Re: Associating outgoing connections to a file or PID in Redhat Linux 7.1...
From: David (email@example.com)
Date: Sun, 09 Mar 2003 02:45:45 GMT
Scott Seltzer wrote:
> A server that I've been working on recently has been sending some
> strange connection attempts recently.
> I checked around for any signs of intrusion and couldn't find any
> (checked the logs for both entries and deletions, ran chkrootkit,
> verified that all of the standard binaries such as ls, ps, find,
> netstat, etc... were correct and unmodified, checked for new users and
> hidden files/folders, checked the cron files and logs), but still
> these connection attempts keep going out. The target IPs seem to be
> incrementing, but it's always targeting the https port. I'm trying to
> associate a PID with these connections, but so
> far I'm not having much luck. netstat -p isn't helping any, the
> connections are rarely established, and it never shows a PID or
> program that initiated the attempts. Attempts to use fuser to track them
> down have also failed.
> I think what I need is a sniffer that will log it, but I'd like some
> advice on what I should use. I looked into tcpspy, but this is an SMP
> box, and apparently tcpspy doesn't play well with SMP. The one version
> I found that was supposed to work required me to load modules into the
> kernel, and hinted that I may need to patch and recompile. This is a
> production server, so I'm really not looking to do that.
> Any suggestions, either on a sniffer I can use, or a method that I've
> missed? I'm running on far too little sleep, so I might have missed
> something basic.
Sniffer = snort
--
Confucius: He who play in root, eventually kill tree.
Registered with the Linux Counter. http://counter.li.org
Slackware 9.0-rc1 Kernel 2.4.20 i686 (GCC) 3.2.2
Uptime: 4 days, 20:42, 1 user, load average: 1.19, 1.20, 1.13
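Added example, not from either poster: the reason netstat -p shows nothing is that a SYN_SENT socket to a remote port 443 lives for well under a second, so a polling tool must read /proc/net/tcp itself and map each socket inode to a PID through /proc/<pid>/fd. The parser below runs against a constructed /proc/net/tcp sample; the inode-to-PID scan needs root to see every process.

```python
import os
import re

# Constructed sample of /proc/net/tcp (Linux 2.4 column layout), not taken
# from the post: a LISTEN socket on port 22 and a SYN_SENT (state 02) to
# remote port 443 (0x01BB). Addresses are little-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c1a2b3c4 300 0 0 2 -1
   1: 0A00020F:8A3C 0A00020A:01BB 02 00000000:00000000 00:00000000 00000000     0        0 5678 1 c1a2b3c5 300 0 0 2 -1
"""

def _hex_addr(field):
    """Convert a little-endian 'AABBCCDD:PPPP' field to ('d.c.b.a', port)."""
    raw, port = field.split(":")
    octets = [str(int(raw[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port, 16)

def parse_proc_net_tcp(text):
    """Return (local, remote, state, inode) tuples for every socket line."""
    sockets = []
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote = _hex_addr(fields[1]), _hex_addr(fields[2])
        sockets.append((local, remote, int(fields[3], 16), int(fields[9])))
    return sockets

def inode_to_pid_map():
    """Scan /proc/<pid>/fd for socket:[inode] links; root sees all processes."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:                       # not our process, or it exited
            continue
        for fd in fds:
            try:
                target = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            m = re.match(r"socket:\[(\d+)\]", target)
            if m:
                mapping[int(m.group(1))] = int(pid)
    return mapping

def outbound_to_port(sockets, port=443, listen_state=0x0A):
    """Keep sockets whose remote port matches, skipping LISTEN entries."""
    return [s for s in sockets if s[2] != listen_state and s[1][1] == port]

if __name__ == "__main__":
    # Run this in a tight loop: a SYN_SENT socket is gone before netstat starts.
    with open("/proc/net/tcp") as f:
        live = parse_proc_net_tcp(f.read())
    pids = inode_to_pid_map()
    for local, remote, state, inode in outbound_to_port(live):
        print(f"{local} -> {remote} state={state:02X} pid={pids.get(inode, '?')}")
```

A PID that the map never resolves (printed as '?') while the socket is visible is itself a finding worth following up, since it suggests the owning process is hidden from /proc.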