Tracing out going attacks

Tiffany Walker asked:

I have noticed ALOT of the following:

Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=ME DST=OUT LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44395 DF PROTO=TCP SPT=55901 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0

How can I figure out which website is sending such an attack?

PHP is running as fast_cgid with CloudLinux.

My answer:

If, as your log seems to indicate, the packet originated with your system, then you need to figure out not “which website is sending such an attack” but what (or who) on your system is generating the traffic.

Now with that out of the way, TCP port 10080 is most often used by the Amanda backup system. If you have set up Amanda to back up your server to a remote host, then this may be what is causing the traffic (and if it’s blocked, then your backups aren’t working!).

(Some PC games also use TCP port 10080, but I presume you aren’t playing PC games on this Linux box…)

To find out who initiated the connection, modify each of the firewall logging rules to add --log-uid. The user ID which initiated the connection will then be logged as UID=###. An example:

iptables ..... -j LOG --log-uid ...

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.