Every now and then at Rackspace, as with any hosting provider. We do occasionally have issues where customers have left themselves open to attack. In such cases sometimes customers find their server is sending spam email, and is prone to other malware occurring on the Rackspace Network.
Due to AUP and other obligations, it can become a critical issue for both the uptime, and reputation of your site. In many cases, customers do not necessarily have forensic experience, and will struggle very hard to remove the malware. In some cases, the malware keeps on coming back, or, like in my customers case, you could see lots of extra network traffic still using tcpdump locally on the box.
Enter, netfilter, part of the Linux Kernel, and it is able, if you ask it, to track down where packets are coming from, on a process level. This is really handy if you have an active malware or spam process on your system, since you can find out exactly where it is, before doing more investigation. Such a method, also allows you to trace down any potential false positives, since the packet address is always included, you get a really nice overview.
To give you an idea, I needed to install a kernel with debuginfo, just to do this troubleshooting, however this depends on your distribution.
Updating your Kernel may be necessary to use netfilter debug
$yum history info 18 Transaction performed with: Installed rpm-4.11.3-21.el7.x86_64 @base Installed yum-3.4.3-150.el7.centos.noarch @base Installed yum-plugin-auto-update-debug-info-1.1.31-40.el7.noarch @base Installed yum-plugin-fastestmirror-1.1.31-40.el7.noarch @base Packages Altered: Updated kernel-debuginfo-4.4.40-202.el7.centos.x86_64 @base-debuginfo Update 4.4.42-202.el7.centos.x86_64 @base-debuginfo Updated kernel-debuginfo-common-x86_64-4.4.40-202.el7.centos.x86_64 @base-debuginfo Update 4.4.42-202.el7.centos.x86_64 @base-debuginfo
You could use a similar process using netfilter.ip.local_in, I suspect.
The Script
#! /usr/bin/env stap # Print a trace of threads sending IP packets (UDP or TCP) to a given # destination port and/or address. Default is unfiltered. global the_dport = 0 # override with -G the_dport=53 global the_daddr = "" # override with -G the_daddr=127.0.0.1 probe netfilter.ip.local_out { if ((the_dport == 0 || the_dport == dport) && (the_daddr == "" || the_daddr == daddr)) printf("%s[%d] sent packet to %s:%d\n", execname(), tid(), daddr, dport) }
Executing the Script
[root@pirax-test-new hacked]# chmod +x dns_probe.sh [root@pirax-test-new hacked]# ./dns_probe.sh Missing separate debuginfos, use: debuginfo-install kernel-3.10.0-514.2.2.el7.x86_64 swapper/3[0] sent packet to 78.136.44.6:0 sshd[25421] sent packet to 134.1.1.1:55336 sshd[25421] sent packet to 134.1.1.1:55336 swapper/3[0] sent packet to 78.136.44.6:0
I was a little bit concerned about the above output, it looks like swapper with pid 3, is doing something it wouldn’t normally do. Upon further inspection though, we find it is just the outgoing cloud monitoring call;
# nslookup 78.136.44.6 Server: 83.138.151.81 Address: 83.138.151.81#53 Non-authoritative answer: 6.44.136.78.in-addr.arpa name = collector-lon-78-136-44-6.monitoring.rackspacecloud.com. Authoritative answers can be found from: