RE: how to trace what is accessing the nic ?

From: Burton Strauss (BStrauss3_at_comcast.net)
Date: 04/23/05

  • Next message: Lars Bay: "Re: toolkits"
    To: "'Bonmariage, Serge'" <serge.bonmariage@GETRONICS.com>, <security-basics@securityfocus.com>
    Date: Sat, 23 Apr 2005 09:20:30 -0500
    
    

    netstat -a

    That will show you (unless you've been rootkitted) which process has what
    port open.

    Also, you might want to dump the packet details - that might have
    interesting data.

    -----Burton

    -----Original Message-----
    From: Bonmariage, Serge [mailto:serge.bonmariage@GETRONICS.com]
    Sent: Friday, April 22, 2005 8:45 AM
    To: security-basics@securityfocus.com
    Subject: how to trace what is accessing the nic ?

    Hi everyone,

    Something very strange is happening on one of our Linux SMTP gateways.
    We've recently discovered that it is sending some strange TCP packets,
    always to the same private address.

    [root@server1 root]# tcpdump -i eth0
    tcpdump: listening on eth0
    14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
    312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
    0,nop,wscale 0> (DF)
    14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S
    312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
    0,nop,wscale 0> (DF)
    14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
    312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
    0,nop,wscale 0> (DF)

    However, we don't detect any other abnormal activity.

    The question is quite basic, but is there a way to trace which process is
    trying to send these packets?

    Thanks,

    Serge Bonmariage
    Getronics Belgium NV
    www.getronics.com
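As an added example (not code from the thread), a small Python script that does what Burton describes, mapping the connection to its process, without relying on the netstat binary: it reads /proc/net/tcp directly, decodes the kernel's hex endpoints, keeps the sockets whose peer is the 192.168.234.236:5860 seen in the tcpdump (a half-open SYN appears there in SYN_SENT state), and resolves the socket inode to a PID and command name through /proc/<pid>/fd. The local address 10.0.0.5 and inode 9002 in the embedded sample are constructed; a process sending through raw sockets never appears in this table (check /proc/net/raw as well), and a kernel-level rootkit can hide entries from /proc just as it can from netstat, so an empty result is inconclusive.

```python
import os, socket, struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}  # kernel state codes (hex)

# Constructed /proc/net/tcp sample: one SYN_SENT socket matching the tcpdump in the
# thread (local port 59806 -> 192.168.234.236:5860); 10.0.0.5 and inode 9002 are made up.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:E99E ECEAA8C0:16E4 02 00000001:00000000 01:00000000 00000002     0        0 9002 1 0000000000000000 100 0 0 10 -1
"""

def decode_endpoint(field):
    """'ECEAA8C0:16E4' -> ('192.168.234.236', 5860); the IP is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp contents into connection dicts (header line skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_endpoint(f[1])
        rip, rport = decode_endpoint(f[2])
        conns.append({"local": lip, "lport": lport, "remote": rip, "rport": rport,
                      "state": TCP_STATES.get(f[3], "STATE_" + f[3]), "inode": int(f[9])})
    return conns

def find_by_remote(text, remote_ip, remote_port):
    # Any state counts: a SYN that never gets answered still sits here as SYN_SENT.
    return [c for c in parse_proc_net_tcp(text)
            if c["remote"] == remote_ip and c["rport"] == remote_port]

def socket_owners(inode):
    """[(pid, comm)] of processes holding the socket inode; run as root to see all fds."""
    target, owners = "socket:[%d]" % inode, []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = "/proc/%s/fd" % pid
            if target in [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]:
                with open("/proc/%s/comm" % pid) as fh:
                    owners.append((int(pid), fh.read().strip()))
        except OSError:  # permission denied, or the process exited mid-scan
            continue
    return owners

if __name__ == "__main__":  # live run on the gateway: print each hit with its owner
    with open("/proc/net/tcp") as fh:
        for c in find_by_remote(fh.read(), "192.168.234.236", 5860):
            print(c["local"], c["lport"], "->", c["remote"], c["rport"], c["state"], socket_owners(c["inode"]))
```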

