)
    Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3
    Common service(s): client
    Service description(s): Outgoing client connections from systems.
    Common server(s): RPC based services, Windows Messaging Service.
    Common client(s): All client software (SSH, Web clients, etc.)
    Common problem(s): Insecure client software
    Encrypted options: Not applicable
    Secure options: Not applicable
    Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)
     
  7. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I think I found something you can use.

    Portwatch counts the number of connections from a single IP to a specific port. This script is useful to see how many requests are coming into something like apache/ftp/smtp/pop/imap/etc at that point in time from a single IP. Shows both UDP/TCP.

    You can download it from :

    http://www.cplicensing.net/files/scripts/portwatch

    Enjoy :)
     