Install tcpdump and WinDump
tcpdump is installed by default on many Linux distributions. If it is missing, you can install it on Ubuntu with the following commands:
sudo apt update
sudo apt install tcpdump
If you work with another Linux distro, you have to use the corresponding install commands.
On Windows, you can work with the free WinDump tool. Before you can use WinDump, you have to install WinPcap, the packet capture driver it depends on; both programs are available from the WinPcap site. Once WinPcap is installed, you can copy WinDump to the folder of your choice and execute the command from there. WinDump doesn't have to be installed. Note that WinPcap has not been maintained for years; on current Windows versions, install Npcap in its WinPcap API-compatible mode instead, and WinDump will work on top of it.
Whenever you have reason to believe that attackers have installed malware on your servers, you should check whether your server establishes connections to its command-and-control (C2) servers. We have to distinguish here between outgoing traffic in general and outbound connections that are initiated on your host.
On Linux, you can use tcpdump to display all packets leaving your host with this command:
tcpdump -i any src host 10.0.0.1
10.0.0.1 is here the IP address of your host. The -i parameter determines the network interface where tcpdump listens; "any" is a pseudo-interface that captures on all of them. If you want to listen on a single interface instead, you can list the installed interfaces with tcpdump -D (or with ip link or the older ifconfig command). It is also a good idea to add -n so that tcpdump does not resolve addresses to host names; name resolution is slow and generates DNS traffic of its own, which then shows up in your capture. This is the corresponding WinDump command:
windump src host 10.0.0.1
WinPcap has no "any" pseudo-interface; without the -i parameter, WinDump captures on the first adapter it finds, which is usually what you want on a server with a single network card. To capture on a specific interface, list all installed network adapters with the windump -D command and pass the number of the adapter with -i.
Capturing only outgoing connections initiated by the host
Most of the outbound traffic is your server's response to requests from clients. If many clients connect to your server from external IP addresses, you will be overwhelmed by the number of connections displayed. If hackers install malicious software on your server, it is likely that the malware will try to connect to its master; that is, it will initiate a connection to an external IP address.
To capture outgoing TCP connections that are initiated on your server, you must understand the three-way handshake of the TCP protocol. Whenever a client tries to establish a TCP connection, it sends a packet in which only the SYN flag is set. The server then responds with a packet in which both SYN and ACK are set (SYN/ACK), and at the end of the three-way handshake, the client replies with an ACK packet.
Thus, to capture only TCP connections that are initiated on our machine, we have to tell tcpdump to display only packets where the SYN flag is set. We also have to exclude packets where the ACK flag is set because otherwise we would also get the SYN/ACK responses our host sends to external clients. Keep in mind that this filter only covers TCP: malware that talks to its controller over UDP (DNS tunneling, for instance) or ICMP will not show up here.
tcpdump -i any src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0"
Note that tcp-syn is the value of the SYN bit (0x02), not a boolean, so something like "tcp[tcpflags] & (tcp-syn) == 1" would never match; compare the masked value with 0 (!= 0) or with the flag constant itself. An equivalent, shorter filter is "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn". Also notice that "&" and "and" are not interchangeable: "&" is the bitwise AND on the flags byte, whereas "and" combines filter expressions. This is the corresponding WinDump command on Windows:
windump src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0"
Identifying malware connections
Don't panic if connections are displayed to unknown hosts. In particular, on a Windows system, you will most likely see many outbound connections to Microsoft servers because Windows very much likes to "phone home." Microsoft calls this telemetry; others call it private data harvesting.
To find out whether your system has been compromised, look up each unknown IP address with the whois service to determine the owner of its address block. Take this only as a first indicator: C2 servers are frequently hosted at ordinary cloud providers or on compromised third-party machines, so also look at the destination port, the number of attempts, and the timing. Connections that recur at fixed intervals are typical of malware beaconing to its controller.
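The following shell script is an added example and not part of the original article. It applies the same test as the tcpdump filter above (a SYN without ACK, printed by tcpdump as Flags [S]) to the text output of tcpdump or WinDump, so it also works on an unfiltered capture, and then summarizes the connection attempts per destination and prints the unique addresses so you can feed them to whois. It assumes the default tcpdump line format ("src.port > dst.port: Flags [S]"), with or without the interface and direction columns that "tcpdump -i any" adds on newer versions. The host address 10.0.0.1 is the one used in this article; the log lines in sample_log are constructed sample data using documentation address ranges.

```shell
#!/bin/sh
# Added example: summarize a tcpdump/WinDump text log of outbound connections.
# Not code from the original article; sample data below is constructed.

# Print "dst_ip dst_port" for every connection initiation sent by HOST.
# Usage: outbound_syns HOST < outbound.log
# Flags [S] is a pure SYN; the SYN/ACK reply appears as [S.] and is skipped.
outbound_syns() {
    awk -v h="$1" '
        /Flags \[S\]/ {
            for (i = 2; i <= NF; i++) {
                # The field before ">" is the source, the field after it the
                # destination. The trailing dot makes the host match exact
                # (10.0.0.1. does not match 10.0.0.10.x).
                if ($i == ">" && index($(i - 1), h ".") == 1) {
                    dst = $(i + 1)
                    sub(/:$/, "", dst)          # strip the trailing colon
                    n = split(dst, p, ".")
                    port = p[n]                 # last component is the port
                    sub(/\.[0-9]+$/, "", dst)   # drop the port, keep the IP
                    print dst, port
                }
            }
        }'
}

# Connection attempts per destination, busiest first.
# Usage: summarize_outbound HOST < outbound.log
summarize_outbound() {
    outbound_syns "$1" | sort | uniq -c | sort -rn
}

# Unique destination addresses, one per line, e.g. for: ... | xargs -n1 whois
# Usage: unique_destinations HOST < outbound.log
unique_destinations() {
    outbound_syns "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample capture: one normal HTTPS session plus three attempts at
# one-minute intervals to an unknown host on port 8080 (beacon-like pattern).
sample_log() {
    cat <<'EOF'
09:12:01.103331 eth0  Out IP 10.0.0.1.41234 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
09:12:01.151201 eth0  In  IP 192.0.2.10.443 > 10.0.0.1.41234: Flags [S.], seq 2, ack 2, win 65535, length 0
09:12:01.151300 eth0  Out IP 10.0.0.1.41234 > 192.0.2.10.443: Flags [.], ack 1, win 502, length 0
09:12:44.200019 eth0  Out IP 10.0.0.1.41250 > 203.0.113.77.8080: Flags [S], seq 1, win 64240, length 0
09:13:44.200233 eth0  Out IP 10.0.0.1.41251 > 203.0.113.77.8080: Flags [S], seq 1, win 64240, length 0
09:14:44.200410 eth0  Out IP 10.0.0.1.41252 > 203.0.113.77.8080: Flags [S], seq 1, win 64240, length 0
09:15:02.000001 IP 10.0.0.1.41260 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
EOF
}

# Stand-alone demonstration on the constructed sample. On a real server, run
# summarize_outbound 10.0.0.1 < outbound.log instead.
sample_log | summarize_outbound 10.0.0.1
```

On the sample, the summary lists 203.0.113.77 port 8080 with three attempts ahead of the two HTTPS connections, which is exactly the kind of entry worth checking with whois and, on the host itself, with netstat as described below.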
Finding the executable
If you want to know which program established the connection to a certain IP, you can use the netstat command with the -p parameter, which adds the PID and program name of the owning process. Use the -n parameter to display only numeric values and -c to refresh the list every second. Run the command as root; otherwise netstat can only show the processes of your own user and prints "-" for the others. On distributions where netstat is no longer installed, ss -tnp gives the same information.
If you pipe the output to grep, you can restrict the output to your suspicious IP address. This is the command for Linux:
netstat -pnc | grep 22.214.171.124
On Windows, we have to use the -b parameter instead of -p; it requires an elevated command prompt. To display connections continuously, you have to specify the time interval in seconds that netstat uses to repeat the command. In the example below, the time interval is 1. Instead of grep, we have to use findstr on Windows.
netstat -b 1 | findstr 126.96.36.199
Logging tcpdump and WinDump connections
Because the malware on your server might connect only at certain times to its master, you might want to log connections initiated by your server. To do this, we redirect the output with ">":
tcpdump -nl -i any src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" &> outbound.log &
The -l parameter makes tcpdump line-buffer its output; without it, the file is only written in blocks and may look empty for a long time. In a bash shell, the "&" at the end of the command runs tcpdump in the background ("&>" is bash syntax for redirecting both standard output and standard error; in a plain sh, use "> outbound.log 2>&1" instead). Whether the background job survives the end of your session depends on the shell configuration, so prefix the command with nohup, or run it in a screen or tmux session, if you want to be sure it keeps logging after you log out. This is the corresponding command for Windows:
start /B windump src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" > outbound.log