

Weird Outgoing Connection




Posted by Think Tank Networks, 05-16-2014, 02:56 AM
I'm in the process of configuring a new Ubuntu 14.04 server, and every minute or so the server tries to make a connection to an IP of my datacenter that isn't being used for anything (I confirmed with them). How can I track what is trying to make the connection? Here's what the syslog shows:

Posted by manhalab, 05-16-2014, 05:55 AM
You can use the netstat command to see live connections and track them based on source and destination IP address.

Posted by Think Tank Networks, 05-16-2014, 10:53 AM
Which netstat command would show that? netstat -c shows socket connections too, so I need something that just shows outgoing.

Posted by vanmorrison, 05-16-2014, 11:29 AM
netstat -tupan | grep 192.99.45.251

Posted by Floxxx, 05-16-2014, 11:31 AM
Considering those connections are made to varying ports on an IP that (according to your provider) is not being used, I suggest at least running a rootkit scanner (such as rkhunter), checking the auth logs for possible break-ins, and changing your password (a strong password, just to be on the safe side). It might be nothing, but you cannot be too careful when it comes to server security.

Posted by Think Tank Networks, 05-16-2014, 02:43 PM
Rkhunter hasn't detected anything, and ssh is not running on port 22. There also haven't been any logins to ssh aside from me (I get email alerts every time someone logs in).

Posted by khunj, 05-17-2014, 03:46 AM
You can get the UID/GID of the application sending those packets using iptables: Then look in your syslog. Netstat won't help you; those packets are UDP. Instead, you can use tcpdump if you want to know the content of those packets.

Posted by Think Tank Networks, 05-17-2014, 04:10 AM
Looks like it's root that's executing the connection; I don't know which binary is doing it, though. Is there any way to display the binary?

Posted by CentaurusHost, 05-17-2014, 04:14 AM
UID 0 is used by the root user. If you think these connections are not supposed to be initiated, then perhaps your system could be infected. You can use the top or ps command to see the list of running processes; that might help you investigate it further.
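Mapping the socket back to a binary, as an added example that is not part of the thread: it parses the kernel socket tables in /proc/net/udp and /proc/net/tcp, decodes the hex-encoded addresses, and walks /proc/<pid>/fd to find the process holding the matching socket inode. The sample table, its port and inode values are constructed; it assumes Linux on a little-endian host and root for reading other users' fd tables.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/udp for the offline check; the second row is
# a socket connected to 192.99.45.251:8080 and owned by uid 0 (root).
SAMPLE_UDP_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  23: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 15631 2 0000000000000000 0
  45: 1E0A0A0A:9C40 FB2D63C0:1F90 01 00000000:00000000 00:00000000 00000000     0        0 20817 2 0000000000000000 0
"""

def decode_addr(hex_addr):
    """'FB2D63C0:1F90' -> ('192.99.45.251', 8080). The kernel prints the IPv4 address
    as a host-order integer (octets reversed on little-endian x86/ARM); port is big-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_socket_table(text):
    """One dict per socket row: local, remote, uid, inode (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                         "uid": int(f[7]), "inode": int(f[9])})
    return rows

def sockets_to(rows, ip):
    """Rows whose peer is `ip`. Caveat: a UDP sender using sendto() on an unconnected
    socket shows 0.0.0.0:0 here; for those the iptables LOG --log-uid rule is the right tool."""
    return [r for r in rows if r["remote"][0] == ip]

def inode_to_processes(inode):
    """Walk /proc/<pid>/fd for 'socket:[inode]'; return (pid, exe) pairs.
    Reading other users' fd tables needs root."""
    target, hits = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target for fd in fds):
                hits.append((int(pid), os.readlink(f"/proc/{pid}/exe")))
        except OSError:  # process exited or permission denied
            continue
    return hits

if __name__ == "__main__":
    for table in ("/proc/net/udp", "/proc/net/tcp"):
        with open(table) as fh:
            for row in sockets_to(parse_socket_table(fh.read()), "192.99.45.251"):
                print(table, row["remote"], "uid", row["uid"], inode_to_processes(row["inode"]))
```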

Posted by Think Tank Networks, 05-17-2014, 04:27 AM
tcpdump doesn't show that IP either (probably because the port is being blocked by csf). An even odder thing is how the system got infected in the first place. Only 3 ports are open (80, 443, and ssh); the web service isn't even started yet (I haven't gotten around to configuring it yet), and the only things I've installed are security tools and the web server (PHP, MySQL, etc.). I'll reinstall the system just to be safe, though. Thanks for all the help.


