
== Track outgoing connections ==

Sometimes a compromise results in code periodically checking in with a control center. Often an abuse reporting site will let us know it's happening and will tell us the IP address of the control center.

It can still be very difficult to figure out which site and which user is compromised.

To help catch this behavior:

* Edit /etc/default/mf-ip-track-outgoing-connections and add the IP address we are looking for.
* Start the service: `systemctl start mf-ip-track-outgoing-connections`
* Check journalctl for hits (`journalctl -u mf-ip-track-outgoing-connections -f` follows the log and prints new hits as they arrive).

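The page does not describe what a "hit" looks like, so here is an added example (not the mf-ip-track-outgoing-connections tool's own code) of turning hits into an answer to the "which user?" question. It assumes the hits are produced by a netfilter LOG rule created with `--log-uid` (for example `iptables -I OUTPUT -d 203.0.113.7 -j LOG --log-prefix "MF-TRACK " --log-uid`), so each journal line carries `DST=` and `UID=` fields; the sample log lines, the IP addresses and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the mf-ip-track-outgoing-connections tool itself.
# Assumption (not stated on the page): hits come from a netfilter LOG rule
# created with --log-uid, e.g.
#   iptables -I OUTPUT -d 203.0.113.7 -j LOG --log-prefix "MF-TRACK " --log-uid
# so every journal line carries DST= and UID= fields. The functions below turn
# a stream of such lines into a per-user hit count for one control-center IP.
set -eu

# Constructed sample journal lines (made up for this example; 203.0.113.7 is
# the suspected control center, the other destinations are unrelated traffic).
SAMPLE_LOG='Mar 01 10:00:01 host kernel: MF-TRACK IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=443 UID=1001 GID=1001
Mar 01 10:00:02 host kernel: MF-TRACK IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51235 DPT=80 UID=1002 GID=1002
Mar 01 10:05:01 host kernel: MF-TRACK IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51240 DPT=443 UID=1001 GID=1001
Mar 01 10:07:00 host kernel: MF-TRACK IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.70 LEN=60 PROTO=TCP SPT=51242 DPT=443 UID=1004 GID=1004
Mar 01 10:10:01 host kernel: MF-TRACK IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51241 DPT=443 UID=1003 GID=1003'

# hits_per_uid <c2-ip>: read log lines on stdin, print "UID COUNT", busiest first.
# The trailing space after the IP keeps 203.0.113.7 from matching 203.0.113.70.
# Lines without a UID= field (packets not tied to a local socket) are dropped.
hits_per_uid() {
  grep -F "DST=$1 " \
    | sed -n 's/.* UID=\([0-9][0-9]*\) .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $2, $1}'
}

# top_uid <c2-ip>: the single UID with the most hits in SAMPLE_LOG (empty if none).
top_uid() {
  printf '%s\n' "$SAMPLE_LOG" | hits_per_uid "$1" | head -n 1 | cut -d' ' -f1
}

# uid_to_name <uid>: resolve through the passwd database; fall back to the
# numeric id so the report still works for a deleted or chrooted account.
uid_to_name() {
  name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1) || true
  printf '%s\n' "${name:-uid=$1}"
}

# report <c2-ip>: human-readable summary of who talked to the control center.
report() {
  printf '%s\n' "$SAMPLE_LOG" | hits_per_uid "$1" | while read -r uid count; do
    printf '%s (uid %s): %s connection(s) to %s\n' "$(uid_to_name "$uid")" "$uid" "$count" "$1"
  done
}

# Against a live system, feed the journal instead of SAMPLE_LOG (assuming the
# same field layout):
#   journalctl -u mf-ip-track-outgoing-connections --no-pager -o cat | hits_per_uid 203.0.113.7
report 203.0.113.7
```

The count per UID is what you want rather than the raw hit list: a beacon checks in on a schedule, so the compromised account shows up as the one with steady, repeated connections, while a one-off hit from another user may just be a visitor link or a crawler. Note the trailing space in the `grep` pattern; without it the suspected address would also match longer addresses that merely start with the same digits.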