Score:1

How to find the linux user that sent the packet


Our server is compromised and we would like to know which accounts sent the malicious queries from our server. I used tcpdump to get this:

 our.host.net.48194 > box5596.bluehost.com.http: Flags [P.], cksum 0x0bf8 (incorrect -> 0x5061), seq 0:741, ack 1, win 229, options [nop,nop,TS val 260555861 ecr 3817788688], length 741: HTTP, length: 741
    POST /xmlrpc.php HTTP/1.1
    Host: www.devynamaya.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    Content-Length: 484
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Connection: close
    
    <?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data><value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>admin</string></value><value><string>password123</string></value></data></array></value></data></array></value></member></struct></value></data></array></value></param></params></methodCall>[!http]

On the other hand, I installed different other tools like clamav, chkrootkit, rkhunter, etc. And for the tcpdump packets, I use Wireshark.

The problem is that I can't seem to find the user that sent that packet, so that I can suspend their cPanel account.

Are there any tools that help track the account that is compromised? We have hundreds of users on this server and it is like looking for a needle in a haystack.

Analysing packets would just be useless if I can't know which client has a compromised website.

Thanks !

If you have a compromised system you should reinstall it. Maybe you can use `iptables` to do the logging https://serverfault.com/q/627824/187998
djdomi
Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server)
SmootQ
@djdomi, I don't know if it answers my question or not, but I will check it out and see what is suggested in the answers. Thank you so much for the reference. Best!
SmootQ
@NiKiZe we are already considering migrating the accounts to another server, but we should try to solve the issue with this server first before doing that. There is also another problem: even if we migrate accounts, some of them will still be infected, so we have to be careful.
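The iptables logging suggested in the comments can be made to answer the question directly, because the netfilter LOG target can record the UID of the local process that opened each outbound socket. The script below is an added example, not code from the original post or from any of the tools mentioned: it shows the rule (with the prefix name "OUT-HTTP" chosen for the example), then parses log lines of the form that rule produces and maps UIDs to usernames via a passwd file. The log lines, passwd entries, addresses and UIDs are constructed for the demo. Two caveats a practitioner should keep in mind: on a cPanel host this only identifies the account if PHP runs as the account user (suPHP, CGI, mod_ruid2 and similar handlers); with PHP as an Apache module every request is logged as the webserver user and the UID tells you nothing about which site is infected. And for a connection that is still open, `ss -tnpe` on the live host shows the owning process and uid without any logging.

```shell
#!/bin/sh
# Added example, not from the original post. Attribute outbound HTTP traffic to a
# local Linux user with an iptables LOG rule that records the socket owner's UID,
# then map the logged UIDs back to usernames.

# Step 1 (root, on the live server; shown here but not run by this script):
# log every NEW outbound TCP connection to ports 80/443 together with UID/GID of
# the local process that opened the socket. Rule and options are standard
# iptables/netfilter; the "OUT-HTTP" prefix is a name chosen for this example.
#
#   iptables -I OUTPUT -p tcp -m multiport --dports 80,443 \
#            -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "OUT-HTTP " --log-uid
#
# Kernel log lines then look like the constructed samples in demo_report below.

# Step 2: summarise the log by (username, destination). Unknown UIDs are kept as
# "uid:N" so that a deleted account still shows up.
#   $1 - file of kernel log lines (e.g. /var/log/kern.log or `journalctl -k`)
#   $2 - passwd-format file (normally /etc/passwd)
owner_report() {
    awk -v passwd="$2" '
    BEGIN {
        # name[uid] = username, read from the passwd file
        while ((getline line < passwd) > 0) {
            n = split(line, f, ":")
            if (n >= 3) name[f[3]] = f[1]
        }
    }
    /OUT-HTTP / {
        uid = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (uid != "") {
            who = ((uid in name) ? name[uid] : "uid:" uid)
            count[who " " dst ":" dpt]++
        }
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed demo input: three LOG lines and a minimal passwd file. Hostnames,
# addresses, usernames and UIDs are made up for the example.
demo_report() {
    dir=$(mktemp -d)
    cat > "$dir/kern.log" <<'EOF'
Jan 10 12:00:01 host kernel: OUT-HTTP IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10001 DF PROTO=TCP SPT=48194 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1042 GID=1042
Jan 10 12:00:02 host kernel: OUT-HTTP IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10002 DF PROTO=TCP SPT=48195 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1042 GID=1042
Jan 10 12:00:03 host kernel: OUT-HTTP IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10003 DF PROTO=TCP SPT=51200 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1007 GID=1007
Jan 10 12:00:04 host kernel: unrelated line that must be ignored
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1007:1007::/home/alice:/bin/bash
bobsite:x:1042:1042::/home/bobsite:/bin/bash
EOF
    owner_report "$dir/kern.log" "$dir/passwd"
    rm -rf "$dir"
}

# Prints one line per (user, destination), busiest first:
#   2 bobsite 198.51.100.5:80
#   1 alice 192.0.2.77:443
demo_report
```

On a real host, point `owner_report` at the kernel log and `/etc/passwd`; the account at the top of the list is the one to inspect first, and the destination column lets you match it against the host seen in the tcpdump capture.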
Score:2

Most compromised accounts/servers tend to have malware inside them, which sends out malicious queries, email spam thanks to infected files, etc. Analysing packets would be kind of hard and useless at this point.

What you can do is scan the users' document root directories with Maldet.

I've used maldet before; it's a great tool with its own signature database, which uses clamav as an engine when clamav is installed and available.

SmootQ
Thank you so much for your great answer. I heard about maldet and did not try it yet. I will check it out for sure. Thanks!