Spotting Infected Domains: Identifying Sites Sending Flood/DOS Requests
Posted: Fri Jul 14, 2023 4:07 pm
Investigating and identifying infected sites sending a high volume of requests to other IP addresses or servers:
Over SSH, as root, run:

lsof -i -n | grep php

Based on this output, you can track down the infected website. Here we see that PHP running as the user "redcella" is making outgoing HTTP/HTTPS connections to external hosts.

Now open Apache status to find which site is under that account:

Click on "WEB"
Ctrl+F "redcella"
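As an added example (not from the original post), here is a small POSIX shell helper that tallies the outgoing PHP TCP connections per local user from the output of lsof -i -n, so the account behind a flood stands out before you go looking in Apache status. The lsof lines embedded below are constructed sample data using documentation IP ranges; the process name php-fpm and the user names other than "redcella" are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: summarise outgoing PHP
# connections per local user from `lsof -i -n` style output so that one
# account opening many external sockets is obvious.

# Constructed sample of `lsof -i -n | grep php` output (documentation IPs,
# not captured from a real server). Columns follow lsof's layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF='php-fpm   4121 redcella   5u  IPv4 123456      0t0  TCP 203.0.113.10:44112->198.51.100.7:443 (ESTABLISHED)
php-fpm   4121 redcella   6u  IPv4 123457      0t0  TCP 203.0.113.10:44118->198.51.100.7:443 (ESTABLISHED)
php-fpm   4122 redcella   5u  IPv4 123458      0t0  TCP 203.0.113.10:44120->198.51.100.9:80 (SYN_SENT)
php-fpm   4190 bluecorp   5u  IPv4 123470      0t0  TCP 203.0.113.10:38822->192.0.2.25:443 (ESTABLISHED)
php-fpm   4200 redcella   7u  IPv4 123480      0t0  TCP 203.0.113.10:44130->198.51.100.7:443 (ESTABLISHED)
php-fpm   4300 greenco    5u  IPv4 123490      0t0  TCP *:9000 (LISTEN)'

# Count outgoing TCP sockets per user (field 3), skipping listening sockets,
# whose NAME field has no "->". Reads lsof lines on stdin and prints
# "<count> <user>" sorted with the busiest user first.
count_outgoing_by_user() {
    awk '$8 == "TCP" && $9 ~ /->/ { n[$3]++ }
         END { for (u in n) print n[u], u }' | sort -rn
}

# Print the users whose outgoing connection count is at or above a threshold.
# Usage: flag_users <threshold>   (lsof lines on stdin)
flag_users() {
    count_outgoing_by_user | awk -v t="$1" '$1 >= t { print $2 }'
}

# Show the remote host a given user is connecting to most often, which is
# what you would compare against the target of the reported flood.
# Usage: top_remote_for_user <user>   (lsof lines on stdin)
top_remote_for_user() {
    awk -v u="$1" '$3 == u && $8 == "TCP" && $9 ~ /->/ {
                        split($9, ep, "->"); split(ep[2], h, ":"); n[h[1]]++ }
         END { for (r in n) print n[r], r }' | sort -rn | head -n 1
}

# Stand-alone demonstration on the constructed sample. On a live server you
# would feed it `lsof -i -n | grep php` instead of the sample variable.
printf '%s\n' "$SAMPLE_LSOF" | count_outgoing_by_user
printf '%s\n' "$SAMPLE_LSOF" | flag_users 3
printf '%s\n' "$SAMPLE_LSOF" | top_remote_for_user redcella
```

The threshold passed to flag_users is a judgment call for your server: a busy legitimate site also opens outbound sockets (payment APIs, update checks), so compare the count against that account's normal baseline and against the remote host reported as the flood target rather than treating any single number as proof of infection.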