Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Tracking down outgoing packets

Discussion in 'General Discussion' started by leighj, Aug 9, 2005.

  1. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    156
    I recently had my server compromized. So I secured it by reading a few of the threads
    I have APF running and I'm getting outgoing traffic that's being dropped. HOWEVER I'm not sure how to find out what is doing this.

    I have my logs and all and I can see the traffic (Ip address and all) but I'm not sure which process it's coming from.

    Is there a way to find this out?
     
    #1 leighj, Aug 9, 2005
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Well, if the port is bound you can see what has it open with:

    netstat -lpn

    You can also use lsof to see what processes might have a port open. Ultimately, you can use tcpdump and monitor all traffic on a particular port, IP address, etc.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 chirpy, Aug 10, 2005
  3. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    156
    Thanks I've looked at both of those options but... the program opening the port seems to only open the port intermittantly and from random IP addresses and to random IP addresses... I was hoping there was a tcpdump option that could track the source app of the packets but I know I was dreaming or drunk at the time...
     
    #3 leighj, Aug 10, 2005
  4. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Lewisville, Tx
    There is a tool called ngrep which is pretty good at helping track down packets on certain IPs also.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 kris1351, Aug 10, 2005
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    I had a search for something that would easily allow you to monitor a port and track back to the app but didn't find anything (I didn't try that hard).

    Something you could do, if you really wanted, is to look at some kind of daemon on the server that listens on that port and once a connection to it is made, it keeps it open and then runs lsof or the like to track back what has that connection open. Just an idea, something like that may already be out there.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 chirpy, Aug 10, 2005
  6. leighj

    leighj Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    156
    The thing is that it's kinda triggered by something (not by crond i THINK) and then tries to send out traffic on a weird port.

    The only thing I could find out about the port was
    Port number: 50858 (also 50700)
    Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3
    Common service(s): client
    Service description(s): Outgoing client connections from systems.
    Common server(s): RPC based services, Windows Messaging Service.
    Common client(s): All client software (SSH, Web clients, etc.)
    Common problem(s): Insecure client software
    Encrypted options: Not applicable
    Secure options: Not applicable
    Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)
     
    #6 leighj, Aug 10, 2005
  7. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    I think I found something you can use.

    Portwatch counts the number of connections from a single ip to a specific port. This script is useful to see how many request are comming into somthing like apache/ftp/smtp/pop/imap/etc at that point in time from a single ip. Shows both UDP/TCP

    You can download it from :

    http://www.cplicensing.net/files/scripts/portwatch

    Enjoy :)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 shashank, Aug 10, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - Tracking down outgoing
  1. jk_dc

    Email Tracking & Reporting

    jk_dc, Apr 20, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    133
    cPanelMichael
    Apr 20, 2018
  2. denverdataman

    Tracking Redirects

    denverdataman, Mar 27, 2018, in forum: Workarounds and Optimization
    Replies:
    4
    Views:
    165
    cPanelMichael
    Mar 28, 2018
  3. postcd

    How to manually downgrade from WHM v. 74?

    postcd, Aug 16, 2018 at 9:54 AM, in forum: General Discussion
    Replies:
    7
    Views:
    107
    Tarak Nath
    Aug 17, 2018 at 4:16 AM
  4. toplisek

    The system is going down for reboot NOW!

    toplisek, Aug 16, 2018 at 3:36 AM, in forum: Security
    Replies:
    1
    Views:
    39
    cPanelMichael
    Aug 16, 2018 at 11:47 AM
  5. jcwacky

    Should I "Convert All Accounts to PHP-FPM"? Downsides?

    jcwacky, Aug 11, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    82
    jcwacky
    Aug 15, 2018 at 5:38 AM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice