Information Security
ILaeeeee, 2021-01-08 10:35:06

CentOS 7: how to log all network connections and traffic to identify a hole?

Hello!

The gist: a malicious PHP script periodically appears on a web server (VPS), on different sites. The task: identify the hole.

At first I thought the hole was in the PHP application. I installed mod_security for Apache and monitored all HTTP requests via its log. I did not find any holes (neither through GET, nor through POST, etc.). The script appears magically.

Vulnerability scanners did not give me anything either (the ones I used).

I looked at the messages and secure logs in CentOS. I didn't see anything suspicious either.

I thought that if there were something that logged all network connections together with the incoming data, it would help me.


4 answer(s)
ILaeeeee, 2021-01-11
@ILaeeeee

Tcpdump, Wireshark

Dmitry, 2021-01-08
@q2digger

If there is a decent modern rootkit, there is no way you will find it like that.
A compromised server must be decommissioned, disconnected from the network, and its guts picked through. A new one is deployed in its place. The site code is uploaded again, from a verified clean backup or from wherever it is stored, such as the version control system.

Valentin, 2021-01-08
@vvpoloskin

It is unlikely that you were hacked by some top rootkit; most likely it is a common script virus. Block all outgoing connections of the NEW type and use a logging proxy for the HTTP traffic that is actually needed (you can even make it transparent so that nothing has to be configured in client applications).
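
A concrete form of this advice for CentOS 7, as an added example that is not from the thread: iptables rules that log and reject every NEW outbound connection together with the UID that owns the socket, plus a function that summarises the resulting log lines. It assumes iptables is managed directly (firewalld stopped), that the LOG target lands in /var/log/messages via rsyslog, and that apache runs as uid 48 (the CentOS default); the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumptions: plain iptables
# (firewalld stopped), LOG output reaches /var/log/messages, apache = uid 48.

# Print (do not apply) the rules; run the output as root once reviewed.
outbound_logging_rules() {
    cat <<'EOF'
iptables -N OUT_NEW
iptables -A OUTPUT -m conntrack --ctstate NEW -j OUT_NEW
# Allow what the server legitimately needs (DNS; root-driven updates on 80/443).
iptables -A OUT_NEW -p udp --dport 53 -j ACCEPT
iptables -A OUT_NEW -p tcp --dport 53 -j ACCEPT
iptables -A OUT_NEW -m owner --uid-owner root -p tcp -m multiport --dports 80,443 -j ACCEPT
# Log everything else with the owning UID (rate-limited), then reject it.
iptables -A OUT_NEW -m limit --limit 10/min -j LOG --log-prefix "OUT_NEW: " --log-uid
iptables -A OUT_NEW -j REJECT
EOF
}

# Read LOG-target lines on stdin; count attempts per "UID DST:DPT",
# most frequent first. Run as: grep OUT_NEW /var/log/messages | summarize_outbound_log
summarize_outbound_log() {
    grep 'OUT_NEW:' | awk '{
        uid = "?"; dst = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        n[uid " " dst ":" dpt]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample in the shape the LOG target writes (documentation
# address ranges, not real indicators).
SAMPLE_LOG='Jan  8 10:35:06 vps kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=48 GID=48
Jan  8 10:35:07 vps kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=48 GID=48
Jan  8 10:36:00 vps kernel: OUT_NEW: IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41300 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0'

printf '%s\n' "$SAMPLE_LOG" | summarize_outbound_log
```

In the sample the top line is UID 48 (apache) opening connections to port 80, which is the kind of entry that points at the web application rather than at an operator.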

Maxim Korneev, 2021-01-12
@MaxLK

Look here: https://www.snort.org/ or https://www.ossec.net/ or equivalents.
