Re: How to identify local source of connection (program and user)

On Sun, 2008-11-30 at 06:06 -0800, akuda wrote:
> Hi,

> Recently I found some unidentified outgoing connections (UOC, instead of
> UFO) from one of my linux machines (gentoo, firewall by vuurmuur.org via
> iptables). Those UOC occur soon after boot time, even though I closed all
> services. These are DNS calls.

	DNS queries are extremely common (almost unavoidable).  Most likely,
they are reverse lookups looking for a name associated with your
interface address.  There are any one of a number of applications which
may do a "gethostbyname" or "gethostbyaddress" which will trigger DNS
queries.  If you've got a graphical display (X, xdm, gdm) starting up I
can almost guarantee that you'll see DNS queries.  If you are getting
your IP address via dhcp, you're likely to see associated DNS queries in
response to any one of a number of DHCP options.  If you've got logging
enabled, you're likely to see DNS queries.

>    So I asked my friends, full-time admins, how to check which program
> requests access to the internet, and what user started this program. If, for
> example, the RIAA would come to some University telling them that from their IP
> someone is downloading "Lilo & Stitch" illegally, the admin should be able
> to tell who turned on bittorrent :) . And what struck me was the fact that
> they actually didn't know! They asked me to hunt for those UOC, and then
> type netstat with some options, to get the path to the binary, and locate it in
> someone's home directory (the bittorrent client won't probably be installed
> as a general bin for all users :) ).

	Someone else suggested lsof.  You say these are connections but then
say they are DNS which really probably means UDP (which is
connectionless) and you're probably not going to see them up for very
long, like long enough to catch them manually.  Things like bittorrent
are relatively easy to track down because they involve long persistent
TCP connections.  DNS queries are almost ubiquitous on a system, though.
I don't see how you would run a system and totally avoid DNS queries or
why you would want to even try.

>    Any other idea how to do it? Can I force linux to log who and how is
> requesting an outgoing connection?

	You could play with some of the iptables facilities.  You could also
set up your own nameserver and force DNS queries through localhost and
log them using "bind" to see what the queries are.  You could also fire
up tcpdump and capture what the queries are.  You could also play with
the audit subsystem and trap on DNS requests.  I'm not sure any of it's
worth the effort for mere DNS queries.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
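Added example (not from Mike's reply or the original post): what "netstat with some options" and lsof do under the hood on Linux, reading /proc/net/udp for sockets talking to port 53 and mapping each socket's inode to a pid and executable through /proc/[pid]/fd, with the uid taken straight from the table. The sample table is constructed; as Mike notes, a DNS socket lives only as long as the query, so in practice you would poll this in a loop.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/udp (one socket talking to 127.0.0.1:53
# as uid 1000, one unrelated listener); real data comes from /proc/net/udp.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:8A3C 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 123456 2 0000000000000000 0
   1: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9876 2 0000000000000000 0
"""

def _addr(field):
    # /proc/net/udp prints IPv4 as 8 hex digits of the in-memory (little-endian) word
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_udp_table(text, remote_port=53):
    """Return the UDP sockets whose remote port matches (53 = DNS by default)."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _addr(f[1])
        rip, rport = _addr(f[2])
        if rport == remote_port:
            rows.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                         "uid": int(f[7]), "inode": int(f[9])})
    return rows

def pid_for_inode(inode):
    """Find the process holding this socket inode (needs root to see other users' fds)."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target
                   for fd in os.listdir(f"/proc/{pid}/fd")):
                return int(pid), os.readlink(f"/proc/{pid}/exe")
        except OSError:                          # process gone, or not ours without root
            continue
    return None

if __name__ == "__main__":
    # Poll this in a loop: a DNS socket exists only for the duration of the query.
    with open("/proc/net/udp") as fh:
        for s in parse_udp_table(fh.read()):
            print(s["local"], "->", s["remote"], "uid", s["uid"],
                  pid_for_inode(s["inode"]) or "(owner not visible)")
```

The same layout applies to /proc/net/tcp, which is where the long-lived bittorrent connections Mike mentions would show up.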
