
I have noticed a lot of the following:

Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=ME DST=OUT LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44395 DF PROTO=TCP SPT=55901 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0

How can I figure out which website is sending such an attack?

PHP is running as fast_cgid with CloudLinux.

Tiffany Walker

1 Answer


If, as your log seems to indicate, the packet originated with your system, then you need to figure out not "which website is sending such an attack" but what (or who) on your system is generating the traffic.

Now with that out of the way, TCP port 10080 is most often used by the Amanda backup system. If you have set up Amanda to back up your server to a remote host, then this may be what is causing the traffic (and if it's blocked, then your backups aren't working!).

(Some PC games also use TCP port 10080, but I presume you aren't playing PC games on this Linux box...)

To find out who initiated the connection, modify each of the firewall logging rules to add --log-uid. The user ID which initiated the connection will then be logged as UID=###. An example:

iptables ..... -j LOG --log-uid ...
Michael Hampton
  • Never set up the Amanda backup system. Could someone on the shared host be using it? Is it a PHP app? – Tiffany Walker Oct 09 '12 at 01:54
  • Can you please clarify your question to describe what the machine is _supposed_ to be doing, in general? If this is something that has untrusted users on it, then the answer is going to be quite different than if it is an internal machine that users don't log in to. – Michael Hampton Oct 09 '12 at 01:56
  • Try a reverse lookup of the destination ip address and see if that gives you any clues. Also, run something like netstat that can give you process information for that particular TCP stream. – joeqwerty Oct 09 '12 at 01:56
  • @MichaelHampton yes it has untrusted users on it. Hosts websites. Main goal of the server. – Tiffany Walker Oct 09 '12 at 01:59
  • @TiffanyWalker I've updated the answer so that you can find out some information on who is initiating the connection. Then you know whose account to look at. – Michael Hampton Oct 09 '12 at 02:02
  • I wonder if there is a way to add that into CSF... (as that is what is running) – Tiffany Walker Oct 09 '12 at 02:47
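As an added example (not code from the question, the answer, or CSF), the following Python script parses firewall LOG lines of the shape shown above once `--log-uid` has added the UID= field, and tallies blocked outbound connections per local account, destination and port, so the account to inspect stands out. The log lines, addresses, UIDs and account names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in the format shown in the question, with the
# UID=/GID= fields that `-j LOG --log-uid` adds. The last line has no UID=,
# as a rule logged before --log-uid was added would produce.
SAMPLE_LOG = """\
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44395 DF PROTO=TCP SPT=55901 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44396 DF PROTO=TCP SPT=55902 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.22 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44397 DF PROTO=TCP SPT=40011 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44398 DF PROTO=TCP SPT=55903 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# Constructed stand-in for the uid -> account mapping from /etc/passwd.
PASSWD = {0: "root", 1003: "examplecust"}

# KEY=VALUE pairs; bare flags such as DF and SYN carry no '=' and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables/CSF LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def summarize(log_text, passwd=PASSWD):
    """Count blocked outbound connections per (account, DST, DPT).

    Lines without a UID= field are tallied under 'unknown' rather than
    dropped, so a gap in --log-uid coverage is visible in the output.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if "TCP_OUT Blocked" not in line:
            continue
        f = parse_line(line)
        if not f.get("DST") or not f.get("DPT"):
            continue  # malformed or truncated line
        uid = f.get("UID")
        who = "unknown" if uid is None else passwd.get(int(uid), f"uid:{uid}")
        counts[(who, f["DST"], int(f["DPT"]))] += 1
    return counts


if __name__ == "__main__":
    for (who, dst, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {who:<12} -> {dst}:{dpt}")
```

Reading the real log with `summarize(open("/var/log/messages").read())` and the host's own passwd mapping gives the per-account view the answer describes.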