RE: how to trace what is accessing the nic ?

From: Burton Strauss (BStrauss3_at_comcast.net)
Date: 04/23/05

  • Next message: Lars Bay: "Re: toolkits"
    To: "'Bonmariage, Serge'" <serge.bonmariage@GETRONICS.com>, <security-basics@securityfocus.com>
    Date: Sat, 23 Apr 2005 09:20:30 -0500
    
    

    netstat -a

    That will show you (unless you've been rootkitted) which process has what
    port open.

    Also, you might want to dump the packet details - that might have
    interesting data.

    -----Burton

    -----Original Message-----
    From: Bonmariage, Serge [mailto:serge.bonmariage@GETRONICS.com]
    Sent: Friday, April 22, 2005 8:45 AM
    To: security-basics@securityfocus.com
    Subject: how to trace what is accessing the nic ?

    Hi everyone,

    Something very strange is happening on one of our Linux SMTP gateways.
    We've recently discovered that it is sending some strange TCP packets,
    always to the same private address.

    [root@server1 root]# tcpdump -i eth0
    tcpdump: listening on eth0
    14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
    312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
    0,nop,wscale 0> (DF)
    14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S
    312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
    0,nop,wscale 0> (DF)
    14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
    312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
    0,nop,wscale 0> (DF)

    However, we don't detect any other abnormal activity.

    The question is quite basic but is there a way to trace which process is
    trying to send these packets?

    Thanks,

    Serge Bonmariage
    Getronics Belgium NV
    www.getronics.com

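The lookup Burton describes, written out as an added example (this is not code from either poster; it is editor-supplied and assumes a Linux 2.4/2.6 /proc layout, an x86 little-endian host so that /proc/net/tcp stores IPv4 addresses byte-reversed, and root privileges to read other users' /proc/<pid>/fd). On Linux the -p switch is what makes netstat print the owning PID/program (netstat -anp), and lsof -nP -i @192.168.234.236 gives the same answer; both rely on binaries an intruder may have replaced, so the script below reads /proc/net/tcp and /proc/<pid>/fd directly and maps the socket inode to a PID itself. The sample table at the bottom is constructed to mirror the capture in the post (local port 59806 = E99E, remote 192.168.234.236:5860 = ECEAA8C0:16E4, state 02 = SYN_SENT with two retransmits) so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original post: find which local process owns
# the socket behind a packet seen in tcpdump, by reading /proc/net/tcp and
# /proc/<pid>/fd directly instead of trusting the netstat binary.
#
# Assumptions (not stated on the page): Linux 2.4/2.6 /proc layout, an x86
# (little-endian) host so /proc/net/tcp stores IPv4 addresses byte-reversed,
# and root privileges for scanning other users' /proc/<pid>/fd.

# Dotted-quad IPv4 -> the hex form used in /proc/net/tcp on little-endian
# hosts: octets reversed, two hex digits each. 192.168.234.236 -> ECEAA8C0
ip_to_hex() {
    # unquoted $(...) on purpose: the four reversed octets become four args
    printf '%02X%02X%02X%02X' $(echo "$1" | awk -F. '{ print $4, $3, $2, $1 }')
}

# Decimal TCP port -> 4-digit uppercase hex as in /proc/net/tcp (5860 -> 16E4).
port_to_hex() {
    printf '%04X' "$1"
}

# Read a /proc/net/tcp-style table on stdin and print the inode of every
# socket whose remote endpoint is $1:$2 (dotted IP, decimal port).
# Column 3 is rem_address, column 10 is the socket inode; row 1 is the header.
find_sock_inode() {
    rem="$(ip_to_hex "$1"):$(port_to_hex "$2")"
    awk -v rem="$rem" 'NR > 1 && $3 == rem { print $10 }'
}

# Map a socket inode to the PID(s) holding it: every /proc/<pid>/fd/<n> that
# is a symlink to "socket:[<inode>]". Prints "<pid> <cmdline>".
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
}

# Live lookup on this host. Run it while tcpdump shows the SYNs going out:
# a SYN_SENT socket (state 02) only exists during the retransmission window.
trace_remote() {
    for ino in $(find_sock_inode "$1" "$2" < /proc/net/tcp); do
        pid_for_inode "$ino"
    done
}

# Constructed sample table (not a real capture from the poster's gateway)
# mirroring the traffic in the post: local port 59806 (E99E) to
# 192.168.234.236:5860 (ECEAA8C0:16E4), state 02 = SYN_SENT, 2 retransmits.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8123 1 c1234560 300 0 0 2 -1
   1: 0A01A8C0:E99E ECEAA8C0:16E4 02 00000001:00000000 01:000003E8 00000002     0        0 9457 2 c1234780 300 0 0 2 -1'

# Dry run against the sample; prints the inode of the SYN_SENT socket: 9457
printf '%s\n' "$SAMPLE_TCP" | find_sock_inode 192.168.234.236 5860

# Real use (as root, while the packets are being sent):
#   sh trace-nic.sh 192.168.234.236 5860
if [ "$#" -eq 2 ]; then
    trace_remote "$1" "$2"
fi
```

Two caveats when using it on the gateway in the post. Reading /proc yourself sidesteps a replaced netstat or lsof binary, but a kernel-level rootkit can hide a socket or a process from /proc as well; if nothing turns up while tcpdump on the same box still shows the SYNs, corroborate with a capture taken from a separate host on a mirror/span port, and treat the machine as compromised until proven otherwise. For the packet details Burton suggests, run tcpdump with name resolution off and the full payload, for example tcpdump -n -s 0 -X host 192.168.234.236 and port 5860; since these are bare SYNs there is no payload yet, but the TCP options and the fixed source port are still worth recording.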
