Re: Associating outgoing connections to a file or PID in Redhat Linux 7.1...

From: David (thunderbolt01@netscape.net)
Date: 03/09/03


From: David <thunderbolt01@netscape.net>
Date: Sun, 09 Mar 2003 02:45:45 GMT

Scott Seltzer wrote:
> A server that I've been working on recently has been sending some
> strange connection attempts.
> I checked around for any signs of intrusion and couldn't find any
> (checked the logs for both entries and deletions, ran chkrootkit,
> verified that all of the standard binaries such as ls, ps, find,
> netstat, etc... were correct and unmodified, checked for new users and
> hidden files/folders, checked the cron files and logs), but still
> these connection attempts keep going out. The target IPs seem to be
> incrementing, but it's always targeting the https port. I'm trying to
> associate a PID with these connections, but so far I'm not having much
> luck. netstat -p isn't helping any, the connections are rarely
> established, and it never shows a PID or program that initiated the
> attempts. Attempts to use fuser to track them down have also failed.
>
> I think what I need is a sniffer that will log it, but I'd like some
> advice on what I should use. I looked into tcpspy, but this is an SMP
> box, and apparently tcpspy doesn't play well with SMP. The one version
> I found that was supposed to work required me to load modules into the
> kernel, and hinted that I may need to patch and recompile. This is a
> production server, so I'm really not looking to do that.
>
> Any suggestions, either on a sniffer I can use, or a method that I've
> missed? I'm running on far too little sleep, so I might have missed
> something basic.

Sniffer = snort

netstat -tupan

-- 
Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
Slackware 9.0-rc1 Kernel 2.4.20 i686 (GCC) 3.2.2
Uptime: 4 days, 20:42, 1 user, load average: 1.19, 1.20, 1.13
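Added example (editor's addition, not code from either poster): what `netstat -tupan` does internally, done by hand so it can be polled fast enough to catch the short-lived SYN_SENT sockets described in the question. It reads /proc/net/tcp, decodes the hex address fields, keeps attempts to port 443 that are still in SYN_SENT, and ties each one to a process by matching the socket inode against the `socket:[inode]` symlinks under /proc/<pid>/fd. The /proc/net/tcp contents and the inode-to-PID table used at the bottom are constructed for illustration; on a live box `build_fd_index()` walks the real /proc and needs root to read other users' fd directories. This needs no kernel module and works on a stock 2.4 kernel, which is the point for a production SMP host.

```python
#!/usr/bin/env python3
"""Tie outbound TCP connection attempts to the owning PID via /proc.

Editor's added example, not from the original thread. Works the way
`netstat -tupan` does: socket table from /proc/net/tcp, owner found by
scanning /proc/<pid>/fd for a symlink to socket:[inode]. Run as root to
see sockets belonging to other users.
"""
import os
import socket
import struct
import time

# Subset of the st column values in /proc/net/tcp (see net/tcp_states.h).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "07": "CLOSE", "0A": "LISTEN"}


def hex_to_endpoint(field):
    """'0500000A:01BB' -> ('10.0.0.5', 443).

    The address is a 32-bit word in host byte order (little-endian on
    x86), the port is plain big-endian hex."""
    hexip, hexport = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))
    return ip, int(hexport, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of socket records."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({"local": hex_to_endpoint(parts[1]),
                     "remote": hex_to_endpoint(parts[2]),
                     "state": TCP_STATES.get(parts[3], parts[3]),
                     "uid": int(parts[7]),
                     # inode 0 means no fd refers to the socket any more
                     # (already closed, or opened from kernel space).
                     "inode": int(parts[9])})
    return rows


def build_fd_index(proc_root="/proc"):
    """Return {socket_inode: (pid, comm)} by walking /proc/<pid>/fd."""
    index = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                          # exited, or not our process
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                index[int(target[8:-1])] = (int(pid), comm)
    return index


def suspicious_attempts(rows, fd_index, port=443):
    """SYN_SENT sockets to `port`, each tagged with its owner if one is known.

    pid is None when the inode has no fd pointing at it: the process
    closed it already, or the connect did not come from userland."""
    out = []
    for r in rows:
        if r["state"] == "SYN_SENT" and r["remote"][1] == port:
            pid, comm = fd_index.get(r["inode"], (None, None))
            out.append({**r, "pid": pid, "comm": comm})
    return out


def watch(interval=0.1, port=443):
    """Poll /proc/net/tcp; print each new attempt once with its owner."""
    seen = set()
    while True:
        with open("/proc/net/tcp") as f:
            rows = parse_proc_net_tcp(f.read())
        fd_index = build_fd_index()
        for hit in suspicious_attempts(rows, fd_index, port):
            key = (hit["local"], hit["remote"], hit["inode"])
            if key not in seen:
                seen.add(key)
                print(time.strftime("%H:%M:%S"), hit["local"], "->",
                      hit["remote"], "uid", hit["uid"],
                      "pid", hit["pid"], hit["comm"])
        time.sleep(interval)


# Constructed sample: one listening sshd socket, one SYN_SENT to
# 198.51.100.7:443, one SYN_SENT to 198.51.100.8:80 (should be ignored).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2101 1 c0000000 300 0 0 2 -1
   1: 0500000A:8707 076433C6:01BB 02 00000001:00000000 01:000000F0 00000000     0        0 99421 1 c0000000 300 0 0 2 -1
   2: 0500000A:8708 086433C6:0050 02 00000001:00000000 01:000000F0 00000000     0        0 99422 1 c0000000 300 0 0 2 -1
"""
# Hypothetical fd index standing in for a real build_fd_index() result.
SAMPLE_FD_INDEX = {2101: (611, "sshd"), 99421: (4242, "cron")}

if __name__ == "__main__":
    for hit in suspicious_attempts(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP),
                                   SAMPLE_FD_INDEX):
        print(hit["local"], "->", hit["remote"], "pid", hit["pid"], hit["comm"])
    # watch()   # uncomment on the affected host (as root) to poll live
```

If the polling loop keeps reporting `pid None` for attempts whose inode is non-zero, the owning fd is being closed faster than /proc can be walked; if the inode itself is 0 while the socket sits in SYN_SENT, nothing in userland holds it, and a kernel-resident component is the thing to look for next, which is where the sniffer the reply recommends earns its keep.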

