Finding outbound connections from Apache/PHP

You can modify suhosin to do simulation mode that actually simulates, then, blacklist the commands used to open external connections. I posted the code fix the other day, but, the thread was deleted.

Line 1588 of suhosin-0.9.27/execute.c, comment out goto execute_internal_bailout;

if(SUHOSIN_G(func_blacklist) != NULL) {
    if(zend_hash_exists(SUHOSIN_G(func_blacklist), lcname, function _name_strlen+1)) {
        suhosin_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
        // goto execute_internal_bailout;
    }
}

(the wiki mangled that code, not going to take the time to try and figure that out)

Simulation mode is the default:

suhosin.simulation = on
suhosin.executor.func.blacklist = include,include_once,require_once,open,file_get_contents

add any additional commands that you want to have logged. You'll get a log entry like:

Jun 24 06:32:07 machinexx suhosin[1086]: ALERT-SIMULATION - function within blacklist called: exec() (attacker '11.22.71.67', file '/var/www/domain.com/tp/top_thumb.php', line 283)

From there, at least you have a set of target files to take a look at. I do not recommend using suhosin in this manner, but, when you're looking for a needle in a haystack, sometimes you need to make the tools work the way they should.

Unless your applications/websites in PHP had a logging system, you cannot see who did what.

Apache or PHP do not keep an outbound connection log.

yeap php and apache do not log any outbound connections.. Anyway to run php script you need to have a request from user. You can always see who launched the script. To monitor outbound connections you can setup firewall and log everything what is being outbounded and then configure log system to catch outogoing connection from every package you want.