Web Hosting Talk

detecting a portscanner


magnafix
09-03-2002, 10:50 AM
We've got a customer who is running some sort of web-app and probing port 1080 on other networks. We know it's a web-app because the source IPs in reports from other providers have all pointed at webservers with no shell access.

I am looking for ways to detect this user and not coming up with anything so far. Any good ideas? Some way to use tcpdump or netstat perhaps?

magnafix
09-03-2002, 01:17 PM
Got it:

First,

netstat -pn | grep 1080


The program name is displayed in the last field of output.

Then,

ps -auxwww | grep [program name]

The username is the first field.

Then, delete the user account. Adios, Russian hacker.
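
The two steps in the post above, combined into one script; this is an added example, not part of the original thread. It counts connections only where the foreign port is exactly the probed port, since a bare grep for 1080 also matches local ports and PIDs. The function names `probers` and `owner` and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise outbound TCP connections to one remote port,
# per owning process, from `netstat -pn` output.

# Constructed sample of `netstat -pn` output (documentation addresses only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.0.2.10:45012        198.51.100.7:1080       SYN_SENT    2231/perl
tcp        0      1 192.0.2.10:45013        198.51.100.8:1080       SYN_SENT    2231/perl
tcp        0      1 192.0.2.10:45014        203.0.113.9:1080        SYN_SENT    2231/perl
tcp        0      0 192.0.2.10:1080         203.0.113.50:51000      ESTABLISHED 1080/httpd
tcp        0      0 192.0.2.10:80           203.0.113.77:10800      ESTABLISHED 914/httpd
tcp        0      0 192.0.2.10:22           203.0.113.5:40222       ESTABLISHED -
EOF
}

# probers PORT: read `netstat -pn` output on stdin and print
# "count pid program" for every process holding TCP connections whose
# *foreign* port is exactly PORT, busiest process first.
probers() {
    awk -v port="$1" '
        # $5 = foreign address, $7 = PID/Program name ("-" when not visible)
        $1 ~ /^tcp/ && $5 ~ (":" port "$") && $7 ~ /^[0-9]+\// {
            split($7, p, "/")
            n[p[1] " " p[2]]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# owner PID: account that owns the process (the first field of `ps aux`).
owner() { ps -o user= -p "$1" | tr -d ' '; }

# Live use, as root so -p shows other users' processes:
#   netstat -pn | probers 1080      then      owner <pid>
sample_netstat | probers 1080   # demo on the constructed sample
```

On a busy web server the scanner stands out by its connection count, mostly in SYN_SENT, so sampling the live command a few times before acting on a single hit reduces the chance of picking the wrong account.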

OllieVH
09-04-2002, 01:14 AM
Set up ipchains to null route any outbound port 1080 traffic. I'm too tired to write the exact code but it would not be hard to do, and then just drop the command into your rc.local file to run. When the guy gives up just take it out.