
For the past few days I've been observing some strange recurring outgoing UDP traffic from my server on port 24441, but since it's not constant I can't seem to find what's causing it.

All I can see is the following in iptables logs:

Nov 15 00:46:33 server kernel: [17216276.676673] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=<SERVER_IP> DST=5.9.124.53 LEN=192 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60641 DPT=24441 LEN=172 UID=501 GID=513

I suspect it's some kind of malware running periodically on my server, but I want to find out what exactly. Can someone shed some light on how to catch this / log the source of it automatically when it happens? I'm running CentOS 6.7. Thanks!

Ivan
  • Thank you. Found the answer in a related thread: http://serverfault.com/questions/192893/how-i-can-identify-which-process-is-making-udp-traffic-on-linux – Ivan Nov 17 '15 at 09:25
  • In case anyone else runs into this, it seems the outgoing UDP connections were caused by Apache's SpamAssassin through "spamd child" process. I assume when it was actually catching some spam since the time intervals appeared as random. I've disabled SpamAssassin for now just to see if it happens again. – Ivan Nov 17 '15 at 09:33

1 Answer

This should do it, run continuously, but I haven't tested it :)

#!/bin/bash
# Follow the firewall log, pull the source port (SPT=) out of each blocked
# UDP_OUT line and immediately look up which process owns that local port.
# --line-buffered (grep) and -u (sed) are needed because both commands
# buffer their output when writing into a pipe, so lines would otherwise
# reach netstat long after the socket has gone away.
tail -F iptables.log | grep --line-buffered "UDP_OUT Blocked" \
  | sed -u 's/^.*SPT=//; s/[[:space:]].*$//' \
  | while read -r portnum
    do
        # netstat -p needs root; anchor on ":port " so 6064 does not also match 60641
        netstat --inet --program --udp --all -n 2>&1 | grep -E ":${portnum}[[:space:]]"
    done | tee -a suspicious.log

Tail, grep, sed extract a list of source port numbers that have been blocked, and netstat gets the program information.

cxw
  • Thanks, tried that but didn't get anything logged to 'suspicious.log' even though another event had occurred while the script was running. – Ivan Nov 15 '15 at 18:07
  • @Ivan sorry about that - fixed a bug in the script. Give it a try now. – cxw Nov 16 '15 at 13:16
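A practitioner's addendum, added here and not part of Ivan's question or cxw's answer: the logged line already carries UID=501 GID=513. Those fields are written by iptables' LOG target when --log-uid is set, so the owning account can be read straight from the log, which is reliable, whereas the netstat lookup races a short-lived UDP socket and can legitimately find nothing. The script below parses the SRC/DST/SPT/DPT/UID fields, resolves the UID through the passwd database, and only then attempts the live netstat/ss lookup as best effort. The sample log line is constructed from the one in the question with a documentation address (192.0.2.10) standing in for the redacted server IP; the log path /var/log/messages is an assumption for a default CentOS 6 rsyslog setup.

```shell
#!/bin/sh
# Added example (not the page's own code): attribute blocked outgoing UDP
# packets from the iptables LOG line itself. UID=/GID= come from the LOG
# target's --log-uid option, so the account is known even after the socket
# has closed; the netstat/ss lookup is a race and may print nothing.

# Constructed sample modelled on the question's log line; 192.0.2.10 is a
# documentation address in place of the redacted server IP.
SAMPLE_LINE='Nov 15 00:46:33 server kernel: [17216276.676673] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=5.9.124.53 LEN=192 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60641 DPT=24441 LEN=172 UID=501 GID=513'

# field KEY LINE: print the value of "KEY=value" in LINE, empty if absent.
# The leading whitespace in the pattern keeps UID= from matching inside GID=.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# uid_to_name UID: resolve a numeric UID via the passwd database (NSS), falling
# back to "uid-N" when getent is unavailable or the UID is unknown.
uid_to_name() {
    name=''
    if command -v getent >/dev/null 2>&1; then
        name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    fi
    printf '%s\n' "${name:-uid-$1}"
}

# port_owner PORT: live lookup of the process bound to local UDP PORT.
# The PID/program column requires root; empty output means the socket is gone.
port_owner() {
    { netstat -unp 2>/dev/null || ss -unp 2>/dev/null; } \
        | grep -E ":$1[[:space:]]" || true
}

# attribute LINE: one-line summary of a blocked UDP_OUT packet taken purely
# from the log fields; returns 1 for lines that are not UDP_OUT blocks.
attribute() {
    case "$1" in
        *'UDP_OUT Blocked'*) ;;
        *) return 1 ;;
    esac
    printf '%s -> %s:%s spt=%s uid=%s\n' \
        "$(field SRC "$1")" "$(field DST "$1")" "$(field DPT "$1")" \
        "$(field SPT "$1")" "$(field UID "$1")"
}

# follow_log FILE: run continuously, enriching each blocked packet with the
# account name and (best effort) the owning process. Usage, as root:
#   follow_log /var/log/messages | tee -a suspicious.log     (path assumed)
follow_log() {
    tail -F "$1" | grep --line-buffered 'UDP_OUT Blocked' | while read -r line; do
        summary=$(attribute "$line") || continue
        uid=$(field UID "$line")
        printf '%s user=%s owner=[%s]\n' "$summary" "$(uid_to_name "$uid")" \
            "$(port_owner "$(field SPT "$line")")"
    done
}

# Demonstrate the offline part on the constructed sample.
attribute "$SAMPLE_LINE"
```

Once the UID is known, `getent passwd 501` names the account, and cross-checking that account against the service running under it is usually enough to decide whether the traffic is a daemon doing its job or something that should not be there; the live socket lookup is only confirmation when the process lives long enough to be caught.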