How to discover listening connections?
Hey,
I got an abuse report for one of my servers, but I cannot figure out how to check this deeply. I use config firewall, and I block every port; only 80 and the service ports are enabled.
Usually, how do you solve this kind of problem? For now I tried the Apache status page and so on, but I cannot figure it out.
Thanks
Here is the screen about the abuse report:
http://www.kepfeltoltes.eu/images/hdd1/2018/06/09/8932018_06_09_16_00_45.png
Port 47479 is closed. So... hm. Any suggestions?
Comments
netstat -antpu
iftop
tcpdump -ni [external-interface]
But if it's any kind of serious rootkit you are not going to find much.
Edit: Just saw the port is listed as source. It's not like you are going to find that open. The report basically says your server is talking to a known C&C address, read: it is part of a botnet (or at least was, and is likely still vulnerable, as the domain seems to have been taken over by abuse.ch, which also likely sent you the report).
netstat -ntplu
netstat -tulpen
Some process on your server makes a connection to that IP. That IP and domain are a sinkhole.
Check this thread :
https://talk.plesk.com/threads/server-blacklisted-cause-connecting-to-botnet-controller.347755/
You wouldn't be able to detect these by checking listening ports, usually. These are sinkholes which happen to have recorded this coming from your server. Set up shtracer.pl and it'll display full information if it catches any such connection.
Also, you can check the messages log for some information.
Snapshot or backup your server for forensics, then blow it away and reinstall from template/ISO. You probably won't find anything in logs. Check everything in your stack for updates and known vulnerabilities, even themes, WordPress plugins, etc.
Agreed. This is the only way to handle this.
Flowers are overrated. Ant poo is where it's at.
You give your mother ant poo as present? Weirdo.
Well, neither actually. I'd rather bring some cake and a beer.
netstat -puant
(stinky netstat, in French)
Wow, all those possibilities! I am entirely certain that will come in handy some day.
Your server shouldn't connect to TCP port 80 of any host, right?
netstat -antpu | awk '$5 ~ /:80$/'
The command above will show you the PIDs of suspicious processes.
A watch would be better because, per my knowledge, these programs don't keep the connection open nor constantly keep making them. Also, shtracer is your best bet at this.
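The two posts above boil down to one filter: ignore everything that is LISTEN or that arrived at a port you serve, and keep only connections the server itself opened towards a web port or towards the IP named in the abuse report. The script below is an added example, not code from the thread or from any of the posters. It reads netstat -antpu style output on stdin (the field layout is assumed, not verified against every netstat build), and the netstat rows, service port list and sinkhole IP are all constructed sample values (RFC 5737 documentation addresses), not real data.

```shell
#!/bin/sh
# Added example, not from the thread. Filters `netstat -antpu` style output to
# the connections the *server itself* opened: local port is not one of the
# ports we serve, and the remote side is a web port or a known sinkhole/C&C IP
# from the abuse report. Everything below is constructed sample data.

# Ports this box intentionally serves (assumption for the example). An
# ESTABLISHED socket whose *local* port is in this list is an inbound client.
SERVICE_PORTS="22 80 123"

# Sinkhole/C&C addresses named in the abuse report (example value from the
# RFC 5737 documentation range, not a real sinkhole address).
WATCH_IPS="192.0.2.55"

# Constructed stand-in for `netstat -antpu` output. Field layout assumed:
# Proto Recv-Q Send-Q Local Foreign State PID/Program (UDP rows have no State).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1102/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      845/sshd
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 1105/apache2
tcp        0      0 203.0.113.10:22         198.51.100.9:40022      ESTABLISHED 2211/sshd
tcp        0      0 203.0.113.10:47479      192.0.2.55:8080         ESTABLISHED 1107/apache2
tcp        0      0 203.0.113.10:52110      203.0.113.200:443       ESTABLISHED 3310/php
udp        0      0 0.0.0.0:123             0.0.0.0:*                           601/ntpd'

# flag_outbound: read netstat output on stdin, print "PID/Program local -> remote"
# for each ESTABLISHED socket that this host initiated and that talks to a
# watched IP or to port 80/443.
flag_outbound() {
    awk -v svc="$SERVICE_PORTS" -v watch="$WATCH_IPS" '
        BEGIN {
            n = split(svc, a, " ");   for (i = 1; i <= n; i++) service[a[i]] = 1
            n = split(watch, b, " "); for (i = 1; i <= n; i++) bad[b[i]] = 1
        }
        $1 ~ /^(tcp|udp)/ && $6 == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)        # last colon-separated field
            rport = $5; sub(/.*:/, "", rport)
            rip   = $5; sub(/:[^:]*$/, "", rip)      # strip the port, keeps IPv6 intact
            if (lport in service) next               # inbound to a service we run
            if ((rip in bad) || rport == 80 || rport == 443)
                print $7, $4, "->", $5
        }'
}

printf '%s\n' "$SAMPLE" | flag_outbound
```

On the sample this reports the apache2 child on local port 47479 talking to the watched IP (the shape of the abuse report: the high port is the source) and a php process calling out to 443, and stays silent about the inbound HTTP and SSH clients. Because such beacons are short-lived, run it repeatedly (for example under watch, feeding it a fresh netstat -antpu each time) rather than once; and, as the thread says, output from a box that is already compromised is only a lead, not proof.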
If so, perhaps all connections not associated with known open ports should be checked? Just try to find some criteria to reduce the amount of data needing examination.
netstat, endless possibilities to reach the same result; it's like porn, just with less bare skin.
In OP's case he already knows the C&C IP the server is connecting to, so grepping on tcpdump would be easy. I am at a loss what's achieved by this, though. OK, it could be used to try checking the validity of the report, but then the server was compromised, so all output isn't trustworthy anyway, and if the report really came from abuse.ch I don't see a reason to doubt it.
OP should be more concerned with reinstalling the server ASAP while trying his best to avoid opening the same security hole again, and investigating the compromise using an offline backup.
Closed outgoing? I don't think so... Also, if this is/was the port your server was sending from, looking at the listening (aka receiving) ports won't help much, I guess.
It works, it shows stuff, bwahahaaha...
The netstat options discussion reminds me of the old ls -alligators and friends.
That's EITEST malware: https://www.proofpoint.com/us/threat-insight/post/eitest-sinkholing-oldest-infection-chain
You can probably find all infected files by running this grep:
grep -Rl "<?php.*=explode.*(chr.*-1; ?>" --include='*.php' /home/*/public_html/
If your path is different just replace it.
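The two globs in that grep (the .php include and the per-account directory) are easy to lose to copy-paste or a forum's formatting, and an unquoted --include=*.php can also be expanded by the shell against the current directory, so it is worth running the search against a small tree you control before pointing it at /home. The script below is an added example, not the poster's code or anything from the linked Proofpoint write-up: it builds a throwaway directory tree in the usual shared-hosting layout, drops in a constructed placeholder line that merely has the shape the pattern looks for (it is never executed and is not real malware), and checks that only the .php file is reported. It assumes GNU grep for -R and --include.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway directory tree that
# mimics a shared-hosting layout and runs the EITEST grep over it, with the
# `*` globs quoted so the shell cannot eat them. The "infected" file is a
# constructed stand-in with the same shape as the grep pattern; it is never
# executed. Uses GNU grep (--include, -R).

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/site1/public_html/wp-content/themes/x" "$WORKDIR/site2/public_html"

# Clean file: must not match.
printf '%s\n' '<?php' 'echo "hello";' > "$WORKDIR/site1/public_html/index.php"

# Constructed one-liner in the shape the pattern targets (placeholder, not real malware).
STANDIN='<?php $a=explode("|",$b);$c=(chr(ord($d))-1);$e=-1; ?>'
printf '%s\n' "$STANDIN" > "$WORKDIR/site1/public_html/wp-content/themes/x/footer.php"
# Same content but not a .php file: --include must skip it.
printf '%s\n' "$STANDIN" > "$WORKDIR/site2/public_html/notes.txt"

# find_eitest_php ROOT: list .php files under ROOT/*/public_html/ that contain
# the injected-loader shape. One path per line; exit status 1 if nothing matched.
find_eitest_php() {
    grep -Rl '<?php.*=explode.*(chr.*-1; ?>' --include='*.php' "$1"/*/public_html/
}

# show_eitest_lines ROOT: same search, but with file:line:content so the hit can
# be eyeballed before anything is deleted or restored from backup.
show_eitest_lines() {
    grep -Rn '<?php.*=explode.*(chr.*-1; ?>' --include='*.php' "$1"/*/public_html/
}

find_eitest_php "$WORKDIR"
show_eitest_lines "$WORKDIR"
```

Swap "$WORKDIR" for /home (or whatever your hosting layout uses) to run it for real; the path in the original post stays a placeholder. Finding and removing the injected loader is only cleanup of a symptom: the earlier advice in this thread, snapshot for forensics, reinstall, patch the stack, still applies.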
lsof -i | grep LISTEN