finding outbound connections?

dev_null
Forum Newbie
Posts: 1
Joined: Fri Nov 12, 2010 10:56 am

finding outbound connections?

Post by dev_null »

I'm inheriting a rather large php project. It's suspected that it has some "spy" code in it that connects to external sites and/or sends email to an outside source. All of the code is in "raw" php, nothing like ioncube was used to lock it up.

We're wanting to find if any such code exists.

Obviously we can grep for 'email' throughout the entire code base (and have) to find any spots that would be sending email (none were found).

We'd like to do the same for terms like file_get_contents and curl* functions, etc, but we want to make sure we have a definitive list of all the functions we should be searching for.

OR - is there a better way? Is there a php ini setting we can set that would explicitly tell php to not allow outbound connections?

Thanks in advance for any thoughts and feedback!
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: finding outbound connections?

Post by VladSun »

You can try to monitor it first. if it's Linux:

Code:

iptables -I OUTPUT -p tcp -m state --state NEW -m owner --uid-owner apache_user_id_here -j LOG --log-prefix "MONITOR"

and grep /var/log/messages for the MONITOR string

This will log all outgoing (i.e. initiating, not responding) connections made by Apache. Take a look at the destination IPs and decide whether they are legitimate ones or not.
There are 10 types of people in this world, those who understand binary and those who don't
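Added example, not code from the thread: a small Python parser for the syslog lines that a LOG rule like the one above produces, tallying NEW outbound connections per destination so each one can be reviewed once rather than line by line. Assumptions: the log lines, host name and addresses are constructed for this example; the UID= field is only written when the LOG target is given --log-uid; and a --log-prefix without a trailing space comes out fused with the first field as "MONITORIN=", which the parser tolerates.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic). The first four are
# kernel LOG entries for new TCP connections from the web server user
# (UID 48); the last is an unrelated line that must be ignored.
SAMPLE_LOG = """\
Nov 12 10:56:01 web1 kernel: [1201.334] MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=48 GID=48
Nov 12 10:56:03 web1 kernel: [1203.120] MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=41240 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0 UID=48 GID=48
Nov 12 10:56:09 web1 kernel: [1209.877] MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=41251 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=48 GID=48
Nov 12 10:57:00 web1 kernel: [1260.002] MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=TCP SPT=41260 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=48 GID=48
Nov 12 10:57:05 web1 sshd[2201]: Accepted publickey for admin from 10.0.0.2 port 50122 ssh2
"""

# KEY=VALUE pairs as the LOG target writes them; bare flags such as DF or
# SYN carry no "=" and are deliberately not captured.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line, prefix="MONITOR"):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None if the
    line does not carry the prefix. Works whether the prefix is followed by
    a space or fused with IN= ("MONITORIN=")."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))


def summarize_destinations(log_text, prefix="MONITOR"):
    """Count connections per (DST, DPT, PROTO, UID) across all LOG lines."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if not fields or "DST" not in fields:
            continue
        key = (fields["DST"], fields.get("DPT", "-"),
               fields.get("PROTO", "-"), fields.get("UID", "-"))
        counts[key] += 1
    return counts


def flag_unexpected(counts, allowed_dst):
    """Return the tallied destinations whose DST is not on the allow list
    (assumption: the operator knows the legitimate hosts, e.g. the DB server)."""
    return sorted(key for key in counts if key[0] not in allowed_dst)
```

Feeding `summarize_destinations` the output of `grep MONITOR /var/log/messages` and passing the known-good hosts to `flag_unexpected` leaves only the destinations that need a closer look, such as a mail relay or outside host the project was never supposed to contact.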