How to discover listening connections?

Hey,

I got an abuse report for one of my servers, but I cannot figure out how to check this deeply. I use config firewall, and I block every port; only 80 and the service ports are enabled.

Usually how do you solve this kind of problem? For now I tried the Apache status page, and so on, but I cannot figure it out.

Thanks

Here is the screen about the abuse report:
http://www.kepfeltoltes.eu/images/hdd1/2018/06/09/8932018_06_09_16_00_45.png

47479 port is closed. So.. hm Any suggestion?

Comments

  • mksh Member
    edited June 2018

    netstat -antpu

    iftop

    tcpdump -ni [external-interface]

    But if it's any kind of serious rootkit you are not going to find much.

    Edit: Just saw the port is listed as source. It's not like you are going to find that open. The report basically says your server is talking to a known C&C address read as is part of a botnet (or at least was and is likely still vulnerable as the domain seems to have been taken over by abuse.ch which also likely sent you the report).

  • drserver Member, Host Rep

    netstat -ntplu

  • Neoon Community Contributor, Veteran

    netstat -tulpen

    Thanked by 1pike
  • Some process in your server make a connection to that IP. That IP and domain is a sinkhole.

    Check this thread :

    https://talk.plesk.com/threads/server-blacklisted-cause-connecting-to-botnet-controller.347755/

    Thanked by 1lukesUbuntu
  • You wouldn't be able to detect these by checking listening ports usually. These are sinkholes that happen to have recorded this coming from your server. Set up shtracer.pl and it'll display full information if it catches any connection as such.

    Also, you can check messages log for some information.

  • seanho Member

    Snapshot or backup your server for forensics, then blow it away and reinstall from template/ISO. You probably won't find anything in logs. Check everything in your stack for updates and known vulnerabilities, even themes, WordPress plugins, etc.

  • mksh Member

    @seanho said:
    Snapshot or backup your server for forensics, then blow it away and reinstall from template/ISO. You probably won't find anything in logs. Check everything in your stack for updates and known vulnerabilities, even themes, WordPress plugins, etc.

    Agreed. This is the only way to handle this.

  • pike Veteran

    @Neoon said:
    netstat -tulpen

    Thanked by 3Tsuyo Aidan Ympker
  • mksh Member
    edited June 2018

    @pike said:

    @Neoon said:
    netstat -tulpen

    Flowers are overrated. Ant poo is where it's at.

    Thanked by 1vimalware
  • pike Veteran

    @mksh said:
    Flowers are overrated. Ant poo is where it's at.

    You give your mother ant poo as present? Weirdo.

  • mksh Member

    @pike said:

    @mksh said:
    Flowers are overrated. Ant poo is where it's at.

    You give your mother ant poo as present? Weirdo.

    Well, neither actually. I'd rather bring some cake and a beer.

  • Shot2 Member

    @mksh said:
    netstat -antpu

    netstat -puant

    (stinky netstat, in french)

    Thanked by 1mksh
  • mksh Member
    edited June 2018

    @Shot2 said:

    @mksh said:
    netstat -antpu

    netstat -puant

    (stinky netstat, in french)

    Wow, all those possibilities! I am entirely certain that will come handy some day.

  • @ZweiTiger said:
    47479 port is closed. So.. hm Any suggestion?

    Your server shouldn't connect to TCP port 80 of any hosts, right?

    netstat -antpu | awk '$5 ~ /:80$/'

    The command above will show you the PIDs of suspicious processes.

  • @chihcherng said:

    @ZweiTiger said:
    47479 port is closed. So.. hm Any suggestion?

    Your server shouldn't connect to TCP port 80 of any hosts, right?

    netstat -antpu | awk '$5 ~ /:80$/'

    The command above will show you the PIDs of suspicious processes.

    A watch would be better because, per my knowledge, these programs don't keep connections open, nor do they constantly keep making them.

    Also, shtracer is your best bet at this.
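    The two posts above suggest filtering `netstat -antpu` on the foreign port and polling it rather than taking one snapshot. The script below is an added example and not code from either poster: it wraps the same awk idea in functions that key on the remote port (chihcherng's `:80$` test) or on the remote IP from the abuse report, reduces the hits to PIDs, and adds a poll loop for the short-lived beacons jetchirag describes. The netstat output it runs on is a constructed sample with documentation addresses, and the column layout it assumes is the one `netstat -antp` prints on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): filter netstat -antp style output for
# established outbound connections to a given remote port or remote host and
# report the owning PIDs. Assumes the Linux netstat column layout:
#   Proto Recv-Q Send-Q Local Foreign State PID/Program
# so field 5 is the *foreign* address and field 6 the state.

# Constructed sample standing in for `netstat -antp` on a compromised host.
# 203.0.113.10 is the server; 192.0.2.55:80 plays the sinkholed C&C address.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      845/sshd
tcp        0      0 203.0.113.10:22         198.51.100.7:51234      ESTABLISHED 2310/sshd: admin
tcp        0      0 203.0.113.10:47479      192.0.2.55:80           ESTABLISHED 1337/php
tcp        0      0 203.0.113.10:80         198.51.100.9:40122      ESTABLISHED 1205/apache2'

# outbound_to_port PORT: established lines whose FOREIGN address ends in :PORT.
# LISTEN lines (foreign 0.0.0.0:*) and inbound hits on our own port 80
# (foreign port is the client's ephemeral port) are not matched.
outbound_to_port() {
    awk -v port="$1" '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $5 ~ (":" port "$")'
}

# outbound_to_host IP: same, keyed on the remote IP named in the abuse report.
outbound_to_host() {
    awk -v host="$1" '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && index($5, host ":") == 1'
}

# pids_of: reduce matching lines to unique PIDs (field 7 is PID/Program).
pids_of() {
    awk '{ split($7, p, "/"); print p[1] }' | sort -u
}

# watch_outbound PORT [INTERVAL] [COUNT]: poll the live netstat COUNT times,
# INTERVAL seconds apart, timestamping every hit. A beacon that connects for a
# second every few minutes is missed by a single snapshot but caught here.
watch_outbound() {
    port="$1"; interval="${2:-5}"; count="${3:-60}"
    i=0
    while [ "$i" -lt "$count" ]; do
        netstat -antp 2>/dev/null | outbound_to_port "$port" | while IFS= read -r line; do
            printf '%s %s\n' "$(date -u +%FT%TZ)" "$line"
        done
        i=$((i + 1))
        sleep "$interval"
    done
}

# Offline demonstrations on the constructed sample.
suspicious_pids_port80() {
    printf '%s\n' "$SAMPLE_NETSTAT" | outbound_to_port 80 | pids_of
}

suspicious_pids_host() {
    printf '%s\n' "$SAMPLE_NETSTAT" | outbound_to_host "$1" | pids_of
}

suspicious_pids_port80   # prints 1337, the php process talking to 192.0.2.55:80
```

    Note that matching on field 5 is what keeps the inbound apache2 session out of the result: its foreign side is the visitor's ephemeral port, not :80. On a live host, `watch_outbound 80 5 120` samples for ten minutes; as mksh points out, the PID it names still comes from a compromised system, so treat it as a lead for the offline investigation rather than proof.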

  • jetchirag said: A watch would be better because, per my knowledge, these programs don't keep connections open, nor do they constantly keep making them.

    If so, perhaps all connections not associated with known open ports should be checked? Just try to find some criteria to reduce the amount of data needing examination.

  • Neoon Community Contributor, Veteran

    netstat, endless possibilities, to reach the same result, its like porn, just less bare skin.

  • mksh Member

    @chihcherng said:

    jetchirag said: A watch would be better because, per my knowledge, these programs don't keep connections open, nor do they constantly keep making them.

    If so, perhaps all connections not associated with known open ports should be checked? Just try to find some criteria to reduce the amount of data needing examination.

    In OP's case he already knows the C&C IP the server is connecting to, so grepping on tcpdump would be easy. I am at a loss what's achieved by this, though. OK, it could be used to try checking the validity of the report, but then the server was compromised, so all output isn't trustworthy anyway; and if the report really came from abuse.ch I don't see a reason to doubt it.

    OP should be more concerned with reinstalling the server asap while trying his best to avoid opening the same security hole again while investigating the compromise using an offline backup.

  • Falzo Member

    ZweiTiger said: 47479 port is closed. So.. hm Any suggestion?

    closed outgoing? I don't think so... also if this is/was the port your server was sending from, looking at the listening aka receiving ports won't help much I guess.

  • Janevski Member
    edited June 2018
    # netstat -poontang

    It works, it shows stuff, bwahahaaha... :D

  • seanho Member
    edited June 2018

    The netstat options discussion reminds me of the old
    ls -alligators and friends.

  • Malin Member

    That's EITEST malware: https://www.proofpoint.com/us/threat-insight/post/eitest-sinkholing-oldest-infection-chain
    You can probably find all infected files by running this grep:

    grep -Rl "<?php.*=explode.*(chr.*-1; ?>" --include='*.php' /home/*/public_html/

    If your path is different just replace it.
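    The grep above is easy to get wrong (the `*` in `--include` and in the path are shell globs, and a pattern typo silently finds nothing), so it helps to try it on a throwaway web root first. The script below is an added example, not Malin's command or anything from the Proofpoint write-up: it builds a temporary docroot with clean files and one constructed, inert file that merely reproduces the explode/chr/-1 token sequence the regex keys on, runs the same grep restricted to `.php`, and lists the hits with owner and mtime for the offline forensics seanho recommends. The directory layout (`<root>/*/public_html`) mirrors the path in the post; everything else is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the thread): exercise the EITEST-style grep on a
# constructed temporary web root before pointing it at /home/*/public_html/.

# make_sample_docroot: prints the path of a throwaway root containing two
# sites. One .php file is a constructed, inert stand-in that only reproduces
# the token sequence the regex looks for; a .txt with the same tokens checks
# that --include really limits the search to PHP files.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/site1/public_html/wp-content" "$root/site2/public_html"
    printf '<?php echo "hello"; ?>\n' > "$root/site1/public_html/index.php"
    printf '<?php $a=explode(",", "x,y"); $b=(chr(65)); $c=-1; ?>\n<?php echo "page"; ?>\n' \
        > "$root/site1/public_html/wp-content/header.php"
    printf '<?php echo "clean"; ?>\n' > "$root/site2/public_html/index.php"
    printf '<?php $a=explode(",", "x,y"); $b=(chr(65)); $c=-1; ?>\n' \
        > "$root/site2/public_html/notes.txt"
    printf '%s\n' "$root"
}

# find_injected ROOT: the grep from the post (BRE: "(" and "?" are literal),
# restricted to *.php, printing paths relative to ROOT so output is stable.
find_injected() {
    root="$1"
    grep -Rl '<?php.*=explode.*(chr.*-1; ?>' --include='*.php' "$root"/*/public_html \
        | sed "s#^$root/##" | sort
}

# forensic_list ROOT: same hits with owner, size and mtime, the fields worth
# recording (and copying off-box) before the server is reinstalled.
forensic_list() {
    root="$1"
    find_injected "$root" | while IFS= read -r rel; do
        ls -l "$root/$rel" | awk -v f="$rel" '{ print $3, $5, $6, $7, $8, f }'
    done
}

cleanup_sample() { rm -rf "$1"; }

# Stand-alone run: build the fixture, show the hit, tear down.
ROOT=$(make_sample_docroot)
forensic_list "$ROOT"     # one line, ending in site1/public_html/wp-content/header.php
cleanup_sample "$ROOT"
```

    Once `find_injected` returns exactly the planted file and nothing else, replace the root argument with `/home` (or whatever your hosting panel uses) and run it as a user that can read every docroot. Removing the matches cleans the symptom only; the post from seanho still applies, since whatever wrote those files also made the outbound connections in the report.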

  • vimalware Member
    edited June 2018

    lsof -i | grep LISTEN
