Re: how to trace what is accessing the nic ?
From: Balaji Prasad (bpmlist_at_sonic.net)
Date: 04/30/05
Date: Sat, 30 Apr 2005 09:13:20 -0700 (PDT)
To: security-basics@securityfocus.com

One simple way is to use the Linux command "lsof" and filter for port
59806 (your source port). It should list out the program(s) that are
opening/listening on the socket.
- Balaji
> Bonmariage, Serge
> Hi everyone,
>
> Something very strange is happening on one of our Linux SMTP
> gateways.
> We've recently discovered that it is sending some strange TCP packets,
> always to the same private address.
>
> [root@server1 root]# tcpdump -i eth0
> tcpdump: listening on eth0
> 14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
> 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
> 0,nop,wscale 0> (DF)
> 14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S
> 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
> 0,nop,wscale 0> (DF)
> 14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
> 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
> 0,nop,wscale 0> (DF)
>
> However, we don't detect any other abnormal activity.
>
> The question is quite basic but is there a way to trace which process is
> trying to send these packets?
>
> Thanks,
>
> Serge Bonmariage
> Getronics Belgium NV
> www.getronics.com
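
The same port-to-process lookup done by hand from /proc, as an added example that is not part of the original messages: find the socket with local port 59806 in /proc/net/tcp, then match its inode against each process's open file descriptors. The sample table, the local address 10.0.0.5, inode 81234 and all function names are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import os

# State codes from the "st" column of /proc/net/tcp (subset)
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout; row 1 mirrors the thread's SYN packets
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4021 1 0000000000000000 100 0 0 10 0
   1: 0500000A:E99E ECEAA8C0:16E4 02 00000001:00000000 01:00000120 00000002     0        0 81234 2 0000000000000000 300 0 0 1 7
"""

def decode_addr(field):
    """Decode 'ECEAA8C0:16E4' (IPv4 in little-endian hex, port in hex)."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)

def sockets_on_port(proc_net_tcp_text, port):
    """Return one dict per socket whose local port equals `port`."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        local, remote = decode_addr(cols[1]), decode_addr(cols[2])
        if local[1] == port:
            hits.append({"local": local, "remote": remote, "uid": int(cols[7]),
                         "state": TCP_STATES.get(cols[3], cols[3]), "inode": cols[9]})
    return hits

def owners_of_inode(inode, proc_root="/proc"):
    """Return (pid, command) for each process holding 'socket:[inode]' open."""
    target, owners = "socket:[%s]" % inode, []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        owners.append((int(pid), f.read().strip()))
                    break
        except OSError:  # process exited meanwhile, or fd directory not readable
            continue
    return owners

if __name__ == "__main__":  # on a live host, pass open("/proc/net/tcp").read() instead
    for s in sockets_on_port(SAMPLE_PROC_NET_TCP, 59806):
        print(s["state"], s["remote"], "inode", s["inode"], owners_of_inode(s["inode"]))
```

Run it as root so other users' fd directories are readable, and while the connection attempt is still being retried, since the socket entry disappears once the SYN attempts time out.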