Monitoring of network activity of processes

One of our servers, according to the hosting provider, has been hacked. The server is sending 2-4 GB of data to UDP port 80 of a Chinese IP. This is our Zabbix server; it is open from the outside and can sometimes send some data to the external IPs of other servers, although we mostly work through a VPN. HOWEVER, not to China, where we do not have a single server.

How can I track which of the processes is showing network activity? Ideally the data would be organized by traffic volume and the log written around the clock, with the ability to read it later. Maybe netstat has this capability? Thanks in advance!

Author: pleyades, 2016-09-25

2 answers

For network monitoring, I personally prefer to use:

  • iftop for real-time monitoring. Easy and informative.
  • atop for logging and analysis; with the netatop module you can track network activity per process.
  • sysdig falco is a very useful thing for monitoring the system from a security standpoint. But if the system is compromised, you should not necessarily trust the system utilities running on it: a rootkit can try to hide network activity, and the utilities themselves may be patched. In that case it is better to monitor and analyze the traffic on the gateway or firewall it passes through.
 2
Author: Andrew Hobbit, 2016-09-25 16:26:55
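
The per-process join that netstat -p and ss -p perform behind the scenes, written out as an added example (my code, not part of the question or the answers): /proc/net/udp lists each socket with its inode, and /proc/<pid>/fd/* symlinks tie inodes back to processes and their executables. Like netstat, it trusts /proc, so the rootkit caveat above applies; the sample /proc/net/udp text is constructed, not captured from the poster's host.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/udp layout (not from the poster's host): a DNS listener and one talking socket.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 16384 2 0000000000000000 0
   1: 0F00000A:BF12 ED7237C6:3039 01 00000000:00000000 00:00000000 00000000     0        0 20481 2 0000000000000000 0
"""

def decode_addr(hexaddr):
    """'ED7237C6:3039' -> ('198.55.114.237', 12345); the kernel prints IPv4 as a little-endian word."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net(text):
    """Parse /proc/net/tcp or /proc/net/udp text; the inode column is what links a socket to a process."""
    rows = (line.split() for line in text.splitlines()[1:])      # first line is the header
    return [{"local": decode_addr(f[1]), "remote": decode_addr(f[2]), "state": f[3],
             "inode": int(f[9])} for f in rows if len(f) >= 10]

def _readlink(path):                                              # None instead of raising
    try:
        return os.readlink(path)
    except OSError:                                               # target exited or not readable
        return None

def socket_owners(proc_root="/proc"):
    """Map socket inode -> pid via /proc/<pid>/fd/* symlinks (run as root to see every pid)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = [_readlink(os.path.join(fd_dir, fd)) or "" for fd in os.listdir(fd_dir)]
        except OSError:                                           # exited, or another user's pid
            continue
        for t in targets:
            if t.startswith("socket:["):                          # e.g. 'socket:[20481]'
                owners[int(t[8:-1])] = int(pid)
    return owners

def attribute(records, owners, proc_root="/proc"):
    """Join each socket to its owning pid and exe path; both None when the owner is gone or hidden."""
    out = []
    for r in records:
        pid = owners.get(r["inode"])
        exe = _readlink(os.path.join(proc_root, str(pid), "exe")) if pid is not None else None
        out.append(dict(r, pid=pid, exe=exe))
    return out
```

Run as root against the live /proc/net/udp and /proc/net/tcp files and append the attributed records to a dated log from cron to get the round-the-clock record the question asks for; a socket whose inode maps to no pid is itself worth a look.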

Thanks for the answer!

As it turned out, the malware did not replace the main system utilities, which made it possible to detect it. Suspicious connection to 198.55.114.237:12345. The process that initiated it: /tmp/hh; in the same folder, /tmp/gates.lod containing the PID of the process. A little googling then found an article describing this type of virus: how it works and how to remove it.

 0
Author: pleyades, 2016-09-26 14:58:23