One of our servers, as the hosting provider says, has been hacked. The server sends 2-4 GB of data over UDP to port 80 of a Chinese IP. This is our Zabbix server; it is open to the outside and can sometimes send some data to the external IPs of our other servers, although we mostly work through VPN. HOWEVER, not to China: we don't have a single server there.

How can I track which process is generating the network activity? Ideally the data would be sorted by traffic volume and logged around the clock, so that it can be read later. Can netstat do this? Thank you in advance!


    For network monitoring, I personally prefer to use:

    • iftop for real-time monitoring. Simple and informative.
    • atop for logging and analysis; with the netatop module you can track network usage per process.
    • sysdig falco is a very useful security monitoring system. But if the system is compromised, you should not unconditionally trust the system utilities running on it: a rootkit may try to hide network activity, and the utilities themselves may have been patched. In that case it is better to monitor and analyze the traffic on the gateway or firewall it passes through.
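One way to do the attribution the question asks for (which process owns the socket talking to a given peer) without invoking the netstat or ss binaries is to read what they read: the socket table in /proc/net/udp and /proc/net/tcp, joined to /proc/<pid>/fd by socket inode. This is an added example, not code from the thread or from any of the tools named above; the /proc/net/udp row, the inode 31337 and the PIDs used in it are constructed, with the thread's flood target 198.55.114.237:80 as the peer.

```python
import os
import re
from collections import namedtuple

Sock = namedtuple("Sock", "proto local remote inode")

# Constructed sample in /proc/net/udp layout: 127.0.0.1:35451 connected to
# 198.55.114.237:80 (the thread's flood target), owned by socket inode 31337.
SAMPLE_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 0100007F:8A7B ED7237C6:0050 01 00000000:00000000 00:00000000 00000000     0        0 31337 2 0 0"""

def _decode_addr(hexaddr):
    """'ED7237C6:0050' (host-order IPv4 hex, hex port) -> '198.55.114.237:80'."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return f"{ip}:{int(port_hex, 16)}"

def parse_proc_net(text, proto):
    """Parse the text of /proc/net/udp or /proc/net/tcp into Sock records."""
    socks = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) >= 10:  # column 9 is the socket inode
            socks.append(Sock(proto, _decode_addr(f[1]), _decode_addr(f[2]), f[9]))
    return socks

def inode_to_pids(proc="/proc"):
    """Walk /proc/<pid>/fd; a link reading 'socket:[N]' ties inode N to that PID."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or not root: its fds are unreadable
            continue
        for m in filter(None, (re.fullmatch(r"socket:\[(\d+)\]", t) for t in links)):
            owners.setdefault(m.group(1), []).append(int(pid))
    return owners

def attribute(socks, owners, remote_port=None):
    """(Sock, [pids]) per socket, optionally only those whose peer uses remote_port."""
    return [(s, owners.get(s.inode, [])) for s in socks
            if remote_port is None or s.remote.endswith(f":{remote_port}")]

if __name__ == "__main__":  # live run on Linux; run as root to see every process
    owners = inode_to_pids()
    for proto in ("udp", "tcp"):
        with open(f"/proc/net/{proto}") as fh:
            for s, pids in attribute(parse_proc_net(fh.read(), proto), owners):
                exes = [os.path.realpath(f"/proc/{p}/exe") for p in pids]
                print(proto, s.local, "->", s.remote, pids, exes)
```

A UDP socket that sends with sendto() and never connect()s shows a peer of 0.0.0.0:0, so in that case list every UDP socket rather than filtering on the remote port. Reading /proc sidesteps a patched netstat binary but not a kernel-level rootkit that filters /proc itself, which is why the answer above recommends confirming on the gateway.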

      Thanks for the answer!

      As it turned out, the malware did not replace the main system utilities, which is why it could be detected. Suspicious connection to 198.55.114.237:12345. The process that initiated it is /tmp/hh, and in the same folder is /tmp/gates.lod, containing the process PID. A little googling then turned up an article describing this type of virus: how it works and how to remove it.