LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 12-10-2012, 03:47 AM   #1
linuxakias
LQ Newbie
 
Registered: Dec 2012
Posts: 21

Rep: Reputation: Disabled
Strange connections to port 5060


Hello,

I have an openVZ server. I see from ntop that a host make connections to port 5060 often and make huge traffic.

But i cant see exactly the ip of the virtual machine does this, i see the main's node ip instead.


I tried to block traffic from/to 5060 from iptables but no luck.

CentOS 6 64bit
OpenVZ
SolusVM

Thanks
 
Old 12-10-2012, 06:13 AM   #2
Air-Global
Member
 
Registered: Dec 2012
Location: The Netherlands
Distribution: Fedora 27 & CentOS 7
Posts: 62

Rep: Reputation: 8
Quote:
Originally Posted by linuxakias View Post
a host
Could you try to be more specific.
Is it one of your own systems, or does it come over the internet?
Does your system request the connections first, or are they requested from your system?
And how is your virtual machine connected to the network, via NAT or Bridge?
Could you try to sniff the packages and post their headers here?

Last edited by Air-Global; 12-10-2012 at 06:15 AM.
 
Old 12-10-2012, 06:26 AM   #3
linuxakias
LQ Newbie
 
Registered: Dec 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
extra infos

Quote:
Originally Posted by Air-Global View Post
Could you try to be more specific.


Is it one of your own systems, or does it come over the internet?
it came over the internet

Does your system request the connections first, or are they requested from your system?
how can find out this?

And how is your virtual machine connected to the network, via NAT or Bridge?
via NAT

Could you try to sniff the packages and post their headers here?
what tool may i use to do this?

Thanks!
 
Old 12-10-2012, 07:48 AM   #4
Air-Global
Member
 
Registered: Dec 2012
Location: The Netherlands
Distribution: Fedora 27 & CentOS 7
Posts: 62

Rep: Reputation: 8
WireShark is an easy to use tool for this, there is a GnomeUI available for easy use (run it as root) there is a windows version available as well if you wish to run it from an other system (make sure you can sniff the network traffic of the other machine in this case, a good switch would prevent this from being possible)

http://www.wireshark.org/
 
Old 12-10-2012, 08:14 AM   #5
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
tcpdump or tshark could be handy and work on the CLI.
 
Old 12-10-2012, 08:27 AM   #6
linuxakias
LQ Newbie
 
Registered: Dec 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Dump file

Quote:
Originally Posted by Air-Global View Post
WireShark is an easy to use tool for this, there is a GnomeUI available for easy use (run it as root) there is a windows version available as well if you wish to run it from an other system (make sure you can sniff the network traffic of the other machine in this case, a good switch would prevent this from being possible)

http://www.wireshark.org/
Hello again !

Thank you for your time !

The dump

OPTIONS sip:XX.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a

To: <sip:xxx.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:39 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:xxx.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a

To: <sip:xxx.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:39 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:39 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:39 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:39 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:53 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:53 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:53 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:53 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK4a74d8f8;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as17b2c995

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 185cd45b4917f47461203fb71795db99@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:53 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:17:07 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:17:07 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:17:07 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:17:07 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0



OPTIONS sip:188.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK71313a79;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as7d7bf2f9

To: <sip:188.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 762d45ea3fd093ec6c24dab86c01b19d@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:17:07 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0
 
Old 12-10-2012, 08:30 AM   #7
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
add a filter to match the port you care about on the interface you care about... it's the same thing on wireshark tcpdump or tshark:

tshark -i eth0 tcp and port 5060
 
Old 12-10-2012, 08:42 AM   #8
linuxakias
LQ Newbie
 
Registered: Dec 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
Mon Dec 10 14:42:08 2012
UDP 217.23.94.3:5060 --> 188.40.41.144:5060 |

OPTIONS sip:188.40.41.144 SIP/2.0.
Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK7b8b21c4;rport.
Max-Forwards: 70.
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0c2a70d2.
To: <sip:188.40.41.144>.
Contact: <sip:asterisk@217.23.94.3:5060>.
Call-ID: 694bfd032d1c7a184730b6d54953e578@217.23.94.3:5060.
CSeq: 102 OPTIONS.
User-Agent: zte.
Date: Mon, 10 Dec 2012 13:42:05 GMT.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH.
Supported: replaces, timer.
Content-Length: 0.
 
Old 12-10-2012, 08:44 AM   #9
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
There you have the culprit.
 
Old 12-10-2012, 08:45 AM   #10
Air-Global
Member
 
Registered: Dec 2012
Location: The Netherlands
Distribution: Fedora 27 & CentOS 7
Posts: 62

Rep: Reputation: 8
Quote:
Originally Posted by linuxakias View Post
Hello again !

Thank you for your time !

The dump

OPTIONS sip:XX.40.41.144 SIP/2.0

Via: SIP/2.0/UDP 217.23.94.3:5060;branch=z9hG4bK78b779b6;rport

Max-Forwards: 70

From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a

To: <sip:xxx.40.41.144>

Contact: <sip:asterisk@217.23.94.3:5060>

Call-ID: 74fac70101d4339d2bdf519d65a575a0@217.23.94.3:5060

CSeq: 102 OPTIONS

User-Agent: zte

Date: Mon, 10 Dec 2012 13:16:39 GMT

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0
From this i can only read the IP's:
217.23.94.3
188.40.41.144

One of these should be yours then,
so you are either from Germany or Russia.

But all headers here have a content length mentioning of 0. So no real data seems to be send.

The communication at least seems to go:
Quote:
From: "asterisk" <sip:asterisk@217.23.94.3>;tag=as0d456b3a
To: <sip:188.40.41.144>
so from Russia (user asterisk? do you have anything like this?) to Germany (Hetzner Online AG/188.40.41.144)
 
Old 12-10-2012, 09:00 AM   #11
linuxakias
LQ Newbie
 
Registered: Dec 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
my server is in Germany, i dont have any user from Russia. Maybe is someone trying to hack an asterisk server? How can i get rid of those requests?
 
Old 12-10-2012, 09:04 AM   #12
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Hacking attempts are always a possibility. In general it's good policy to drop all traffic from a host connected to internet and only allow traffic coming in as necessary.

Code:
iptables -P INPUT DROP
iptables -A INPUT -p udp --dport 5060 -s hostineedtoallowin -j ACCEPT
 
1 members found this post helpful.
Old 12-10-2012, 09:06 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Bit late but another way would have been to execute commands inside each OpenVZ container. For example netstat:
Code:
vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "netstat -antupe|grep :5060"; done
though note it only makes sense if these networked processes are (still) running, or search for processes named "asterisk":
Code:
vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "pgrep -lf asterisk"; done
plus you can use 'vzlist' to enumerate running hosts by any specs you want:
Code:
vzlist -oname,hostname,ip,ostemplate,description
*While you may have no problem with (or contractual stipulations against) any of your clients running them, finding unauthorized SIP / VoIP applications / connections is cause for concern. VoIP billing fraud is not uncommon, basically the "modern" version of the old dial-up trick. While firewall rules may mitigate the situation I'd inspect the container making the calls closely.
 
Old 12-10-2012, 09:21 AM   #14
linuxakias
LQ Newbie
 
Registered: Dec 2012
Posts: 21

Original Poster
Rep: Reputation: Disabled
wow!

Quote:
Originally Posted by unSpawn View Post
Bit late but another way would have been to execute commands inside each OpenVZ container. For example netstat:
Code:
vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "netstat -antupe|grep :5060"; done
though note it only makes sense if these networked processes are (still) running, or search for processes named "asterisk":
Code:
vzlist -H -octid | while read CTID; do echo $CTID
 vzctl exec $CTID "pgrep -lf asterisk"; done
plus you can use 'vzlist' to enumerate running hosts by any specs you want:
Code:
vzlist -oname,hostname,ip,ostemplate,description
*While you may have no problem with (or contractual stipulations against) any of your clients running them, finding unauthorized SIP / VoIP applications / connections is cause for concern. VoIP billing fraud is not uncommon, basically the "modern" version of the old dial-up trick. While firewall rules may mitigate the situation I'd inspect the container making the calls closely.

With those command i found the hacked container right away! Many thanks!!!
 
Old 12-10-2012, 09:43 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by linuxakias View Post
With those command i found the hacked container right away! Many thanks!!!
Easy, easy... I would very much like to know what's going on inside that host. Could you post some information?
Like what's the Linux distribution it's running and minimal tool output:
Code:
echo -en '#!/bin/bash --\nps axfwwwe -opid,ppid,gid,uid,cmd 2>&1\nlsof -Pwln 2>&1\nnetstat -anTpe 2>&1\nwho -a 2>&1\n' > /tmp/script.sh
chmod 0755 /tmp/script.sh
# replace "[CTID]" with the actual container Id:
vzctl runscript [CTID] /tmp/script.sh 2>&1 | tee /tmp/output.txt
[EDIT]Oh, and please don't kill or delete anything in the container until it's been looked at.[/EDIT]

Last edited by unSpawn; 12-10-2012 at 09:59 AM. Reason: //More *is* more
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
mysqld running and reading for connections on port 3306, no port 3306 found from scan darkenigmaa Linux - Networking 10 07-13-2016 12:53 PM
unable to telnet to port 5060 hamzar.pm Linux - Networking 5 07-24-2012 04:42 AM
strange stunnel connections lucmove Linux - Security 4 07-13-2010 05:41 PM
Strange HTTPS connections to localhost6.localdomain in netstat roarrr Linux - Networking 6 11-09-2009 06:03 AM
Help with unwanted connections from port 80 LuggerHouse Linux - Security 2 03-06-2008 11:40 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:45 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration