Re: Bizarre connections from and to a FC7 unattended

On Mon, 23 Jul 2007 14:53:35 -0300
Thomas TS <ttsoares@xxxxxxxxxxxxxxx> wrote:

> This is a fully updated FC7.
> The system is running with no user logged in.
> Just some default daemons and services:
> 
> # netstat -apn | grep LIST | grep tcp
> 
> tcp        0      0 127.0.0.1:8000          0.0.0.0:*          LISTEN      2580/nasd
> tcp        0      0 192.168.122.1:53        0.0.0.0:*          LISTEN      2834/dnsmasq
> tcp        0      0 0.0.0.0:821             0.0.0.0:*          LISTEN      2335/rpc.statd
> tcp        0      0 127.0.0.1:631           0.0.0.0:*          LISTEN      2525/cupsd
> tcp        0      0 127.0.0.1:25            0.0.0.0:*          LISTEN      2559/sendmail: acce
> tcp        0      0 :::111                  :::*               LISTEN      2301/rpcbind
> tcp        0      0 :::22                   :::*               LISTEN      2539/sshd
> 
> 
> This box is behind a NAT and from the gateway one can look at the
> connections to/from the FC7 system.
> 
> After some time monitoring with iptraf, several - for me - strange
> connections appear...
> 
> ┌ TCP Connections (Source Host:Port) ─── Packets ─── Bytes ─── Flags ─── Iface ─┐
> │┌192.168.1.254:42977      =    695    45740    --A-      eth2  │
> │└192.168.1.129:22         =    575    96948    -PA-      eth2  │
> │┌193.28.235.40:80         =      0        0    ----      eth2  │
> │└192.168.1.129:45869      =      4      240    S---      eth2  │
> │┌192.168.1.129:44799      =      8      565    --A-      eth2  │
> │└131.252.208.96:80        =      7     2730    CLOSED    eth2  │
> │┌193.140.100.100:21       =      0        0    ----      eth2  │
> │└192.168.1.129:55991      =      1       46    RESET     eth2  │
> │┌192.168.1.129:56462      =      0        0    ----      eth2  │
> │└64.90.181.77:55979       >      1       52    --A-      eth2  │
> │┌192.168.1.129:22         =     49     6668    CLOSED    eth2  │
> │└192.168.1.254:36544      =     64     7008    CLOSED    eth2  │
> │┌192.168.1.129:44507      =      9      641    --A-      eth2  │
> │└209.132.176.120:80       =      9     4689    CLOSED    eth2  │
> 
> Some are obviously acceptable, as 209.132.176.120 is
> admin.fedora.redhat.com, but a lot of them are to places very strange !!!
> 
> I am already blocking all to/from
> 
> 198.82.161.0/24
> 193.28.235.0/24
> 147.102.222.0/24
> 131.252.208.0/24
> 
> because I could not figure out why and which program was doing a lot of
> uploads from my system to hosts at IPs in those class B and C nets...
> 
> Am I too paranoid?
> 

It is possible, depending on how you are logging the TCP packets,
that you are seeing failed attempts rather than actual connections.

I am not an expert (or even very knowledgeable), but I would be
concerned, or at least investigate.

Run "/sbin/ausearch -i -ts yesterday | grep -i fail | less"

I suspect you will see lots of hits on ssh.  Perhaps someone succeeded.

"/sbin/ausearch -i -ts yesterday | grep -i ssh | grep -i success"

I think Fedora locks down the sendmail server by default, but you could
check it as well.  Spammers are always looking for open relays, and
it is another exposure to the web for crackers to exploit.

You can get more info on ausearch with man ausearch.

Remove any chkrootkit in case it is compromised and install again.

yum remove chkrootkit*
yum install chkrootkit*

Then run it with the fresh copy to see if it finds any infestations.
Not perfect, but should catch crackers that aren't skilled.




-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
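Added example, not from anyone in this thread: a small Python script that turns iptraf connection pairs like the ones quoted above into "who initiated, which service port, how far it got", so unanswered outbound SYNs and stray inbound packets can be told apart from real sessions before any nets get blocked. It assumes the FC7 box is 192.168.1.129 (the address that owns port 22 in the dump), and the sample data is re-typed from the post.

```python
import re
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "host port packets bytes flags")

# Constructed sample: the seven pairs from the post, one endpoint per line.
SAMPLE = """\
192.168.1.254:42977 = 695 45740 --A- eth2
192.168.1.129:22 = 575 96948 -PA- eth2
193.28.235.40:80 = 0 0 ---- eth2
192.168.1.129:45869 = 4 240 S--- eth2
192.168.1.129:44799 = 8 565 --A- eth2
131.252.208.96:80 = 7 2730 CLOSED eth2
193.140.100.100:21 = 0 0 ---- eth2
192.168.1.129:55991 = 1 46 RESET eth2
192.168.1.129:56462 = 0 0 ---- eth2
64.90.181.77:55979 > 1 52 --A- eth2
192.168.1.129:22 = 49 6668 CLOSED eth2
192.168.1.254:36544 = 64 7008 CLOSED eth2
192.168.1.129:44507 = 9 641 --A- eth2
209.132.176.120:80 = 9 4689 CLOSED eth2
"""
# Leading box-drawing characters or "> " mail quoting are skipped by \W*.
LINE_RE = re.compile(r"^\W*([\d.]+):(\d+)\s+[=>]\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_iptraf(text):
    """Pair up consecutive endpoint lines into (endpoint, peer) tuples."""
    eps = [Endpoint(m[1], int(m[2]), int(m[3]), int(m[4]), m[5])
           for m in map(LINE_RE.match, text.splitlines()) if m]
    return list(zip(eps[0::2], eps[1::2]))

def classify(pair, local_host):
    """Return (initiator, service_port, state, remote_host) for one pair."""
    a, b = pair
    local, remote = (a, b) if a.host == local_host else (b, a)
    # A side that sent nothing cannot have initiated; otherwise the
    # ephemeral-port side (>= 1024) is the client and the low port the service.
    if local.packets == 0 or remote.port >= 1024 > local.port:
        initiator = "remote"
    elif remote.packets == 0 or local.port >= 1024 > remote.port:
        initiator = "local"
    else:
        initiator = "unknown"
    flags = {a.flags, b.flags}
    state = ("reset" if "RESET" in flags else "completed" if "CLOSED" in flags
             else "unanswered" if 0 in (local.packets, remote.packets)
             else "established")
    service = remote.port if initiator == "local" else local.port
    return initiator, service, state, remote.host
```

Run it with `[classify(p, "192.168.1.129") for p in parse_iptraf(SAMPLE)]`: the two SSH pairs from the gateway and the three HTTP fetches show up as real sessions, while the port 80 and 21 pairs with zero remote packets and the lone ACK from 64.90.181.77 never became connections at all.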