Tracking outgoing connection attempts to a file or PID...

From: Scott Seltzer (sseltz3@mindspring.com)
Date: 8 Mar 2003 12:08:27 -0800

A server that I've been working on recently has been sending some
strange connection attempts to a net block (in Brazil). I checked
around for any signs of intrusion and couldn't find any (checked the
logs for both entries and deletions, ran chkrootkit, verified that all
of the standard binaries such as ls, ps, find, netstat, etc. were
correct and unmodified, checked for new users and hidden files/folders,
checked the cron files and logs), but still these connection attempts
keep going out. The target IPs seem to be incrementing, but it's always
on the https port. I'm trying to associate a PID with these connections,
but so far I'm not having much luck. netstat -p isn't helping any; the
connections are never established, so it doesn't show a PID or program
that initiated the attempts.

I think what I need is a sniffer that will log it, but I'd like some
advice on what I should use. I looked into tcpspy, but this is an SMP
box, and apparently tcpspy doesn't play well with SMP. The one version
I found that was supposed to work required me to load modules into the
kernel, and hinted that I may need to patch and recompile. This is a
production server, so I'm really not looking to do that.

Any suggestions, either on a sniffer I can use, or a method that I've
missed? I'm running on far too little sleep, so I might have missed
something basic.
It's a Red Hat 7.1 box.
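One way to get the PID without a kernel module, offered here as an added example and not something from the thread or from the original poster: a socket that is still waiting for its SYN/ACK sits in /proc/net/tcp in state 02 (SYN_SENT) with an inode number, and the process that owns it holds that inode as a `socket:[inode]` symlink under /proc/<pid>/fd. Polling the two and joining on the inode gives the PID and command line. The script below assumes a Linux procfs layout, an x86 (little-endian) host (the kernel prints the IPv4 address as one host-order word) and a Python 3 interpreter, which a stock Red Hat 7.1 box does not ship with; the sample /proc/net/tcp text and fd table embedded in it are constructed for illustration, not captured from the poster's server, and use a TEST-NET-3 address.

```python
#!/usr/bin/env python3
"""Join /proc/net/tcp (SYN_SENT sockets) against /proc/<pid>/fd to find
which process owns each half-open outbound connection. Added example;
assumes Linux procfs and a little-endian host."""
import os
import socket
import struct
import time

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


def decode_endpoint(hexpair):
    """'077100CB:01BB' -> ('203.0.113.7', 443); address is a host-order word."""
    addr_hex, port_hex = hexpair.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into socket records (header skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        sockets.append({"local": decode_endpoint(f[1]),
                        "remote": decode_endpoint(f[2]),
                        "state": TCP_STATES.get(f[3], f[3]),
                        "uid": int(f[7]), "inode": int(f[9])})
    return sockets


def inode_owners(fd_links):
    """{pid: [readlink targets of /proc/<pid>/fd/*]} -> {socket inode: pid}."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            if t.startswith("socket:[") and t.endswith("]"):
                owners[int(t[8:-1])] = pid
    return owners


def scan_proc_fds():
    """Live fd table: walk /proc/<pid>/fd (run as root to see every process)."""
    links = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = "/proc/%s/fd" % name
        try:
            links[int(name)] = [os.readlink(os.path.join(fd_dir, fd))
                                for fd in os.listdir(fd_dir)]
        except OSError:          # process exited mid-scan, or no permission
            continue
    return links


def find_half_open(tcp_text, fd_links, dport=None):
    """SYN_SENT sockets (optionally only to dport) tagged with the owning pid.
    pid is None when no fd refers to the inode: raw-socket sender, or a race."""
    owners = inode_owners(fd_links)
    hits = []
    for s in parse_proc_net_tcp(tcp_text):
        if s["state"] != "SYN_SENT":
            continue
        if dport is not None and s["remote"][1] != dport:
            continue
        s["pid"] = owners.get(s["inode"])
        hits.append(s)
    return hits


def cmdline(pid):
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"


# Constructed sample (not from the poster's box): one sshd listener and one
# half-open attempt from 10.0.0.5:34567 to 203.0.113.7:443 owned by pid 4242.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8100 1 c0000000 300 0 0 2 -1
   1: 0500000A:8707 077100CB:01BB 02 00000001:00000000 01:00000000 00000000     0        0 99887 2 c0000001 300 0 0 2 -1
"""
SAMPLE_FD_LINKS = {1: ["/dev/null"], 4242: ["/dev/null", "socket:[99887]"]}

if __name__ == "__main__":
    # Poll fast: an attempt answered by a RST inside one interval is missed.
    while True:
        with open("/proc/net/tcp") as fh:
            snapshot = fh.read()
        for s in find_half_open(snapshot, scan_proc_fds(), dport=443):
            who = cmdline(s["pid"]) if s["pid"] else "(no owning fd: raw socket?)"
            print(time.strftime("%H:%M:%S"), s["remote"], "pid", s["pid"], who)
        time.sleep(0.2)
```

Run it as root alongside `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0 and dst port 443'` so every SYN the sniffer sees can be lined up against a polled owner. Two outcomes are informative in their own right: a SYN on the wire with no matching SYN_SENT entry points at a raw-socket sender (a scanner or a kernel-level implant), and an entry whose inode no fd references points at a process hidden from /proc, which is a rootkit check in itself.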

