Tracing outgoing attacks

Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. It also lets them detect problems early, before they get out of hand and compromise your business. As a result, the risk of operational setbacks is drastically lower.

But the only way to get the most out of server management is to perform it correctly. To help you do so, this article shares nine tips on improving your server management and works through a problem involving Linux, a web server, a firewall and web hosting.

I have noticed a lot of the following:

Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=ME DST=OUT LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44395 DF PROTO=TCP SPT=55901 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0

How can I figure out which website is sending such an attack?

PHP is running as fast_cgid with CloudLinux.

Solution:

If, as your log seems to indicate, the packet originated with your system, then you need to figure out not “which website is sending such an attack” but what (or who) on your system is generating the traffic.

Now with that out of the way, TCP port 10080 is most often used by the Amanda backup system. If you have set up Amanda to back up your server to a remote host, then this may be what is causing the traffic (and if it’s blocked, then your backups aren’t working!).

(Some PC games also use TCP port 10080, but I presume you aren’t playing PC games on this Linux box…)

To find out who initiated the connection, modify each of the firewall logging rules to add --log-uid. The user ID which initiated the connection will then be logged as UID=###. An example:

iptables ..... -j LOG --log-uid ...
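As an added example (not part of the original answer), here is a small script that parses log lines in the format shown above once --log-uid is in place and tallies the blocked outbound connections per UID, destination and port. It assumes the kernel-style KEY=VALUE layout of the line quoted in the question; the sample lines, addresses and UIDs below are constructed.

```python
import pwd
import re
from collections import Counter

# Constructed sample lines in the format quoted above, after --log-uid has
# been added to the LOG rules (UID=/GID= now appear at the end). The last
# line deliberately lacks UID= to mimic a rule that was not yet updated.
SAMPLE_LOG = """\
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44395 DF PROTO=TCP SPT=55901 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44396 DF PROTO=TCP SPT=55902 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44397 DF PROTO=TCP SPT=55903 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44398 DF PROTO=TCP SPT=55904 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# Matches KEY=VALUE tokens; bare flags such as DF and SYN are ignored.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of KEY=VALUE fields for a TCP_OUT Blocked line, else None."""
    if "TCP_OUT Blocked" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarize(log_text):
    """Count blocked outbound TCP packets keyed by (UID, DST, DPT).

    Lines logged without --log-uid carry no UID field; they are counted
    under 'unknown' rather than silently dropped, so a rule that still
    lacks the option shows up in the tally."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("PROTO") != "TCP":
            continue
        key = (fields.get("UID", "unknown"), fields.get("DST"), fields.get("DPT"))
        counts[key] += 1
    return counts


def uid_to_name(uid):
    """Resolve a numeric UID string via the local passwd database."""
    try:
        return pwd.getpwuid(int(uid)).pw_name
    except (KeyError, ValueError):
        return "uid:" + uid


def top_sources(counts, n=3):
    """Most frequent (UID, DST, DPT) tuples, i.e. who is generating the traffic."""
    return counts.most_common(n)
```

Where each account's PHP runs under its own UID, as is typical with FastCGI on CloudLinux, the UID points at the hosting account; a UID of 0 points at something running as root instead.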
