Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I think we're going to need some more details about what is going on. By the way, in the case of suspected compromises, this forum tends to work rather differently than others you may have seen. Here we put a high emphasis on gathering facts about the machine in question rather than speculating about what might be going on. So, with that in mind, here are some things to think about:
- What is this machine used for and why do you think this traffic was suspect?
- What distro is running on it, and how well patched/maintained is it?
- Are there any existing intrusion detection systems in place?
- Have you examined your log files for anything out of the ordinary?
Some potentially helpful information can be obtained from:
lsof -Pwn
ps -axfwwwe
netstat -pane
With these, you are looking for anything suspicious, and feel free to post outputs.
In addition, if you feel the machine has been compromised, I'd strongly suggest pulling the network cable, but do NOT reboot/turn off the machine. If you don't have physical access, you might use iptables to cut off all access except SSH from a trusted IP.
Also, have a look at the CERT Checklist for a good process to develop more facts about the machine.
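The two steps in this reply (isolate the host but keep SSH from one trusted address, then capture the output of lsof, ps and netstat as evidence) as one added example script; this is not code from the thread. It assumes a Debian-style host with iptables and sha256sum, and the trusted address and output directory are placeholders you pass in.

```shell
#!/bin/sh
# Added example: snapshot volatile state with the three commands recommended
# above, and print iptables rules that cut off everything except SSH from a
# trusted admin address. Run as root on the suspect host; the rules are
# printed rather than applied so they can be reviewed first.

# Emit rules that drop all traffic except loopback and SSH from $1.
# Apply after review with:  isolation_rules TRUSTED_IP | sh
isolation_rules() {
    trusted="$1"
    [ -n "$trusted" ] || { echo "usage: isolation_rules TRUSTED_IP" >&2; return 1; }
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s $trusted --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d $trusted --sport 22 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Run each evidence command, keeping stdout, stderr and a SHA-256 of the
# output in $1 so the files can be shared and later shown to be unaltered.
# Prints the number of commands that were found and run.
# Caveat from the thread: if ps/netstat/lsof were replaced by an intruder
# their output cannot be trusted; compare against known-good binaries.
collect_snapshot() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    count=0
    for cmd in "lsof -Pwn" "ps -axfwwwe" "netstat -pane"; do
        name=$(echo "$cmd" | cut -d' ' -f1)
        if command -v "$name" >/dev/null 2>&1; then
            $cmd > "$outdir/$name.txt" 2> "$outdir/$name.err" || true
            sha256sum "$outdir/$name.txt" >> "$outdir/SHA256SUMS" 2>/dev/null || true
            count=$((count + 1))
        else
            echo "$name not found; skipped" >> "$outdir/missing.txt"
        fi
    done
    echo "$count"
}
```

Without root, netstat and lsof will omit other users' sockets, so collect the snapshot as root to get the full picture the reply asks for.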
Thanks for your reply and sorry for my late reply.
Quote:
- What is this machine used for and why do you think this traffic was suspect?
The box is a kvm server hosting a couple of running VMs. The server is also the firewall.
I suspected an intrusion when my very limited upload bandwidth started being saturated by an http(80) upload to a domain name I did not recognise.
Quote:
- What distro is running on it, and how well patched/maintained is it?
I am running an up to date debian 5.x with the latest patches (up to a week)
Quote:
- Are there any existing intrusion detection systems in place?
None. I wanted to give snort a try but the learning curve seemed a tad high for the limited time I had. I guess I should regret not taking the time now.
Quote:
- Have you examined your log files for anything out of the ordinary?
My log files don't seem to show much but I was in a bit of a panic so I might go back to them now and have a closer look but nothing jumped out.
I suppose the three commands you mention are only any good during the attack. If it's a bot, I could reopen the port, run the commands, get the data and close it again. Although, the less gets out, the happier I am obviously.
Thank you for your link, I'll have a look at it over the weekend and run some tests. I took down all non critical VMs.
Is there a short learning curve intrusion detection software or am I going to have to accept snort is the one and get on with it?
Quote:
The box is a kvm server hosting a couple of running VMs.
Can I ask what the purpose of the suspect VM is? A web server? Email server? General purpose? The reason I'm asking is that will be helpful to know the kinds of services that were exposed to the outside world.
Quote:
I suppose the three commands you mention are only any good during the attack
I guess it depends on how you define "during the attack". Basically those three are for looking at what is currently running on the system in fair depth. Since you've seen unusual traffic on port 80, it is pretty safe to assume that if the machine was cracked, they left software running and hopefully these commands will show something. Of course if they really know what they are doing, they may have replaced some common commands with cracked ones designed to hide their activities.
Quote:
If it's a bot, I could reopen the port, run the commands, get the data and close it again. Although, the less gets out, the happier I am obviously.
I don't think you need to re-open port 80. Unless the rogue program is checking for connectivity to some external location and shutting down if it doesn't have any, it is likely blissfully unaware that it is sending information into the bit bucket rather than its intended destination.
Quote:
Is there a short learning curve intrusion detection software or am I going to have to accept snort is the one and get on with it?
It is going to depend on the software you choose, but an IDS like snort definitely is going to require some effort. A simpler approach is to use a HIDS like Aide or Samhain, but those by themselves are not likely to be sufficient since they detect cracks after the event. You probably should be thinking about an overall security plan that includes hardening, detection and recovery. There isn't a single magic bullet here.
Quote:
I am running an up to date debian 5.x with the latest patches (up to a week)
Excellent! Far too many people don't bother with patches. It's nice to see someone getting that aspect right.
By the way, am I safe in assuming that the suspect machine is a VM? Also, if some of the logs/outputs/evidence is too large to post, let us know and we'll get a place where it can be stored and shared. There are several people in this forum who like doing this sort of investigation, so you will get help if you develop evidence.