Outgoing attack from your Server IP on CentOS 7.

bhawanisingh

Brute force attacks from your server IP are a real pain for all server admins. Today we will learn how to trace the user account from which the attack is going on.
First of all you should be aware that outgoing logs are not present in "domlogs, access_log or cPanel logs", nor will you find any trace of it in "/var/log/messages".

Now, what we have to do is create a rule through IPTABLES for the IP or domain on which the attack is going on.
The attack may be brute force, wp-login, joomla-login, sinkhole, or any other kind.

You can create rules like the examples given below:
For a wp-login attack:
iptables -I OUTPUT 1 -p tcp -m tcp --dport 80 -m string --string "wp-login.php" --algo kmp --to 1024 -j LOG --log-prefix "Potential WP Attack detected" --log-level 1 --log-uid
For a Joomla login attack:
iptables -I OUTPUT 1 -p tcp -m tcp --dport 80 -m string --string "administrator" --algo kmp --to 1024 -j LOG --log-prefix "Potential Joomla Attack detected" --log-level 1 --log-uid
For a sinkhole attack on any XXXXXXXXXXXX.com domain or IP:
iptables -I OUTPUT 1 -p tcp -m tcp --dport 80 -m string --string "XXXXXXXXXXXX.com" --algo kmp --to 1024 -j LOG --log-prefix "Potential Attack detected on XXXXXXXXXXXX.com" --log-level 1 --log-uid
After adding these rules, logs for outgoing requests will be shown in "/var/log/messages". You can check and identify the culprit with the help of the UID and GID mentioned in the logs.
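The kernel LOG lines those rules produce end in "UID=... GID=..." and are easy to miss in a busy /var/log/messages. The script below is an added example, not part of the original post: it keeps only lines carrying one of the "Potential ... Attack detected" prefixes from the rules above, counts hits per UID/GID, and resolves each UID to an account name with getent. The sample log lines are constructed (host names, IPs and UIDs are made up) in the shape the LOG target writes when --log-uid is set.

```shell
#!/bin/sh
# Added example (not from the original post): find which local account is
# sending the requests that the iptables LOG rules above stamp with UID/GID.
# Assumes the "Potential ... Attack detected" log prefixes used in those rules.

# Constructed sample lines in the format the kernel LOG target writes to
# /var/log/messages with --log-uid (hosts, addresses and UIDs are made up).
SAMPLE_LOG='Jun  5 10:12:01 web1 kernel: Potential WP Attack detected IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Jun  5 10:12:02 web1 kernel: Potential WP Attack detected IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Jun  5 10:12:05 web1 kernel: Potential Joomla Attack detected IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=43212 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1002 GID=1002
Jun  5 10:12:09 web1 kernel: Potential WP Attack detected IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43213 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Jun  5 10:12:10 web1 kernel: unrelated message that also mentions UID=0 here'

# count_attack_uids: read log lines on stdin, keep only the lines written by
# the "Potential ... Attack detected" rules, and print "COUNT UID GID" with
# the busiest UID first.
count_attack_uids() {
    grep 'Potential .*Attack detected' \
    | sed -n 's/.*UID=\([0-9]*\) GID=\([0-9]*\).*/\1 \2/p' \
    | sort | uniq -c \
    | sort -k1,1nr -k2,2n \
    | awk '{ print $1, $2, $3 }'
}

# uid_to_name: map a numeric UID to an account name via the passwd database;
# prints "unknown" when the UID does not exist on this host.
uid_to_name() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf 'unknown\n'
    fi
}

# report: one line per UID, "COUNT UID(NAME) GID", read from stdin.
report() {
    count_attack_uids | while read -r count uid gid; do
        printf '%s %s(%s) %s\n' "$count" "$uid" "$(uid_to_name "$uid")" "$gid"
    done
}

# On the server you would run:  report < /var/log/messages
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_LOG" | report
```

Two things to keep in mind when using the rules above with this script: the string match only inspects the first 1024 bytes of each packet (--to 1024), so a request whose path or Host header sits beyond that offset will not be logged, and rules added with iptables -I live only in the running table, so they disappear on reboot unless you save them (and should be removed with iptables -D once the culprit is found, since string matching on every outgoing port-80 packet is not free).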
 