LinuxQuestions.org
Old 05-04-2005, 12:11 PM   #1
zoubidoo
LQ Newbie
 
Registered: Mar 2004
Posts: 27
Tracing traffic origins


I have some outbound traffic that I can't account for (port 81). Firestarter (my firewall interface) reports blocking the packets but doesn't say which program/process is responsible. I'd like to know if there is a way of identifying the source.

I'm starting to get worried I have a trojan... help!
z.
 
Old 05-05-2005, 08:10 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1
You should be able to identify what program is using port 81 with either lsof -i or netstat -pantu. You also might want to run nmap on your system (both internally and from outside if you can) and make sure that you can identify all of the listening processes. I would also download and run chkrootkit and rkhunter to check for installed rootkits. You could also use a live CD distro like Knoppix to scan your hard drive with rkhunter and chkrootkit.
 
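Hangdog42's lsof -i and netstat -pantu both answer the question by reading /proc/net/tcp (the kernel's socket table) and /proc/<pid>/fd. The script below, an added example that is not part of the thread, does the same lookup by hand: port to socket inode to PID to command line. That is worth knowing in exactly the situation zoubidoo fears, because a user-space rootkit that has replaced netstat or lsof can hide its own connections, while /proc comes straight from the kernel (a kernel-level rootkit can still lie there, which is what the live CD scan is for). The /proc/net/tcp sample embedded in it is constructed, not captured from a real host, and the function names are mine.

```shell
#!/bin/sh
# Added example: find which process owns a TCP socket on a given port by reading
# /proc/net/tcp directly, the same data lsof -i and netstat -p consult. Doing it
# by hand sidesteps trojaned netstat/lsof binaries; it does not defeat a kernel
# rootkit that filters /proc itself.

# Constructed sample in /proc/net/tcp format (not from a real host). Port 81 is
# hex 0051, port 22 is 0016; 0100007F is 127.0.0.1 in little-endian hex.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0051 0B0B0B0B:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6789 1 0000000000000000 100 0 0 10 0'

# Print the socket inode of every entry whose local OR remote port is $1
# (decimal). Reads a /proc/net/tcp-style table from stdin; field 10 is the inode.
inodes_for_port() {
    hexport=$(printf '%04X' "$1")
    awk -v p="$hexport" 'NR > 1 {
        split($2, l, ":"); split($3, r, ":")
        if (l[2] == p || r[2] == p) print $10
    }'
}

# Map a socket inode to the PIDs that hold it open by scanning every /proc/*/fd
# symlink for "socket:[inode]". Needs root to see other users processes.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            echo "$fd" | cut -d/ -f3
        fi
    done | sort -u
}

# Full lookup against the live kernel table: port -> inode -> pid -> command line.
# (Also read /proc/net/tcp6 and /proc/net/udp if the traffic might be v6 or UDP.)
report_port() {
    inodes_for_port "$1" < /proc/net/tcp | while read -r ino; do
        for pid in $(pids_for_inode "$ino"); do
            printf 'inode=%s pid=%s cmd=%s\n' "$ino" "$pid" \
                "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        done
    done
}

# Self-check against the constructed sample; prints the inode for port 81.
printf '%s\n' "$SAMPLE_TCP" | inodes_for_port 81   # -> 12345
```

On the real machine, `report_port 81` (as root) gives the process behind the port; if it prints an inode with no PID, the socket belongs to a process whose /proc entry is hidden or that has already exited, and either answer is informative.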
Old 05-06-2005, 06:09 AM   #3
zoubidoo
LQ Newbie
 
Registered: Mar 2004
Posts: 27

Original Poster
Trojan tracking

Thanks Hangdog42, this is just what I was looking for. Tried nmap, rkhunter and chkrootkit, fortunately no surprises. Haven't tried booting from CD yet though - can this really make much difference? The suspicious traffic isn't frequent so I hashed together a script to periodically check if the port has been accessed and if so record the open network files. Of course, this assumes that the connections will be open long enough to record them...

Code:
#!/bin/sh
# Poll the kernel log for Firestarter's "Outbound" blocks with source port 81;
# whenever the count has grown since the last check, record the open network files.
oldaccesses=0
while true; do
   accesses=$(dmesg | grep Outbound | grep -c 'SPT=81')
   if [ "$oldaccesses" -ne "$accesses" ]; then
      date >> port81_watcher
      lsof -i >> port81_watcher
      oldaccesses=$accesses   # remember the new count, or every later pass fires
   fi
   sleep 60
done
 
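The poll above only catches a connection that is still open when lsof runs. The log lines themselves carry more than the script uses: an iptables LOG entry (which is what Firestarter writes into the kernel log) includes the destination address, destination port and TCP flags, and those separate outbound SPT=81 traffic into two very different cases. SYN without ACK from local port 81 means a local program is opening connections outward from that port; ACK packets from port 81 mean something on this machine is listening on 81 and answering whoever connects to it. The awk filter below is an added example, not zoubidoo's or Hangdog42's code; the log lines it parses are constructed in the LOG target's format, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): classify kernel-log entries for source
# port 81 into new outbound connections (SYN without ACK: a local program is
# calling out from port 81) versus replies from a local listener on 81 (ACK set),
# and count them per remote address:port.

# Constructed dmesg lines in iptables LOG format; the "Outbound"/"Inbound"
# prefixes are the ones the original script greps for.
SAMPLE_LOG='[ 1234.001] Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=81 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
[ 1234.002] Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=81 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
[ 1234.003] Outbound IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=81 DPT=40512 WINDOW=5840 RES=0x00 ACK URGP=0
[ 1234.004] Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=40512 DPT=81 WINDOW=5840 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin; print "kind dst:dpt count" for outbound traffic whose
# source port is $1. kind is new-connection (SYN, no ACK) or reply (anything else).
classify_port() {
    awk -v want="SPT=$1" '
        /Outbound/ {
            dst = ""; dpt = ""; hit = 0; syn = 0; ack = 0
            for (i = 1; i <= NF; i++) {
                if ($i == want)            hit = 1
                else if ($i ~ /^DST=/)     dst = substr($i, 5)
                else if ($i ~ /^DPT=/)     dpt = substr($i, 5)
                else if ($i == "SYN")      syn = 1
                else if ($i == "ACK")      ack = 1
            }
            if (!hit) next
            kind = (syn && !ack) ? "new-connection" : "reply"
            n[kind " " dst ":" dpt]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# Self-check on the constructed lines.
printf '%s\n' "$SAMPLE_LOG" | classify_port 81
```

Run it as `dmesg | classify_port 81`. A new-connection line to a remote address is what a program calling out from port 81 looks like, and `lsof -i :81` while one is open names it; reply lines alone mean the question is what is listening on 81 and who is probing it, which `lsof -i :81` answers at any time because the listener stays open.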
Old 05-06-2005, 08:28 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1
Booting from a CD can make a difference when using tools like chkrootkit or rkhunter to scan for changes because any intruder hasn't had a chance to tamper with them. Of course it is best if you either have a CD that was burned prior to the intrusion or burn a new one on a separate computer. However, since the CD boots from its own untainted kernel, any running exploits that might be picked up by nmap, lsof or netstat are going to be gone.

If you reach the point where you're pretty sure you haven't been cracked, I'd strongly suggest setting up a file monitoring system. AIDE, Tripwire and Samhain are three pretty popular monitors. As long as you keep a copy of their database off the system, you can always go back and scan from a trusted point and see exactly what files have been altered. You also might consider running Snort if you keep this attached to the internet all the time. Snort won't prevent any attacks, but it can help alert you when one happens.
 
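Hangdog42's point about AIDE, Tripwire and Samhain comes down to one mechanism: a baseline of file hashes kept where the machine cannot alter it, and a later comparison run from a trusted kernel. The script below is an added example of that mechanism in its smallest form; it is not code from those projects or from the thread, and the paths in its usage are assumptions. A baseline taken after a compromise only proves the attacker has been consistent, so the first one has to come from a known-good install, and the check has to run from the live CD against the mounted disk, since a kernel rootkit on the running system can feed the hashing tool clean file contents.

```shell
#!/bin/sh
# Added example (not AIDE/Tripwire/Samhain code): hash every regular file under
# a directory into a baseline, keep the baseline off the machine, later compare a
# fresh scan against it from a trusted boot and report what changed.

# Write "sha256  ./path" lines for every regular file under $1, in a stable
# order so two baselines of the same tree are directly diffable.
make_baseline() {
    ( cd "$1" && LC_ALL=C find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum )
}

# Compare a fresh scan of directory $1 with baseline file $2. Prints one line per
# difference: "ADDED path", "CHANGED path" or "REMOVED path", sorted.
# sha256sum lines are 64 hex chars, two spaces, then the path (column 67 on).
check_baseline() {
    make_baseline "$1" | awk -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0)
                old[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            h = substr($0, 1, 64); p = substr($0, 67)
            if (!(p in old))       print "ADDED", p
            else if (old[p] != h)  print "CHANGED", p
            delete old[p]          # whatever is left at the end has vanished
        }
        END { for (p in old) print "REMOVED", p }' | sort
}
```

Typical use: on the known-good system, `make_baseline /usr > baseline-usr.txt` (repeat for /bin, /sbin, /lib, /etc rather than hashing / with /proc and /sys mounted), write the files to a CD, and later from the live CD with the disk mounted at, say, /mnt/disk: `check_baseline /mnt/disk/usr /cdrom/baseline-usr.txt`. This records contents only and does not handle paths containing newlines; the real tools also track ownership, permissions and inode data, which is how they catch a setuid bit flipped on an otherwise unchanged binary.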