Re: how to trace what is accessing the nic ?

From: Balaji Prasad (bpmlist_at_sonic.net)
Date: 04/30/05

Date: Sat, 30 Apr 2005 09:13:20 -0700 (PDT)
To: security-basics@securityfocus.com


    One simple way is to use the Linux command "lsof" and filter for port
    59806 (your source port). It should list out the program(s) that are
    opening/listening on the socket.

    - Balaji

    > Bonmariage, Serge wrote:
    > Hi everyone,
    >
    > There is happening something very strange on one of our Linux SMTP
    > gateway.
    > We've recently discovered that it is sending some strange TCP packets to
    > always the same private address.
    >
    > [root@server1 root]# tcpdump -i eth0
    > tcpdump: listening on eth0
    > 14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
    > 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
    > 0,nop,wscale 0> (DF)
    > 14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S
    > 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
    > 0,nop,wscale 0> (DF)
    > 14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
    > 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
    > 0,nop,wscale 0> (DF)
    >
    > However we don't detect any other abnormal activity.
    >
    > The question is quite basic but is there a way to trace which process is
    > trying to send these packets?
    >
    > Thanks,
    >
    > Serge Bonmariage
    > Getronics Belgium NV
    > www.getronics.com
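As an added illustration (not part of the thread), the same port-to-process lookup that lsof performs can be done by hand from the kernel tables lsof reads, which helps on a hardened gateway where lsof is not installed. The function names, the optional second argument for pointing at a saved table or test tree, and the sample data are this example's own assumptions; it covers IPv4 only, since IPv6 sockets live in the separate /proc/net/tcp6 table.

```shell
#!/bin/sh
# Added example: map a local TCP source port to the process behind it.
# /proc/net/tcp gives local port -> TCP state and socket inode, and
# /proc/<pid>/fd/* symlinks give socket inode -> pid. Run as root so every
# process's fd table is readable. The optional second argument of each
# function exists only to allow offline testing against a saved table or a
# constructed /proc-like tree.

# Print "<state> <inode>" for every IPv4 TCP socket bound to local port $1.
# State 02 is SYN_SENT, which is what repeated unanswered SYNs look like.
sockets_for_local_port() {
    port_hex=$(printf '%04X' "$1")        # the kernel prints ports as uppercase hex
    awk -v p="$port_hex" 'NR > 1 && $2 ~ (":" p "$") { print $4, $10 }' \
        "${2:-/proc/net/tcp}"
}

# Print the pid(s) whose fd table references socket inode $1 (proc root $2).
pid_for_inode() {
    root="${2:-/proc}"
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue                         # skips an unmatched glob too
        target=$(readlink "$fd" 2>/dev/null) || continue # fd may vanish or be unreadable
        [ "$target" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}
        echo "${pid%%/*}"
    done | sort -u
}

# Usage: trace_port 59806
trace_port() {
    sockets_for_local_port "$1" | while read -r state inode; do
        pids=$(pid_for_inode "$inode")
        echo "port $1 state=$state inode=$inode pid(s)=${pids:-none (socket closed, or not root)}"
    done
}
```

A socket that shows up in /proc/net/tcp but maps to no pid usually means the connection attempt already closed between the two reads, so repeat the lookup while the SYNs are still being retransmitted.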

