The server generates outgoing requests to other sites. It is necessary to find the user account on the server on whose behalf these requests are generated.
- Any OS
- Any control panel
The example below shows how to log outgoing requests to port 80 whose payload contains the string "testtest047".
1. Create a custom rule that logs all outgoing requests to port 80 containing the string "testtest047" (the --log-uid option records the UID of the process that opened the socket):
# iptables -I OUTPUT -p tcp -m tcp -m string --string "testtest047" --algo kmp --dport 80 -j LOG --log-prefix "Outgoing attack: " --log-level 4 --log-uid
2. Generate a test request as any user (to check that the rule works; the query string must contain the same string the rule matches on):
$ wget --quiet "http://google.com/?string=testtest047"
3. The request will be logged in the system log:
# tail -n2 /var/log/messages
Feb 8 16:49:16 1354153 kernel: Outgoing attack: IN= OUT=eth0 SRC=10.51.48.14 DST=22.214.171.124 LEN=176 TOS=0x00 PREC=0x00 TTL=64 ID=56169 DF PROTO=TCP SPT=48296 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 UID=1288 GID=1288
Feb 8 16:49:16 1354153 kernel: Outgoing attack: IN= OUT=eth0 SRC=10.51.48.14 DST=126.96.36.199 LEN=180 TOS=0x00 PREC=0x00 TTL=64 ID=14083 DF PROTO=TCP SPT=53282 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 UID=1288 GID=1288
In this example, the requests were made by the user with UID 1288 on the server.
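As an added example (not part of the original article), the following Python script parses the kernel log lines produced by the rule above, groups them per UID and resolves each UID to an account name from passwd-format text; the sample log lines and passwd entries are constructed, and the account names are placeholders.

```python
from collections import defaultdict

# Constructed sample input modelled on the two kernel log lines above (iptables
# LOG target with --log-uid); a line from a second UID and an unrelated sshd
# line are added to show grouping per user and filtering of other log entries.
SAMPLE_LOG = """\
Feb 8 16:49:16 1354153 kernel: Outgoing attack: IN= OUT=eth0 SRC=10.51.48.14 DST=22.214.171.124 LEN=176 TOS=0x00 PREC=0x00 TTL=64 ID=56169 DF PROTO=TCP SPT=48296 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 UID=1288 GID=1288
Feb 8 16:49:16 1354153 kernel: Outgoing attack: IN= OUT=eth0 SRC=10.51.48.14 DST=126.96.36.199 LEN=180 TOS=0x00 PREC=0x00 TTL=64 ID=14083 DF PROTO=TCP SPT=53282 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 UID=1288 GID=1288
Feb 8 16:50:02 1354153 kernel: Outgoing attack: IN= OUT=eth0 SRC=10.51.48.14 DST=22.214.171.124 LEN=176 TOS=0x00 PREC=0x00 TTL=64 ID=56170 DF PROTO=TCP SPT=48300 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 UID=1301 GID=1301
Feb 8 16:50:03 1354153 sshd[2211]: Accepted publickey for root from 10.0.0.5
"""

# Constructed /etc/passwd excerpt; the account names are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
site1:x:1288:1288::/var/www/vhosts/site1:/bin/sh
site2:x:1301:1301::/var/www/vhosts/site2:/bin/sh
"""

LOG_PREFIX = "Outgoing attack: "  # must equal the --log-prefix used in the iptables rule

def parse_log_line(line):
    """Return the key=value fields of one LOG line, or None if the line is not from our rule."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    # Tokens without '=' (DF, ACK, PSH) are TCP flags and are skipped; 'IN=' keeps an empty value.
    return dict(tok.split("=", 1) for tok in line[idx + len(LOG_PREFIX):].split() if "=" in tok)

def requests_by_uid(log_text, passwd_text):
    """Group matching log lines by UID -> (login name, hit count, sorted 'DST:DPT' list)."""
    names = {p[2]: p[0] for p in (l.split(":") for l in passwd_text.splitlines()) if len(p) > 2}
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or "UID" not in f:  # UID= is only present for locally generated socket traffic
            continue
        hits[f["UID"]][0] += 1
        hits[f["UID"]][1].add(f"{f['DST']}:{f['DPT']}")
    return {uid: (names.get(uid, "<unknown>"), n, sorted(d)) for uid, (n, d) in hits.items()}

if __name__ == "__main__":
    for uid, (name, n, dsts) in sorted(requests_by_uid(SAMPLE_LOG, SAMPLE_PASSWD).items(), key=lambda kv: -kv[1][1]):
        print(f"UID {uid} ({name}): {n} request(s) to {', '.join(dsts)}")
```

On a real server, feed it the output of grep "Outgoing attack" /var/log/messages and the contents of /etc/passwd instead of the constructed samples.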
After that, the files and databases of the account with the detected UID can be checked with Malware Scanner. It is also worth checking the processes running on behalf of this user and the user's cron tasks: it is possible that the suspicious requests are generated by the cron scheduler or by in-memory malware.
If nothing is detected, it is worth checking the site's access.log: the requests made to the site's scripts may be logged there, which shows through which script the attack is generated.