Jun 11, 2013
Chase Ewing

In my previous article, I outlined what to do in case you have an abuse complaint lodged against you. A major issue in dealing with complaints is actually locating the source of the abusive activity on your server. If you have subscribed to our Managed General Services package for your server or device, you are more than welcome to open a support ticket requesting assistance. This article will provide a few pointers and tips so you can have the ability to handle abuse complaints on your own, if necessary.

Typically, when a server is attacking a remote host, it does this through a network connection established to the remote host. You can use this to your advantage by checking the network connections on your host to determine if there is any malicious activity currently being sent. To do this, you can use a utility called netstat in both Linux and Windows, although the arguments/flags passed to it differ a bit, as seen below.

Linux:
netstat -nutp (for outbound connections)
netstat -lnutp (for inbound connections)

Windows:
netstat -anb | more

The output of these commands will show you:

  • The protocol of the connection (TCP or UDP)
  • The number of bytes waiting in the receive and send queues (Recv-Q/Send-Q)
  • The local and remote address and port
  • The connection state (typically, LISTEN or LISTENING denotes an inbound connection)
  • The Process ID tied to the network connection, if any

If you need to check the actual network traffic being transmitted over the wire in real time, you can use tcpdump in Linux environments, and its GUI counterpart, Wireshark, in Windows. These programs will allow you to see exactly what information is being transmitted or received on the server at the network level. Generally, I recommend that you filter out any traffic that involves your administrative session (SSH or Remote Desktop) and any communication to the DNS resolvers. So, the capture filter used in tcpdump/Wireshark would be “not port ssh and not host 216.104.43.102 and not host 216.104.43.86” on Linux and “not port 3389 and not host 216.104.43.102 and not host 216.104.43.86” on Windows. You can use this to spot any strange activity and cross-reference it against the running processes. You can find more information in the tcpdump manpage or in the Wireshark documentation:

http://www.tcpdump.org/tcpdump_man.html
http://www.wireshark.org/docs/

By now, you are probably wondering how you can see the running processes on your system that are tied to the network connections we inspected earlier. To do this in Linux, you can use the process list command with the appropriate options (ps auxf); in Windows, use the Task Manager by hitting Ctrl+Shift+Esc in your Remote Desktop session. In Task Manager, you can select what information is shown in the Processes tab by going to View > Columns. I would highly recommend that you check the PID (Process Identifier) box, since that is the value you match against the PID column of the netstat output.

You can get increased clarity into what your server processes are doing in both OS types as well. In Linux, you can install lsof (stands for ‘List Open Files’) and use it to get extended information on any process ID using the -p flag. Additionally, Microsoft has a plethora of utilities available from SysInternals, the most important of which are ProcMon and NetMon (stands for Process Monitor and Network Monitor), which you can find here:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=4865
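As an added example (not from the original post), here is a small Python script that applies the same filtering idea to `netstat -nutp` output on Linux: it parses a constructed sample of that output, drops the administrative SSH session and the resolver traffic the post suggests excluding, and groups the remaining remote hosts by PID so the process worth cross-referencing with `ps auxf` and `lsof -p` stands out. The sample connections, PIDs and program names are constructed; the resolver addresses are the ones given in the post.

```python
from collections import defaultdict

# Constructed sample of `netstat -nutp` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED 1234/sshd: admin
tcp        0    512 10.0.0.5:43211          198.51.100.9:25         ESTABLISHED 4567/perl
tcp        0    512 10.0.0.5:43212          198.51.100.10:25        SYN_SENT    4567/perl
tcp        0    512 10.0.0.5:43213          198.51.100.11:25        SYN_SENT    4567/perl
tcp        0      0 10.0.0.5:443            203.0.113.50:40022      ESTABLISHED 2200/nginx
udp        0      0 10.0.0.5:54321          216.104.43.102:53       ESTABLISHED 890/named
"""

ADMIN_PORT = 22                                   # our own SSH session (assumed port)
RESOLVERS = {"216.104.43.102", "216.104.43.86"}   # DNS resolvers named in the post

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid, program) for each connection line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skip the two header lines and anything unexpected
        proto, local, remote = parts[0], parts[3], parts[4]
        # UDP lines can omit the State column; a state is all-caps and has no '/'
        if parts[5].isupper() and "/" not in parts[5]:
            state, rest = parts[5], parts[6:]
        else:
            state, rest = "", parts[5:]
        pid, _, program = " ".join(rest).partition("/")  # program may contain spaces
        yield proto, local, remote, state, pid, program

def split_addr(addr):
    """Split 'host:port' into (host, port); rpartition also copes with IPv6 text."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def suspicious_pids(text, min_remote_hosts=2):
    """Group connections by PID after dropping the admin session and DNS traffic.
    Return {pid: (program, sorted remote hosts)} for PIDs talking to many hosts."""
    by_pid = defaultdict(lambda: [None, set()])
    for _proto, local, remote, _state, pid, program in parse_netstat(text):
        _, lport = split_addr(local)
        rhost, _ = split_addr(remote)
        if lport == ADMIN_PORT or rhost in RESOLVERS:
            continue  # same exclusions as the tcpdump/Wireshark filter in the post
        by_pid[pid][0] = program
        by_pid[pid][1].add(rhost)
    return {pid: (prog, sorted(hosts)) for pid, (prog, hosts) in by_pid.items()
            if len(hosts) >= min_remote_hosts}
```

Pipe real output in with `netstat -nutp | python3 script.py` after replacing the sample with `sys.stdin.read()`, then take each reported PID to `ps auxf` and `lsof -p PID` to see what the process is and which files it has open.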

With these tools, you should be able to get a good grasp on what is going on within your system, which is incredibly useful the next time you get an email stating that malicious activity is present on your system. Again, if you have any problems or issues tracking this down, you are more than welcome to submit a support ticket. Happy Hunting!

Comments

Dan: Great post, Chase!

Posted by Dan on June 12, 2013