RE: Problem with outgoing packets to port 7. (Security problem?)


 



Steve,

1) You can use netstat/lsof to track down the application sending these
packets.

2) I'm not seeing any such packets in my firewall logs.

3) To analyze these packets, use either tcpdump or Ethereal or both.
This is what I would do:

   1) tcpdump -s 1500 -i eth0 -w file.log dst port 7

      (This will log 1500 bytes of each packet on eth0 to file.log. Why
1500 bytes? That's the size of an Ethernet MAC frame.)

   2) Using Ethereal, open the file.log from Step 1), so you have a nice
graphical, point and click interface to analyze your packets.

If you suspect a system compromise download chkrootkit from
chkrootkit.org, and run it on your system.

Note that if you have been compromised, using netstat/lsof/tcpdump may
reveal nothing if the attacker has replaced the Red Hat versions of these
tools with their own modified versions (i.e. to perform process hiding,
etc.).


HTH

- dan.
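Added here as a worked example from a defender's side (not code from either mail): a small parser for the netfilter LOG line format Steve quotes, run over constructed sample syslog lines, that picks out the outbound TCP SYNs to port 7 and tallies them by destination and by second, so the "groups of 6" pattern and the target hosts can be read straight off the syslog before reaching for tcpdump. Field names follow the quoted log line; every sample line except the first is constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the netfilter LOG format quoted in the thread.
# The first line is Steve's; the others are made up to show a burst and an inbound drop.
SAMPLE_LOG = """\
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.90 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17665 DF PROTO=TCP SPT=43932 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:37 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=209.204.62.150 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17666 DF PROTO=TCP SPT=43933 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:37 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17667 DF PROTO=TCP SPT=43934 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:59:02 saturn kernel: DROP:IN=eth0 OUT= SRC=10.0.0.5 DST=209.6.241.147 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=1234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 19:00:00 saturn sshd[123]: Accepted publickey for steve from 10.0.0.5
"""

# syslog timestamp, host, "kernel:", the --log-prefix, then the KEY=VALUE fields from IN= on
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?)(?P<rest>IN=.*)$")


def parse_netfilter_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").rstrip(": "), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)   # IN= with no value yields "" (packet was locally generated)
            rec[k] = v
        else:
            rec["flags"].add(tok)      # bare tokens such as DF, SYN, ACK
    return rec


def outbound_syns_to_port(log_text, port):
    """Select locally originated (OUT set, IN empty) TCP SYNs whose destination port is `port`."""
    out = []
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if (rec and rec.get("OUT") and not rec.get("IN") and rec.get("PROTO") == "TCP"
                and rec.get("DPT") == str(port) and "SYN" in rec["flags"]):
            out.append(rec)
    return out


def count_by_destination(records):
    """Which remote hosts the box keeps trying to reach (the addresses Steve lists)."""
    return Counter(r["DST"] for r in records)


def bursts_by_second(records):
    """How many attempts share a timestamp, i.e. the 'groups of N' pattern in the mail."""
    return Counter(r["ts"] for r in records)
```

The source ports (SPT) in the selected records are what you would then match against `netstat -anp` or `lsof -i` output to name the sending process, as Dan suggests.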



-----Original Message-----
From: steveo@syslang.net [mailto:steveo@syslang.net]
Sent: Monday, 21 October 2002 11:20 AM
To: Psyche List
Subject: Problem with outgoing packets to port 7. (Security problem?)


I am getting syslog messages that look like this:

Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0

I am only getting these messages because I have outbound packets with
destination port 7 blocked. I think I may have been compromised in some
way, just because the packets are outbound. They seem to come in groups
of 6 at seemingly random intervals and seem to be focused on the following
addresses:
	216.52.13.9[014] and 209.204.62.150

I have a number of questions about how to deal with this issue:

1. How can I find out what program is running to produce this?
2. Is anyone else getting messages like this in their syslog? (You would
   need your firewall to block appropriately to see this.)
3. Is there any way that I can get access to those packets and see what
   the message is that they are trying to send?

Nothing really bad has happened yet, but I'm getting nervous.

Thanks everyone.

-- 
-Time flies like the wind. Fruit flies like a banana. Stranger things have -
-happened but none stranger than this. Does your driver's license say Organ
-Donor? Black holes are where God divided by zero. Listen to me! We are all-
-individuals! What if this weren't a hypothetical question?
steveo@syslang.net



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list


