Tracking down outgoing packets

leighj

Well-Known Member
Feb 21, 2003
I recently had my server compromised. So I secured it by reading a few of the threads.
I have APF running and I'm getting outgoing traffic that's being dropped. HOWEVER, I'm not sure how to find out what is doing this.

I have my logs and all and I can see the traffic (Ip address and all) but I'm not sure which process it's coming from.

Is there a way to find this out?

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Well, if the port is bound you can see what has it open with:

netstat -lpn

You can also use lsof to see what processes might have a port open. Ultimately, you can use tcpdump and monitor all traffic on a particular port, IP address, etc.

leighj

Well-Known Member
Feb 21, 2003
Thanks, I've looked at both of those options but... the program opening the port seems to only open the port intermittently and from random IP addresses and to random IP addresses... I was hoping there was a tcpdump option that could track the source app of the packets but I know I was dreaming or drunk at the time...

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I had a search for something that would easily allow you to monitor a port and track back to the app but didn't find anything (I didn't try that hard).

Something you could do, if you really wanted, is to look at some kind of daemon on the server that listens on that port and once a connection to it is made, it keeps it open and then runs lsof or the like to track back what has that connection open. Just an idea, something like that may already be out there.
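Taking chirpy's two suggestions together (the netstat -lpn / lsof lookup above, and tracing a live connection back to the process that owns it), here is an added example that is not code from the thread or from APF: it does the lookup the way lsof does, by parsing an APF/iptables-style log line, matching that connection in /proc/net/tcp, and walking /proc/*/fd for the socket inode. The log line, the /proc/net/tcp excerpt and all addresses and ports in it are constructed; it assumes Linux and needs root to read other users' fd directories.

```python
"""Added example, not from the thread: map an outbound connection in an APF/iptables
log line to its owning PID via /proc (the data netstat -p and lsof read). Linux, root."""
import os
import re
import socket
import struct

# Constructed inputs (not from the thread): a netfilter-style log line and a
# /proc/net/tcp excerpt; /proc/net/tcp stores IPv4 addresses as little-endian hex.
SAMPLE_LOG = ("Oct  2 11:23:51 srv kernel: ** OUT_TCP DROP ** IN= OUT=eth0 "
              "SRC=10.0.0.5 DST=192.0.2.77 PROTO=TCP SPT=50858 DPT=6667")
SAMPLE_PROC_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:C6AA 4D0200C0:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 48213 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11042 1
"""

def parse_log(line):
    """(src, spt, dst, dpt) from a netfilter log line, or None if fields are missing."""
    f = dict(re.findall(r"\b(SRC|DST|SPT|DPT)=(\S+)", line))
    if {"SRC", "DST", "SPT", "DPT"} <= set(f):
        return f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"])
    return None

def _hex_addr(field):
    """'0500000A:C6AA' -> ('10.0.0.5', 50858)."""
    return socket.inet_ntoa(struct.pack("<I", int(field[:8], 16))), int(field[9:], 16)

def parse_proc_net_tcp(text):
    """Rows of (local_ip, local_port, remote_ip, remote_port, inode)."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        cols = line.split()
        if len(cols) >= 10:
            rows.append(_hex_addr(cols[1]) + _hex_addr(cols[2]) + (int(cols[9]),))
    return rows

def find_inode(rows, src, spt, dst, dpt):
    """Socket inode for the log's 4-tuple, or None if the socket is already gone."""
    return next((r[4] for r in rows if r[:4] == (src, spt, dst, dpt)), None)

def inode_to_pid(inode):
    """Walk /proc/*/fd for 'socket:[inode]' (what lsof does); None if no owner found."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target
                   for fd in os.listdir(f"/proc/{pid}/fd")):
                return int(pid)
        except OSError:  # process exited or permission denied: skip it
            continue
    return None
```

Because the connection is short-lived, as leighj describes, this has to run from a loop or log watcher that fires on each new DROP line; if the socket is already closed, find_inode returns None and there is nothing left to resolve.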

leighj

Well-Known Member
Feb 21, 2003
The thing is that it's kinda triggered by something (not by crond I THINK) and then tries to send out traffic on a weird port.

The only thing I could find out about the port was:
Port number: 50858 (also 50700)
Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3
Common service(s): client
Service description(s): Outgoing client connections from systems.
Common server(s): RPC based services, Windows Messaging Service.
Common client(s): All client software (SSH, Web clients, etc.)
Common problem(s): Insecure client software
Encrypted options: Not applicable
Secure options: Not applicable
Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)

shashank

Well-Known Member
PartnerNOC
Apr 12, 2003
I think I found something you can use.

Portwatch counts the number of connections from a single IP to a specific port. This script is useful to see how many requests are coming into something like apache/ftp/smtp/pop/imap/etc. at that point in time from a single IP. Shows both UDP/TCP.

You can download it from:

http://www.cplicensing.net/files/scripts/portwatch

Enjoy :)