If your server initiates connections to an unknown host, it might be a sign that your server has been compromised. With the help of tcpdump and WinDump, you can easily capture outbound TCP packets on Linux and Windows.

Install tcpdump and WinDump

tcpdump is installed by default on many Linux distributions. If it is missing, you can install it on Ubuntu with the following commands:

sudo apt update
sudo apt install tcpdump

If you work with another Linux distro, use its package manager instead (for example, dnf install tcpdump on Fedora and RHEL-based systems). Capturing packets requires root privileges, so run the tcpdump commands below as root or via sudo.

On Windows, you can work with the free WinDump tool. Before you can use WinDump, you have to install WinPcap, the capture driver it depends on. You can download both programs here. WinPcap itself is no longer maintained; Npcap installed in its WinPcap API-compatible mode also works. Once the driver is installed, copy WinDump to the folder of your choice and execute the command from there. WinDump doesn't have to be installed, but it must be run from an elevated (administrator) command prompt.

Outbound connections

Whenever you have reason to believe that attackers have installed malware on your servers, you should check whether your server establishes connections to its master, the command-and-control (C2) server. We have to distinguish here between outgoing traffic in general (which includes your server's replies to clients) and outbound connections that are initiated on your host.

On Linux, you can use tcpdump to display all outgoing packets with this command:

tcpdump -i any src host 10.0.0.1

Here, 10.0.0.1 is the IP address of your host, and src host restricts the capture to packets whose source is that address. The -i parameter determines the network interface where tcpdump listens; any means all interfaces. If you only want to listen on a specific interface, you can list the installed interfaces with tcpdump -D, ip link, or, on older systems, ifconfig. This is the corresponding WinDump command:

windump src host 10.0.0.1

Without -i, WinDump behaves like tcpdump and captures on the first adapter in its list, so on a server with a single NIC we don't need the -i parameter here. If you want to listen on a specific adapter instead, list all installed network adapters with windump -D and pass the adapter's number to -i (for example, windump -i 2 src host 10.0.0.1).

Listening on a specific network adapter with WinDump

Capturing only outgoing connections initiated by the host

Most of the outbound traffic is your server's responses to requests from clients. If many clients connect to your server from external IP addresses, you will be overwhelmed by the number of packets displayed. If attackers install malicious software on your server, it is likely that the malware will try to connect to its master; that is, it will initiate a connection to an external IP address. Those connections are the ones we want to isolate.

To capture outgoing TCP packets that are initiated on your server, you must understand the three-way handshake of the TCP protocol. Whenever a client tries to establish a TCP connection, its first packet has the SYN flag set and the ACK flag clear. The server then responds with a SYN/ACK packet (both flags set), and at the end of the three-way handshake, the client replies with an ACK packet. The first packet is therefore the only one with SYN set and ACK clear, which makes it the signature of a connection initiated by the sender.

Three-way TCP handshake

Thus, to capture only TCP connections that are initiated on our machine, we have to tell tcpdump to display only packets where the SYN flag is set. We also have to exclude packets where the ACK flag is set because otherwise we also get our server's SYN/ACK replies to connections initiated by external hosts:

tcpdump -i any src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0"
Displaying outbound connections initiated by the host

Note that tcp[tcpflags] is the flags byte of the TCP header, so the filter has to mask out the bit it is interested in; the syntax of tcpdump does not allow something like "(tcp-syn) == 1." Also notice that you cannot replace "&" (bitwise AND on the flags byte) with "and" (logical AND between filter expressions) and vice versa. Both conditions can be combined into one expression, "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn", which reads: of the SYN and ACK bits, only SYN is set. The quotes protect the parentheses and the ampersand from the shell. Adding -n keeps tcpdump from resolving host names, which slows down the output and generates lookups of its own. Keep in mind that this filter only sees TCP; malware that talks to its master over UDP (for example, via DNS) or ICMP will not show up. This is the corresponding WinDump command on Windows:

windump src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0"
Displaying outbound connections initiated by the host on Windows

Identifying malware connections

Don't panic if connections are displayed to unknown hosts. In particular, on a Windows system, you will most likely see many outbound connections to Microsoft servers because Windows very much likes to "phone home." Microsoft calls this telemetry; others call it private data harvesting.

To decide whether an unknown address is legitimate, look up its owner with whois for each unknown IP address (for example, whois 203.0.113.5 on Linux, or any web-based whois service). The registered owner of the address block tells you whether you are looking at Microsoft, your cloud or CDN provider, or a hosting company in a country your server has no business talking to. Note that whois shows who the block is registered to, not what runs on it; attackers also rent servers from legitimate hosters, so a plausible owner alone does not prove that a connection is benign.
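Over a longer capture, the SYN-only filter above produces one line per connection attempt, which is too much to read by eye. The following script is an added example, not code from the original article: it condenses tcpdump's or WinDump's text output into one line per destination with a hit count, then drops destinations inside networks you trust so that only candidates for a whois lookup remain. It assumes tcpdump's default text format ("IP src.port > dst.port: Flags [S],", optionally prefixed with interface and direction as newer tcpdump prints for -i any); the sample log and the trusted-network list are constructed for the demonstration and would be replaced by your own capture file and address ranges.

```shell
#!/bin/sh
# Added example (not from the original article): summarise a SYN-only tcpdump/WinDump
# log into "count dst_ip dst_port" lines and remove destinations in trusted networks.

# Constructed sample of what the SYN-only filter prints (not a real capture).
# Line 2 carries the interface/direction prefix newer tcpdump versions print for -i any;
# line 6 is a SYN/ACK reply and must be ignored.
SAMPLE_LOG='12:00:01.000001 IP 10.0.0.1.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 eth0 Out IP 10.0.0.1.51235 > 203.0.113.5.443: Flags [S], seq 2, win 64240, length 0
12:00:03.000001 IP 10.0.0.1.51236 > 10.0.0.53.53: Flags [S], seq 3, win 64240, length 0
12:00:04.000001 IP 10.0.0.1.51237 > 198.51.100.7.8443: Flags [S], seq 4, win 64240, length 0
12:00:05.000001 IP 10.0.0.1.51238 > 203.0.113.5.443: Flags [S], seq 5, win 64240, length 0
12:00:06.000001 IP 10.0.0.1.51239 > 203.0.113.5.443: Flags [S.], seq 6, ack 1, win 64240, length 0'

# summarise_outbound: read a capture log on stdin, print "count dst_ip dst_port",
# most frequent destination first.
summarise_outbound() {
    awk '
        {
            # locate the "IP"/"IP6" token; its position varies with the -i any prefix
            for (i = 1; i <= NF; i++) if ($i == "IP" || $i == "IP6") break
            if (i > NF || $(i + 2) != ">" || $(i + 5) != "[S],") next   # pure SYNs only
            dst = $(i + 3); sub(/:$/, "", dst)      # "203.0.113.5.443:" -> "203.0.113.5.443"
            n = split(dst, p, ".")                  # tcpdump appends the port after a dot (IPv6 too)
            port = p[n]
            ip = substr(dst, 1, length(dst) - length(port) - 1)
            count[ip " " port]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# exclude_trusted "CIDR CIDR ...": read "count ip port" lines on stdin and drop IPv4
# destinations that fall inside any of the given blocks; IPv6 destinations are kept.
exclude_trusted() {
    awk -v cidrs="$1" '
        function ip2int(s,  q) { split(s, q, "."); return ((q[1] * 256 + q[2]) * 256 + q[3]) * 256 + q[4] }
        function inside(ip, cidr,  c, div) {
            split(cidr, c, "/")
            div = 2 ^ (32 - c[2])                   # keep the top c[2] bits; POSIX awk has no and()
            return int(ip2int(ip) / div) == int(ip2int(c[1]) / div)
        }
        BEGIN { n = split(cidrs, list, " ") }
        {
            if (index($2, ":") == 0)
                for (j = 1; j <= n; j++) if (inside($2, list[j])) next
            print
        }
    '
}

# Usage: the trusted ranges (assumption) are the internal networks of this example.
printf '%s\n' "$SAMPLE_LOG" | summarise_outbound | exclude_trusted "10.0.0.0/8 192.168.0.0/16"
# Each remaining address is a candidate for: whois <ip>
```

Feed a real capture with, for example, summarise_outbound < outbound.log. The CIDR comparison uses integer division instead of the and() function because and() is a gawk extension that mawk and busybox awk lack.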

Finding the executable

If you want to know which program established the connection to a certain IP address, you can use the netstat command with the -p parameter, which shows the PID and name of the owning process (run it as root; otherwise connections of other users' processes show up without a program name). Use the -n parameter to display numeric addresses and ports instead of resolving names, and -c to repeat the output every second so that you also catch short-lived connections. On current distributions, netstat belongs to the deprecated net-tools package; ss -tnp from iproute2 prints the same information.

netstat -pnc
Displaying the program that establishes a network connection on Linux

If you pipe the output to grep, you can restrict the output to your suspicious IP address. Use -F so that the dots are matched literally rather than as regular-expression wildcards. This is the command for Linux:

netstat -pnc | grep -F 8.8.8.8

On Windows, we have to use the -b parameter instead of -p; it requires an elevated (administrator) command prompt. -n again suppresses name resolution. To display connections continuously, you have to specify the interval in seconds after the options; in the example below, the interval is 1. Instead of grep, we have to use findstr on Windows (/L searches for the string literally).

Displaying the program that establishes a network connection on Windows

netstat -b -n 1 | findstr /L 8.8.8.8
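Grepping for an address has a catch that the commands above do not handle: "8.8.8.8" also matches peers such as 18.8.8.80, and a bare search cannot tell the local from the remote side. The following script is an added example, not code from the original article: it reads the output of ss -tnp (the iproute2 equivalent of netstat -pn on Linux) and prints the state, process name, PID and peer for every socket whose remote address equals the one you are looking for, exactly. It assumes the ss output format shown in the constructed sample, including the users:(("name",pid=N,fd=M)) column that only appears when you run ss as root.

```shell
#!/bin/sh
# Added example (not from the original article): attribute a remote IP to the owning
# process from "ss -tnp" output, matching the peer address exactly.

# Constructed sample of "ss -tnp" output (not from a real system). Note the near-miss
# peer 18.8.8.80, an IPv6 peer in brackets, and a half-open socket without a process
# column (sockets of other users look like this when ss is not run as root).
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB    0      0      10.0.0.1:51234      8.8.8.8:443         users:(("curl",pid=4242,fd=5))
ESTAB    0      0      10.0.0.1:51235      18.8.8.80:443       users:(("sshd",pid=1000,fd=3))
ESTAB    0      0      10.0.0.1:51236      8.8.8.8:53          users:(("systemd-resolve",pid=700,fd=12))
ESTAB    0      0      [::1]:51237         [2001:db8::1]:443   users:(("python3",pid=5151,fd=7))
SYN-SENT 0      1      10.0.0.1:51238      8.8.8.8:4444'

# proc_for_remote IP: read ss -tnp output on stdin, print "state process pid peer:port"
# for each socket whose peer IP is exactly IP ("-" where ss shows no process).
proc_for_remote() {
    awk -v want="$1" '
        NR > 1 {                                    # skip the header line
            peer = $5
            sub(/:[0-9]+$/, "", peer)               # strip the port (last colon-number group)
            gsub(/[][]/, "", peer)                  # IPv6 peers are printed in brackets
            if (peer != want) next
            name = "-"; pid = "-"
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                name = s; sub(/.*\(\("/, "", name); sub(/".*/, "", name)
                pid = s; sub(/.*pid=/, "", pid)
            }
            print $1, name, pid, $5
        }
    '
}

# Usage against the constructed sample; on a live system: ss -tnp | proc_for_remote 8.8.8.8
printf '%s\n' "$SAMPLE_SS" | proc_for_remote 8.8.8.8
```

A SYN-SENT socket with no process column, as in the last sample line, is exactly what you see when a connection attempt to the master is still pending; rerun ss as root, or loop the command with watch, to catch the process before the socket disappears.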

Logging tcpdump and WinDump connections

Because the malware on your server might connect to its master only at certain times, or only once, you might want to log the connections initiated by your server over a longer period instead of watching the screen. To do this, we redirect the output to a file with ">":

nohup tcpdump -l -n -i any src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" > outbound.log 2>&1 &

On a bash shell, the "&" at the end of the command runs tcpdump in the background, and nohup keeps it running after you terminate your session; without nohup, bash forwards the hangup signal it receives on logout to its jobs, which ends the capture. The -l parameter makes tcpdump line-buffer its output so that each connection is written to the file as soon as it is seen rather than when the output buffer fills. If you need the full packets for later analysis instead of one text line per connection, replace the redirection with -w outbound.pcap and read the file back with tcpdump -r outbound.pcap. This is the corresponding command for Windows, where start /B runs WinDump in the background of the current console:

start /B windump -l src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" > outbound.log
© 4sysops 2006 - 2022
