[SOLVED] Determining the file/application used by a network connection.
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Determining the file/application used by a network connection.
I am not a Linux expert, but not a newbie either. I am recently experiencing an interesting problem that I just wanted to share and get your opinions.
A few days ago one of my server's IP, which I use as a shared web server for a bunch of websites, got blacklisted. The server is a Linux server running CentOS with cPanel control panel.
I have found the note below in the database which was blacklisted my IP.
This IP is infected with, or is NATting for a machine infected with Win32/Zbot (Microsoft).
This was detected by observing this IP attempting to make contact to a Zeus Command and Control server, with contents unique to Zeus C&C command protocols.
Zbot is known by other names: Wsnpoem (Symantec) and most commonly as Zeus.
Zbot/Zeus is a banking trojan, and specializes in stealing personal information (passwords, account information, etc) from interactions with banking sites through the use of "formgrabs".
This was detected by a TCP/IP connection from X.X.X.X on port 58955 going to IP address 126.96.36.199 (the sinkhole) on port 80.
The botnet command and control domain for this connection was "zxcqsd1rfasga.com".
This detection corresponds to a connection at 2013-01-10 15:20:20 (GMT - this timestamp is believed accurate to within one second).
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
You will need to find and eradicate the infection before delisting the IP address.
We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators.
If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.
We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.
Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.
This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.
The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.
Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.
Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.
While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.
The interesting thing is, this Zeus thing seems to be working only Windows based machines. So it should not be possible for this to happen on a Linux server in my opinion. The only thing that I can think of is, a proxy script or something that an account might be using which might have been used by an infected Windows computer. However, this is the point where I am lost as I am not sure how I can detect this script on server, and I am even not sure if there is any.
When I check the active connections on the server during a day(via netstat), I can see multiple connections to remote servers over port 80 but I am not sure if I can say that all these connections are caused by the same thing? (I guess they might be Wordpress caching stuff etc., might they?)
I was wondering if this can be tracked through this way or another way? Is my assumption correct? I would really appreciate any comments/opinions on this whether be positive or negative.
That's an understatement: the report says it got listed nearly two weeks ago. Linux may be free to use but using it is not free of responsibilities.
Originally Posted by compix
a proxy script or something that an account might be using which might have been used by an infected Windows computer.
What I find interesting is the reason your web server is (perceived to be) (ab)used for proxying traffic. AFAIK Zeus (and I haven't read that much really) isn't that "intelligent" to modify a users proxy settings and while I should not speculate about these things there's two generic options: somebody deliberately configured their machine to use yours for proxying purposes or somebody "discovered" yours as an open proxy.
then add these logging and blocking rules at their appropriate position ('iptables -t filter --line-numbers -nvxL OUTPUT;' to review) in the filter table OUTPUT chain:
iptables -t filter -A OUTPUT -p ALL -m state --state NEW -m set --match-set BLOCK dst -j LOG --log-prefix "OUT_zeus "
iptables -t filter -A OUTPUT -p ALL -m state --state NEW -m set --match-set BLOCK dst -j DROP
*Note the list is refreshed about ever twenty four hours so you probably want to automate downloading the new list, cleaning stale addresses and loading new ones into list. And please don't mistake this set of blocking rules for a "solution".
Secondly out-of-the-box Apache installations still come with all LSO's enabled including proxying ('grep "^LoadModule.proxy" httpd.conf;') so it would be good to review your configuration for what you allow. That goes for the firewall and other services as well. We don't know the location of the web server (could you be willingly proxying for your own LAN?) or if you're running a proxy service too. And like you said an interpreter-based proxy script or other "fun" could be running. It can be grepped for or better: use RFx' Linux Malware Detect ClamAV rules (just load them on the clamscan command line) on your own and your customers homes and all docroots. While you're at it review the servers system and daemon logs for anomalies (or use Logwatch for generating leads), review your own and your customers homes for anything seemingly odd and while you inspect things don't leave your own local machine(s) out.
Third, yes, you can list (I prefer 'lsof -Pwln -a -i;') processes and network traffic but without ways to correlate it (remote domain names or IP addresses, Zeus agent signatures, process details that mark it suspicious or rogue) I wonder how efficient that will be. (I made a web log post about traffic correlation here but I hope you find the cause without having to resort to that kind of stuff.) Sure you should inspect processes but IMHO you shouldn't focus on remote ports. Besides there's no way telling if traffic will be constant or transient. If your investigation turns up nothing you could install Snort as Emerging Threats, zeustracker and SourceFire include Zeus signatures and sniff traffic but I'd go for quick wins first.
I noticed you marked this thread solved without posting how you solved the case. This does not leave any clues for others who might face the same problem in the future and it's a rather unsatisfactory ending for those who love to troubleshoot and diagnose things. So I would appreciate it if you would reciprocate and offer us a quick run-through of that measures you took and of your findings,
Hi unSpawn, you are right I should let everyone know with what I did. I was just way too hasty while working on this problem and completely forgot this thread. Sorry about that.
Here's what I did;
I have tried running LMD (Linux Malware Detect). It did found about 8-10 (some were same) and I have cleaned all of them.
I have created an egress filter as advised and monitored the logs for about 2-3 days and have not noticed any outgoing connection to Zeus trackers. (I also created an update script to update blocklist every 24 hours.) I have not been blacklisted by the database so far.
As for your Apache configuration suggestion, this server has a default(almost) cPanel/WHM Apache configuration and I confirmed that the proxy module was not enabled/loaded. I have also my firewall tightly configured, just allows regular incoming/outgoing HTTP, HTTPS, POP(S), IMAP(S), DNS and some cPanel/WHM specific port connections.
I'll keep monitoring this and will update this thread if I notice anything new.