Score:0

Monitor outgoing specific traffic


I have kind of an idea but I want to consult. I was following this guide for finding out which PHP processes spawn outgoing brute force attacks. I found the culprits; everything is working fine.

Now, how could I make an automatic system for all of this? Some kind of script that inserts the cron job, creates the other script, sets up everything, finds the IP addresses with grep in the files and then analyzes the other files to give me the specific PHP process + domain.

Or maybe it would be simpler to have a script to check outgoing traffic for, let's say, matches such as POST /xmlrpc.php.

Or maybe this has been solved altogether and I am wasting time.

The specific guide: https://www.nocser.net/clients/index.php/knowledgebase/484/How-to-Detect-Website-Used-for-Hacking-Others.html

Thanks for any input :)

Score:0

> I have kind of an idea but I want to consult. I was following this guide for finding out which PHP processes spawn outgoing brute force attacks. I found the culprits; everything is working fine.

The problem is that your approach is insane.

You have no idea if the attackers left other backdoors, and you have not patched the vulnerability. The normal response to such security issues is not to find the one script with a problem - but rather restore from backup or code repositories.

That said, there are plenty of Intrusion Detection Systems out there. But the market is usually for finding compromised machines, not script level - for reasons I outlined above.

Accidental CTO
This is for site hosting, and WordPress vulnerabilities appear every day, not much I can do to control them without impacting other users.
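An added example, not part of the thread or of the linked guide: one way to automate the per-account attribution asked about in the question is to log outgoing web connections with the owning UID and flag accounts that contact an unusual number of distinct hosts. It assumes each hosting account runs PHP under its own UID, that a netfilter LOG rule with `--log-uid` and the hypothetical prefix `OUT-WEB` is in place, and that a threshold of 20 hosts suits the server; the log lines are constructed.

```python
import re
from collections import defaultdict

# Fields of a netfilter LOG line written with --log-uid. UID= is present only
# when the packet has an owning local socket. "OUT-WEB" is an assumed prefix.
LINE_RE = re.compile(
    r"OUT-WEB .*?DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+) .*?UID=(?P<uid>\d+)")

def fanout_by_uid(lines, web_ports=(80, 443)):
    """Map UID -> set of distinct remote hosts it opened web connections to."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m["dpt"]) in web_ports:
            seen[int(m["uid"])].add(m["dst"])
    return seen

def suspicious_uids(lines, max_hosts=20):
    """UIDs whose distinct-destination count exceeds max_hosts, busiest first."""
    counts = {uid: len(dsts) for uid, dsts in fanout_by_uid(lines).items()}
    hits = [(uid, n) for uid, n in counts.items() if n > max_hosts]
    return sorted(hits, key=lambda item: -item[1])

def _sample(dst, uid, dpt=80):
    # Constructed log line in the kernel LOG format, documentation addresses.
    return (f"Jan 10 03:14:01 web1 kernel: OUT-WEB IN= OUT=eth0 SRC=192.0.2.10 "
            f"DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP "
            f"SPT=40122 DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0 "
            f"UID={uid} GID={uid}")

SAMPLE = (
    # UID 1004: one account contacting 60 different hosts (wide fan-out)
    [_sample(f"198.51.100.{i}", 1004) for i in range(1, 61)]
    # UID 1007: a site polling the same two servers repeatedly (normal)
    + [_sample(f"203.0.113.{i % 2 + 1}", 1007, 443) for i in range(40)]
    # A line without UID= (no owning socket) is skipped, not an error
    + ["Jan 10 03:14:02 web1 kernel: OUT-WEB IN= OUT=eth0 "
       "DST=198.51.100.9 DPT=80 SYN"]
)

if __name__ == "__main__":
    for uid, n in suspicious_uids(SAMPLE):
        print(f"uid={uid} distinct_web_destinations={n}")
```

Counting distinct destinations per UID works for HTTPS as well, where a payload match on `POST /xmlrpc.php` would see nothing; it identifies the account to investigate and restore, not the individual script.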