Howto? Established connections [SRC - DST]

jmginer

Hello, I want detect what is the VPS that is receiving all of this connections.

With:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I see the source IPs, but also I want see the destination.

Can I show 2 colums? source - destination

Or some other thing to detect what is the afected VPS?

Thanks.

Nyr

Yeah. Use awk '{print $4 $5}' to read both columns and then you can sort them in groups if you want (so you count same source+destination).

If you want to count them separately and then show the tops, read two variables using a separator. A space would do for what you want, I suppose.
IFS='separator' read destination source < <(echo "$extractedcolumns")

Then you can use $destinationand $source as you wish.

The upstream can get you a nice log of flows for sure, too.

Sorry for the fast explanation, but I really need to catch some sleep now :P

black

Try

netstat -ntu | tr -s " " | cut -d " " -f4,5 | sed "s/\:.* / /; s/\:.*$//" | grep -E "^[0-9]" 

then do all your sort uniq stuff.

BluBoy

How specific to do you need the output?

netstat -ntu | awk '{print $4" -> "$5}'

jmginer

Thanks all, with netstat the problem is not found

netstat -ntu | tr -s " " | cut -d " " -f4,5 | sed "s/\:.* / /; s/\:.*$//" | grep -E "^[0-9]" | sort | uniq -c | sort -n

I found with the conntrack-tools and found the hacker. Very interesting this tool

You can download here or directly running this:

cd ~; yum install unzip -y; wget https://ginernet.com/downloads/conntrack-tools.zip; unzip conntrack-tools.zip; cd conntrack-tools; rpm -Uhv *;

Then run "conntrack -L" to found the hacker...

and solve running:

conntrack -D -p tcp --dst "hacked-IP"