Detect process that is doing an outbound DDoS attack [duplicate]
My web host has informed me that my Fedora server is the source of an outbound DDoS attack on somebody. The web host didn't give any other information. How can I find out what process is doing the attack so that I can stop it? I realize this is vague but I think if I can view outbound traffic in some way I might be able to find the process that is sending it.
I appreciate I will need to find the point of entry once I have stopped the attack, and likely will need to re-image the server with updates.
Thanks in advance.
You could use something like iptraf (available in a repo near you). This will tell you which ports are being used on your system and at what rate. Once you know which ports are being used you can then use netstat to find the process attached to each port. So if for example you identify that your port 6666 is active you can use
netstat -tunp | grep 6666
tcp 0 77352 192.168.254.188:56405 192.168.254.181:6666 ESTABLISHED 30072/nc
As you can see in this demo, PID 30072 is using the port.
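The two-step procedure in this answer (see which ports are busy, then map the port to a PID) can be scripted over the `netstat -tunp` output itself. The POSIX shell functions below are an added example, not part of the original answer: `procs_on_port` lists the PID/program pairs attached to a given local or foreign port, and `top_senders` goes a step further than the answer by summing the Send-Q column per process, which is a quick way to spot the process pushing the most outbound data. The `netstat` output they parse here is a constructed sample embedded in the script, not output from a real host; on the affected server you would pipe `netstat -tunp` into them instead.

```sh
#!/bin/sh
# Added example: parse `netstat -tunp` output to find the process behind a port
# and rank processes by queued outbound bytes (Send-Q).

# Constructed sample of `netstat -tunp` output (not captured from a real host).
# Column layout: Proto Recv-Q Send-Q Local Foreign [State] PID/Program
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0  77352 192.168.254.188:56405   192.168.254.181:6666    ESTABLISHED 30072/nc
tcp        0      0 192.168.254.188:22      192.168.254.10:51234    ESTABLISHED 1122/sshd
tcp        0  65000 192.168.254.188:56406   192.168.254.181:6666    ESTABLISHED 30072/nc
udp        0  12000 192.168.254.188:40000   192.168.254.181:53                  30500/python3'

# procs_on_port PORT  (stdin: netstat -tunp output)
# Prints each distinct PID/Program whose local or foreign port equals PORT.
# The port is taken as the text after the last ":" so IPv6 addresses work too.
procs_on_port() {
    awk -v port="$1" '
        /^(tcp|udp)/ {
            n4 = split($4, a, ":"); n5 = split($5, b, ":")
            if (a[n4] == port || b[n5] == port) seen[$NF] = 1
        }
        END { for (p in seen) print p }' | sort
}

# top_senders  (stdin: netstat -tunp output)
# Sums the Send-Q column ($3) per PID/Program and prints "bytes pid/program",
# largest first. UDP lines have no State column, but $3 and $NF still line up.
top_senders() {
    awk '/^(tcp|udp)/ { q[$NF] += $3 }
         END { for (p in q) print q[p], p }' | sort -rn
}

# Stand-alone demonstration on the constructed sample.
echo "Processes on port 6666:"
printf '%s\n' "$SAMPLE" | procs_on_port 6666
echo "Processes by queued outbound bytes:"
printf '%s\n' "$SAMPLE" | top_senders
```

On a live host, run `netstat -tunp | top_senders` as root (without root, netstat leaves the PID/Program column empty for other users' sockets, so the awk aggregation would lump those lines under "-"). Treat the result as a lead rather than proof: a process that looks legitimate by name can still be the one injected or replaced by the attacker, which is why re-imaging after the investigation, as the question already plans, is the right end state.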