Spotting Infected Domains: Identifying Sites Sending Flood/DOS Requests

Post Reply
User avatar
isscbta
Team Member
Posts: 131
Joined: Mon Jul 19, 2021 1:41 am
Has thanked: 16 times
Been thanked: 3 times

Investigating and identifying infected sites sending a high volume of requests to other IP addresses or servers:

In your SSH, as root, run:

Code: Select all

lsof -i -n | grep php
Based on this output, you can trackdown the infected website:

1111.jpeg
1111.jpeg (269.42 KiB)

Here we see that PHP running by the user "redcella" is making outgoing http/https connections to outside.

Now open Apache status, to find what site is under that account:

open-status.png
open-status.png (71.13 KiB)

Click on "WEB"

Ctrl+F "redcella"

apache-status.png
apache-status.png (300.13 KiB)
Post Reply