One of the linux server was compromised and some of the connections are being originated from localhost to a remote location putting up the information residing on it. I'm trying to trace all outgoing connections from my server..
I have tried to
iptables -A OUTPUT -m tcp -p tcp --src 0/0 -j LOG --log-prefix "LOCALHOST SOURCED IT" --log-level 7
, this doesn't show any progress on top of already applied rules or anywhere... can someone please guide what is wrong here.
In case of a compromise, there are usually two ideas:
take the machine off the net NOW, as it may inflict more damage. Check how the bad guy did come in and rebuild the machine from scratch without that specific loophole. Only restore from backups what exactly has been verified as "okay", don't be tempted to restore "the latest backup" and "remove some suspicious scripts". You don't know when the intruder entered your box, and with some bad luck, your restore from backup otherwise may also re-install the intruder's rootkit or other malware.
create forensically useful information and take the machine offline afterwards.
Forensic information is more along this:
tcpdump -s 0 -w dumpfile.pcap to capture network traffic and later analyse this
on a different/dedicated host, e.g. using wireshark or similar software.Anyway: - Be aware that the attacker is not limited to tcp. they may also use udp or just any ip-based protocol. - If the intruder gained root access, they may have altered the logging mechanisms. You can't really trust the machine's logs anymore, the logs may have been filtered.
If you'd still like to perform some iptables logging:
iptables -I OUTPUT -p tcp -j LOG --log-prefix "LOCALHOST SOURCED IT" --log-level 7
should do the trick.
