RE: how to trace what is accessing the nic ?

From: Simon Li (simon.li_at_themachineroom.co.uk)
Date: 04/25/05

  • Next message: Kelly Martin: "SF new article announcement: Bluetooth Security Review, Part 1"
    Date: Mon, 25 Apr 2005 09:47:02 +0100
    To: <security-basics@securityfocus.com>
    
    

    > -----Original Message-----
    > From: Bonmariage, Serge [mailto:serge.bonmariage@GETRONICS.com]
    > Sent: 22 April 2005 14:45
    > To: security-basics@securityfocus.com
    > Subject: how to trace what is accessing the nic ?
    >
    > Hi everyone,
    >
    > There is happening something very strange on one of our Linux
    > SMTP gateway.
    > We've recently discovered that it is sending some strange TCP
    > packets to always the same private address.
    >
    > [root@server1 root]# tcpdump -i eth0
    > tcpdump: listening on eth0
    > 14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
    > 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp
    > 1658853393 0,nop,wscale 0> (DF) 14:29:53.222040
    > server1.mysite.com.59806 > 192.168.234.236.5860: S
    > 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp
    > 1658853693 0,nop,wscale 0> (DF)
    > 14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
    > 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp
    > 1658854293 0,nop,wscale 0> (DF)
    >
    > However we don't detect any other abnormal acvtivity.
    >
    > The question is quite basic but is there a way to trace which
    > process is trying to send these packets?
    >

    If you can catch the process in the middle of it sending some packets,
    try running
    netstat --inet -nap
    as root. I think this gives you a list of all processes with network
    sockets open, together with the process id and name.

    Simon

    This e-mail message (including its attachments) is private, is intended for the recipient named in it and may contain material which is confidential and privileged. No-one other than the named recipient may read, copy, rely on, redirect, save or alter the message or any part of it or any attachment to it in any way. VMS does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not represent those of VMS unless otherwise specifically stated. While reasonable effort has been made to ensure this message is free of viruses, opening and using this message is at the risk of the recipient.


  • Next message: Kelly Martin: "SF new article announcement: Bluetooth Security Review, Part 1"

    Relevant Pages

    • Re: TCP stack bug related to F-RTO?
      ... On the wrong tcp checksum, that's because of hardware checksum offload. ... As for the seq/ack number, because the trace is long, I deliberately removed those irrelevant packets between after the three-way handshake and when the problem happens. ... The client opens up a big window, ...
      (Linux-Kernel)
    • Re: 1-to-many port "scan"s?
      ... TTLs vary wildly between successive packets, ... But the actual sequence looks strange. ... the correct response. ... you are worried about flooding your upstream use the limit module to limit ...
      (comp.os.linux.security)
    • Re: TCP stack bug related to F-RTO?
      ... in the trace), but all of them are dropped due to some ... Server is still in slow start mode, ... time retransmission timer expiring before retransmit the lost packets. ...
      (Linux-Kernel)
    • Re: Heir tracing
      ... they then contact the possible recipient and they take a cut ... tracing and then you would have to trace all the other beneficiaries. ... themselves with proof that they are indeed an heir to the estate, ... heir to trace any one else its up to the executors of the estate. ...
      (uk.legal)
    • Re: ADAM handshaking very slow in a DMZ
      ... The missing packets are LLC checks and other unrelated packets. ... It also looks from your trace ... Key Exchange, Change Cipher Spec, Encrypted Handshake Message" ...
      (microsoft.public.windows.server.active_directory)