

Log outbound http requests in linux




Posted by linuxhostingguy, 11-27-2011, 03:51 PM
I have a cPanel server with a number of customers. I've noticed that a script on my server is making http requests to other sites looking for, presumably, wordpress vulnerabilities. I log http requests by using a transparent proxy (squid), so I can see what is going on. This, however, doesn't tell me WHO is making the request. I've searched for evil files on my customers' web sites and haven't been able to find one, but some script is still at it so I know it's there somewhere, I just need to know where to look. Is there any way for me to get the unix userid of the process that is making the http request? Either in squid or via iptables (I run apf). If only I could get the unix username passed to squid as the proxy auth... but I haven't figured out if that is possible yet. Whatever solution needs to be transparent to my customers too, so sending out proxy usernames/passwords to everyone would be impossible. This has to be a common problem. Any suggestions would be greatly appreciated.
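One answer to the question above (the unix userid behind an outbound http connection) is already on the box: the kernel's `/proc/net/tcp` table, which `netstat` and `ss` read, carries a `uid` column for every socket. The script below is an added example for this thread, not something posted by either participant. It parses that table, keeps established connections to remote ports 80/443, and reports the owning uid and login name. The sample table, the hosting-account uid 1003 and the addresses in it are constructed for illustration; on a real server call `live_http_connections()` from cron or a loop and log what it returns.

```python
"""Map established outbound HTTP/HTTPS connections to the unix uid that owns them.

Reads the /proc/net/tcp table (the same data netstat/ss use), whose 'uid' column
identifies the account the socket belongs to. Constructed sample data is embedded
so this runs offline; point live_http_connections() at the real file on a server.
"""
import pwd
import socket
import struct

ESTABLISHED = "01"  # value of the 'st' column for an established TCP socket


def hex_to_ipv4(hex_addr: str) -> str:
    """Decode a /proc/net/tcp IPv4 address (little-endian hex, e.g. 0100007F -> 127.0.0.1)."""
    return socket.inet_ntoa(struct.pack("<L", int(hex_addr, 16)))


def uid_to_name(uid: int) -> str:
    """Resolve a uid to a login name, falling back to 'uid:N' if it is not in /etc/passwd."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"uid:{uid}"


def parse_proc_net_tcp(text: str, dports=(80, 443)) -> list:
    """Return established sockets whose remote port is in dports, with their owning uid."""
    connections = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        # columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
        local, remote, state, uid = fields[1], fields[2], fields[3], int(fields[7])
        rhost_hex, rport_hex = remote.split(":")
        rport = int(rport_hex, 16)
        if state != ESTABLISHED or rport not in dports:
            continue
        lhost_hex, lport_hex = local.split(":")
        connections.append({
            "local": f"{hex_to_ipv4(lhost_hex)}:{int(lport_hex, 16)}",
            "remote": f"{hex_to_ipv4(rhost_hex)}:{rport}",
            "uid": uid,
            "user": uid_to_name(uid),
        })
    return connections


def live_http_connections(path="/proc/net/tcp", dports=(80, 443)) -> list:
    """Same as parse_proc_net_tcp, read from the running kernel (IPv4 sockets only)."""
    with open(path) as fh:
        return parse_proc_net_tcp(fh.read(), dports)


# Constructed sample: a listening sshd socket, two outbound web connections owned by
# uid 1003 (a hypothetical hosting account), and a local MySQL connection owned by root.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D1B2 0A7100CB:0050 01 00000000:00000000 00:00000000 00000000  1003        0 20002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:D1B3 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1003        0 20003 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:D1B4 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000     0        0 20004 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for c in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(f"{c['user']:<10} {c['local']:>21} -> {c['remote']}")
```

Two caveats. First, the uid is only as useful as the server's PHP setup makes it: if every site runs as the web server's own user (mod_php as a shared module), the uid narrows the culprit to "the web server", while per-account execution (suPHP/suexec style) points straight at the customer account. Second, a scanner's connections are short-lived, so sample the table frequently or, for a continuous record, use the iptables `owner` match the poster mentions (`-m owner --uid-owner <uid>` with a `LOG` target and a per-user `--log-prefix`) on outbound port 80 traffic, which stamps the uid into the kernel log as each connection is opened.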

Posted by fshagan, 11-27-2011, 07:50 PM
You might check to see if something like LMD (Linux Malware Detector) can find it; it can do an on-demand scan looking for exploited file fingerprints. I use cxs from configserver.com for this (it's $50), but I would check the forums there first to see if they think this is something that would be picked up.


