In case of a compromise, there are usually two ideas:
- Take the machine off the net NOW, as it may inflict more damage. Check how the bad guy came in and rebuild the machine from scratch without that specific loophole. Only restore from backups what has been verified as "okay"; don't be tempted to restore "the latest backup" and "remove some suspicious scripts". You don't know when the intruder entered your box, and with some bad luck, restoring from backup may otherwise also reinstall the intruder's rootkit or other malware.
- Create forensically useful information and take the machine offline afterwards.
Forensic information is more along these lines:
- https://github.com/504ensicsLabs/LiME to snapshot your RAM to disk (or network)
- `tcpdump -s 0 -w dumpfile.pcap` to capture network traffic and later analyse it on a different/dedicated host, e.g. using wireshark or similar software.
Anyway:
- Be aware that the attacker is not limited to TCP. They may also use UDP or just any IP-based protocol.
- If the intruder gained root access, they may have altered the logging mechanisms. You can't really trust the machine's logs anymore; the logs may have been filtered.
If you'd still like to perform some iptables logging:
    iptables -I OUTPUT -p tcp -j LOG --log-prefix "LOCALHOST SOURCED IT" --log-level 7
should do the trick.
'-I OUTPUT' instead of '-A OUTPUT'
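Once that LOG rule is in place, the entries end up in the kernel log, and you will want to pull the packet fields out of them on the analysis host. The parser below is an added example, not code from the answer above; the log lines are constructed samples, and it tolerates the fact that the kernel prints the prefix directly before `IN=` (so a prefix without a trailing space runs into the first field).

```python
import re

# Prefix configured in the iptables LOG rule from the answer above.
LOG_PREFIX = "LOCALHOST SOURCED IT"

# Constructed sample kernel/syslog lines for this example; not real captures.
# Note "SOURCED ITIN=": the prefix has no trailing space, so it touches IN=.
SAMPLE_LOG = """\
Mar  3 12:00:01 web1 kernel: [ 812.112233] LOCALHOST SOURCED ITIN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=45122 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:00:02 web1 kernel: [ 813.000001] LOCALHOST SOURCED ITIN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=45123 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0
Mar  3 12:00:03 web1 kernel: [ 814.000001] LOCALHOST SOURCED ITIN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=45124 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:00:04 web1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# key=value tokens as printed by the netfilter LOG target (value may be empty, e.g. "IN=")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the key=value fields of one iptables LOG line, or None if the
    line does not carry our prefix. Bare tokens such as DF / SYN / ACK are
    collected under 'FLAGS'."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    rest = line[idx + len(prefix):]
    fields = dict(FIELD_RE.findall(rest))
    fields["FLAGS"] = [tok for tok in rest.split() if "=" not in tok]
    return fields


def summarize_outbound(text, prefix=LOG_PREFIX):
    """Count logged packets per (DST, PROTO, DPT) so repeated connections to
    the same remote endpoint stand out during triage."""
    counts = {}
    for line in text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        key = (fields.get("DST"), fields.get("PROTO"), fields.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (dst, proto, dport), n in sorted(summarize_outbound(SAMPLE_LOG).items()):
        print(f"{n:4d}  {proto} {dst}:{dport}")
```

Remember that the rule above only matches `-p tcp`, so UDP or other IP protocols never appear in these logs, and that the logs come from a box whose logging you may no longer trust.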