Sniff connections (call home) from server?

envision

Jun 5, 2008
I have some software installed on my LAMP-based host that I'm worried about that it might "phone home". Is there a way to intercept connections my server initiates to the outside?

I'm not concerned about normal server traffic, where my server simply responds to incoming requests, only those connections my server initiates itself.

Particularly interested if there's anything you can do on a shared hosts, but also on VPS/dedicated.
 


if you're running your own machine, why not just block outbound connections, maybe with a whitelist for certain hosts?
 
redirect connections to the said hosts/domains in your host file to the localhost
 
OK, so both of your ideas work on a private server only, correct? Any ideas for shared hosting (no access to host file)? Can something like this be done with .htaccess maybe?

Also both solutions help blocking, but e.g. if I want to change the hostfile, I first need to know what "said hosts/domains" are. What can you do to find out whether or not an app calls home and to what host?
 
if you don't know if it phones home, and are trying to find out, blocking hosts/domains will do you no good (e.g. if you're trying to stop ABC.com app from phoning home, and block ABC.com, that still won't stop them from using phonehome.ABC.com or ABCPhoneHome.com)

.htaccess has no effect on this, except maybe to set PHP INI options to disable file_get_contents, curl, etc, but by doing so you stand a good chance of breaking functionality of the program (depending on what the program is, what it does, etc)

your only real option here is to install it on its own private server, set up Wireshark to dump all incoming and outgoing connections (preferably to a SQL database), use it normally for a few weeks (or longer) and manually crawl through your traffic logs by hand looking for suspicious activity. or read the source from cover to cover and pray they didn't obfuscate the nefarious bits.

in other words, it might be possible to do this, but unless you're willing to invest some serious time and effort into figuring out how, you won't ever know for sure.
 
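Added example (not from anyone in this thread): the two suggestions above, an outbound allowlist on your own box and a capture you read through afterwards, both come down to the same list of destinations. The script below takes a constructed tcpdump-style log of TCP SYN packets, keeps only the SYNs the server itself sent (a SYN-ACK from the server is just it answering an inbound client, the "normal traffic" the OP wants to ignore), counts the destinations that are not on your allowlist, and turns the allowlist into iptables OUTPUT rules. The log lines, the server address 192.0.2.10 and the allowlist are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -tttt 'tcp[tcpflags] & tcp-syn != 0'`
# output (made up for this example; 192.0.2.10 plays the web server, the
# other addresses are RFC 5737 documentation ranges). Capturing only SYNs
# keeps the log small enough to read by hand after a few weeks.
SAMPLE_TCPDUMP = """\
2008-06-05 12:00:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
2008-06-05 12:00:01.000123 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
2008-06-05 12:00:02.000001 IP 192.0.2.10.40001 > 192.0.2.53.53: Flags [S], seq 3, win 64240, length 0
2008-06-05 12:00:03.000001 IP 192.0.2.10.40002 > 203.0.113.9.443: Flags [S], seq 4, win 64240, length 0
2008-06-05 12:00:03.000500 IP 203.0.113.9.443 > 192.0.2.10.40002: Flags [S.], seq 5, ack 5, win 65535, length 0
2008-06-05 12:00:04.000001 IP 192.0.2.10.40003 > 203.0.113.9.443: Flags [S], seq 6, win 64240, length 0
2008-06-05 12:00:05.000001 IP 192.0.2.10.40004 > 198.51.100.200.80: Flags [S], seq 7, win 64240, length 0
"""

SYN_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def initiated_connections(dump_text, server_ip):
    """Return (dst_ip, dst_port, timestamp) for every TCP connection the
    server opened itself: a bare SYN (flag 'S' without the '.' that marks
    ACK) whose source is the server. SYN-ACKs the server sends back to
    inbound clients are replies, not connections it initiated."""
    opened = []
    for line in dump_text.splitlines():
        m = SYN_LINE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        if m.group("src") == server_ip and "S" in flags and "." not in flags:
            opened.append((m.group("dst"), int(m.group("dport")), m.group("ts")))
    return opened


def unexpected_egress(dump_text, server_ip, allowlist):
    """Count server-initiated connections to (ip, port) pairs you did not
    expect. Anything left here is what you go and look at by hand."""
    counts = Counter()
    for dst, port, _ in initiated_connections(dump_text, server_ip):
        if (dst, port) not in allowlist:
            counts[(dst, port)] += 1
    return counts


def iptables_rules(allowlist):
    """The same allowlist as an OUTPUT chain for your own VPS/dedicated box.
    Replies to inbound requests pass via ESTABLISHED,RELATED, so normal web
    serving keeps working; everything else the server tries to open is
    logged and dropped. TCP only here; add a udp rule for DNS if you need it.
    The DROP policy goes last so a remote session is not cut off halfway."""
    rules = [
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for ip, port in sorted(allowlist):
        rules.append(f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j ACCEPT")
    rules.append('iptables -A OUTPUT -j LOG --log-prefix "egress-drop: "')
    rules.append("iptables -P OUTPUT DROP")
    return rules


if __name__ == "__main__":
    allow = {("192.0.2.53", 53)}  # assumed: the host's own resolver
    for (ip, port), n in unexpected_egress(SAMPLE_TCPDUMP, "192.0.2.10", allow).items():
        print(f"{ip}:{port}  opened {n} time(s)")
    print("\n".join(iptables_rules(allow)))
```

The SYN log only gives you IP addresses; log the server's DNS queries alongside it (the same capture, filtered on port 53) if you want the hostnames those IPs came from. On shared hosting you cannot run tcpdump or iptables at all, which is why the thread keeps coming back to "put it on a box you control".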

So basically, by the time you've put in all the effort of learning what Uplinked just described, you could just as easily have purchased the software you're trying to rip and saved your time/money :)
 
It's more about preventing it from stealing campaign data. Yeah, maybe I'm just paranoid.

Thanks for the suggestions though. I'll install it on my desktop, run with some dummy data for a while and see what happens.
 
If there's specific data you're looking for, you might find a shortcut --
Name your campaign PenisDesignerFlyfishingGear or GoldfishCanonballHardon and search for that in your wireshark logs. What may have otherwise taken weeks to find might present itself a lot quicker.

Unless they've encoded the data before sending it over the wire, in which case, good luck bro, you've just gotta hand-check every unrecognized domain and IP address your server is communicating with.
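Added example (my own, not from the poster above) of the canary trick with the "encoded before sending" case handled as far as a byte search can: rather than grepping for the campaign name only in the clear, the script generates the forms a string takes after common re-encodings (hex, UTF-16, and base64 at all three byte alignments, since base64 of the same string looks different depending on where it falls in the surrounding data) and checks each destination's payload for any of them. The canary `ZebraTeacupCampaign2008`, the destinations and the payload bytes are constructed for the example; in practice the payloads come from your Wireshark/tcpdump capture.

```python
import base64

# Constructed canary. Keep it alphanumeric: URL-encoding and most escaping
# then leave it byte-for-byte intact, so only real re-encoding (base64, hex,
# UTF-16) changes how it looks on the wire.
CANARY = b"ZebraTeacupCampaign2008"


def canary_variants(canary):
    """Return {encoding_name: byte_pattern} for the forms the canary may take."""
    variants = {
        "plain": canary,
        "hex_lower": canary.hex().encode(),
        "hex_upper": canary.hex().upper().encode(),
        "utf16le": canary.decode("ascii").encode("utf-16-le"),
    }
    # base64 encodes 3 bytes as 4 chars, so the output for the canary depends
    # on its offset mod 3 inside the surrounding data. Encode it behind 0, 1
    # and 2 dummy bytes and keep only the characters that depend on canary
    # bytes alone: drop the leading chars that mix in dummy bits, the '='
    # padding, and the final char if it would also mix in whatever follows.
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + canary).decode().rstrip("=")
        enc = enc[(4 * k + 2) // 3:]
        if (k + len(canary)) % 3:
            enc = enc[:-1]
        variants[f"base64_align{k}"] = enc.encode()
    return variants


def find_canary(flows, canary):
    """flows: iterable of (destination, payload_bytes) from the capture.
    Returns {destination: {encoding names that matched}}."""
    patterns = canary_variants(canary)
    hits = {}
    for dst, payload in flows:
        for name, pattern in patterns.items():
            if pattern in payload:
                hits.setdefault(dst, set()).add(name)
    return hits


# Constructed payloads standing in for reassembled TCP streams. The JSON in
# the POST puts the canary at byte offset 13 (13 mod 3 == 1), so only the
# alignment-1 base64 form can match it.
SAMPLE_FLOWS = [
    ("198.51.100.7", b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("198.51.100.200", b"GET /track.php?name=" + CANARY + b"&v=1 HTTP/1.1\r\n\r\n"),
    ("203.0.113.9", b"POST /c HTTP/1.1\r\n\r\ndata="
        + base64.b64encode(b'{"campaign":"' + CANARY + b'","clicks":42}')),
    ("203.0.113.9", b"id=" + CANARY.hex().encode()),
]

if __name__ == "__main__":
    for dst, encodings in find_canary(SAMPLE_FLOWS, CANARY).items():
        print(dst, sorted(encodings))
```

This only helps while the data is still recognisable bytes. Once it is compressed, encrypted, or sent inside TLS you are back to what the poster says: every unknown destination gets checked by hand, which is where the server-initiated connection list comes in.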