LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-18-2003, 12:17 PM   #1
gbell72
Member
 
Registered: Sep 2003
Location: Toronto, Canada
Distribution: FreeBSD
Posts: 78

Rep: Reputation: 15
tcpdump


Hi
I've been following an ip for about the past week trying to determine what this person has been up to with no luck. Over the past 2 days they have been hitting my firewall with about 7 different ip's in the range which I will post momentarily. It has stopped periodically but when using tcpdump port 80 I see many instances from them once again.

12:56:22.053052 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: S 152256065:152256065(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089174 165.254.12.101.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242: S 4259504041:4259504041(0) ack 152256066 win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.089562 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: . ack 1 win 8760 (DF)
12:56:22.090183 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3242 > 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)

12:56:22.780155 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: S 152256793:152256793(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.789197 poppit03.pogo.com.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3244: P 1116:1303(187) ack 1166 win 24820 (DF)
12:56:22.820501 165.254.12.101.http > CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245: S 4268719919:4268719919(0) ack 152256794 win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:56:22.820904 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: . ack 1 win 8760 (DF)
12:56:22.821503 CPE0004758dbf50-CM024480006068.cpe.net.cable.rogers.com.3245 > 165.254.12.101.http: P 1:280(279) ack 1 win 8760 (DF)

Has anyone else been seeing the likes of this, or can anyone enlighten me as to what I'm actually seeing here as this sort of thing boggles my mind. I've just been googling this ip and also came up with 165.254.12.101 being some sort of virtual directory.

TIA

gbell

Last edited by gbell72; 09-18-2003 at 12:45 PM.
 
Old 09-18-2003, 01:21 PM   #2
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Rep: Reputation: 15
dump the packet contents here
 
Old 09-18-2003, 01:30 PM   #3
gbell72
Member
 
Registered: Sep 2003
Location: Toronto, Canada
Distribution: FreeBSD
Posts: 78

Original Poster
Rep: Reputation: 15
476 packets received by filter
0 packets dropped by kernel

This all I get when I ^C I'm thinking that it could be ad.us.doubleclick.net because I'm seeing quite a number of packets being sent from there also.

Last edited by gbell72; 09-18-2003 at 01:34 PM.
 
Old 09-18-2003, 01:41 PM   #4
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Rep: Reputation: 15
well these look like packets you are sending to a verio webserver - do you have a network behind this box, or is this box stand alone.

noc:/home/admin# whois 165.254.12.101

OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US

ReferralServer: rwhois://rwhois.verio.net:4321/

NetRange: 165.254.0.0 - 165.254.255.255
CIDR: 165.254.0.0/16
NetName: VRIO-165-254
NetHandle: NET-165-254-0-0-1
Parent: NET-165-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
NameServer: NS4.VERIO.NET
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2001-02-08
Updated: 2003-08-27

TechHandle: VIA4-ORG-ARIN
TechName: Verio, Inc.
TechPhone: +1-303-645-1900
TechEmail: vipar@verio.net

OrgAbuseHandle: VAC5-ARIN
OrgAbuseName: Verio Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@verio.net

OrgNOCHandle: VSC-ARIN
OrgNOCName: Verio Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@verio.net

OrgTechHandle: VIA4-ORG-ARIN
OrgTechName: Verio, Inc.
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@verio.net

# ARIN WHOIS database, last updated 2003-09-17 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
noc:/home/admin#
 
Old 09-18-2003, 01:44 PM   #5
gbell72
Member
 
Registered: Sep 2003
Location: Toronto, Canada
Distribution: FreeBSD
Posts: 78

Original Poster
Rep: Reputation: 15
That I do someone is browsing on one of my other boxes as we speak so I guess that is what it is.

Thanks

gbell
 
Old 09-18-2003, 02:08 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
If you ever want to try and decipher a tcpdump output a little more clearly, try using ethereal. It acts as a GUI for tcpdump, and it gives you the option to decode packet contents and it has a feature to "follow tcp stream" which will essentially give you the decoded output of a reassembled tcp packet stream. It's a useful tool to have around.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
10.1 and tcpdump pr0nd3xtr Slackware - Installation 0 03-09-2005 03:37 PM
tcpdump telestudent Linux - Software 1 03-03-2005 10:07 PM
help tcpdump blackzone Linux - Networking 1 10-08-2004 07:07 AM
tcpdump dlm4444 Linux - Networking 1 02-15-2004 03:03 PM
tcpdump isbrower Linux - Networking 2 06-11-2001 03:48 PM


All times are GMT -5. The time now is 07:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration