Re: Associating outgoing connections to a file or PID in Redhat Linux 7.1...

From: David (thunderbolt01@netscape.net)
Date: 03/09/03


Scott Seltzer wrote:
> A server that I've been working on recently has been sending some
> strange connection attempts recently.
> I checked around for any signs of intrusion and couldn't find any
> (checked the logs for both entries and deletions, ran chkrootkit,
> verified that all of the standard binaries such as ls, ps, find,
> netstat, etc... were correct and unmodified, checked for new users and
> hidden files/folders, checked the cron files and logs), but still
> these connection attempts keep going out. The target IPs seem to be
> incrementing, but it's always targeting the https port. I'm trying to
> associate a PID with these connections, but so far I'm not having much
> luck. netstat -p isn't helping any, the connections are rarely
> established, and it never shows a PID or program that initiated the
> attempts. Attempts to use fuser to track them down have also failed.
>
> I think what I need is a sniffer that will log it, but I'd like some
> advice on what I should use. I looked into tcpspy, but this is an SMP
> box, and apparently tcpspy doesn't play well with SMP. The one version
> I found that was supposed to required me to load modules into the
> kernel, and hinted that I may need to patch and recompile. This is a
> production server, so I'm really not looking to do that.
>
> Any suggestions, either on a sniffer I can use, or a method that I've
> missed? I'm running on far too little sleep, so I might have missed
> something basic.

Sniffer = snort

netstat -tupan

-- 
Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
Slackware 9.0-rc1 Kernel 2.4.20 i686 (GCC) 3.2.2
Uptime: 4 days, 20:42, 1 user, load average: 1.19, 1.20, 1.13
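Added example (editor's note, not from either poster): a small /bin/sh script that does what `netstat -tupan` does, but in a tight loop. It reads the same kernel socket table netstat reads, /proc/net/tcp, keeps only SYN_SENT sockets to the port in question, and maps each socket inode to a PID through /proc/<pid>/fd, which is exactly how netstat -p and fuser find the owner. A connection attempt that lives for a few milliseconds is easy to miss with a one-shot netstat but usually shows up across enough samples. The sample table embedded below is constructed; the function names and the 2.4-era column layout of /proc/net/tcp are this example's assumptions. No kernel modules, nothing to recompile.

```shell
#!/bin/sh
# Added example, not code from this thread.  Polls /proc/net/tcp for
# half-open (SYN_SENT) outgoing sockets to a given port and resolves the
# socket inode to a PID via /proc/<pid>/fd.  Assumed column layout
# (kernel 2.4 era):
#   sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...

# Constructed sample of /proc/net/tcp so the parsing can be exercised
# offline: a listener on 127.0.0.1:22 (st 0A), two half-open attempts to
# consecutive hosts on port 443 (st 02 = SYN_SENT), one established
# session to port 80 (st 01).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c0c0c0c0 300 0 0 2 -1
   1: 0A00020F:8A3C 0102A8C0:01BB 02 00000001:00000000 01:00000028 00000001     0        0 98765 1 c0c0c0c1 300 0 0 2 -1
   2: 0A00020F:8A3D 0202A8C0:01BB 02 00000001:00000000 01:00000028 00000001     0        0 98766 1 c0c0c0c2 300 0 0 2 -1
   3: 0A00020F:C350 0302A8C0:0050 01 00000000:00000000 00:00000000 00000000   500        0 55555 1 c0c0c0c3 20 0 0 10 -1'

# /proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order
# (little-endian on x86), so 0100007F is 127.0.0.1.
hex2ip() {
    b4=${1%??????}; r=${1#??}
    b3=${r%????};   r=${r#??}
    b2=${r%??};     b1=${r#??}
    printf '%d.%d.%d.%d' $((0x$b1)) $((0x$b2)) $((0x$b3)) $((0x$b4))
}

# Read a /proc/net/tcp table on stdin and print one line per socket whose
# remote port is $1 (decimal) and, if $2 is given, whose state is $2
# (hex: 02 = SYN_SENT, 01 = ESTABLISHED, 0A = LISTEN).
list_sockets() {
    want_port=$1; want_state=${2:-}
    while read -r sl laddr raddr st txrx trwhen retr uid timeout inode rest; do
        case $sl in [0-9]*:) ;; *) continue ;; esac   # skip header/blank lines
        rport=$((0x${raddr#*:}))
        [ "$rport" -eq "$want_port" ] || continue
        [ -z "$want_state" ] || [ "$st" = "$want_state" ] || continue
        printf '%s %s:%s -> %s:%s uid=%s inode=%s\n' "$st" \
            "$(hex2ip "${laddr%:*}")" $((0x${laddr#*:})) \
            "$(hex2ip "${raddr%:*}")" "$rport" "$uid" "$inode"
    done
}

# Map a socket inode to the owning PID(s) and command line by scanning the
# fd symlinks of every process.  Run as root: as an ordinary user you can
# only read your own processes' fd directories, which is also why
# netstat -p prints "-" for other users' sockets.
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        case $(readlink "$fd" 2>/dev/null) in
            "socket:[$1]")
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '  pid=%s cmd=%s\n' "$pid" \
                    "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
                ;;
        esac
    done
}

# Sample the live table several times a second, reporting every SYN_SENT
# socket to port $1 together with its owner.
watch_port() {
    while :; do
        list_sockets "$1" 02 < /proc/net/tcp | while read -r line; do
            printf '%s %s\n' "$(date '+%T')" "$line"
            inode_to_pid "${line##*inode=}"
        done
        sleep 0.2   # GNU sleep accepts fractions; use 1 with a strict POSIX sleep
    done
}

case ${1:-} in
    --watch) watch_port "${2:-443}" ;;   # usage: sh watchsyn.sh --watch 443
esac
```

Run it as root with `--watch 443` next to the sniffer (snort, or just `tcpdump -n 'tcp dst port 443 and tcp[tcpflags] & tcp-syn != 0'`) so the two views can be lined up by timestamp. The check that matters: if the sniffer keeps seeing SYNs leave the box but nothing ever appears in /proc/net/tcp, the packets are not coming from an ordinary TCP socket at all (raw or packet sockets, or something in the kernel), and no amount of netstat or fuser will ever name a PID for them.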