LinuxQuestions.org - Tracing traffic origins

- Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)

- - Tracing traffic origins (https://www.linuxquestions.org/questions/linux-networking-3/tracing-traffic-origins-320076/)

Tracing traffic origins

I have some outbound traffic that I can't account for (port 81). Firestarter (my firewall interface) reports blocking the packets but doesn't say which program/process is responsible. I'd like to know if there is a way of identifying the source.

I'm starting to get worried I have a trojan....help!
z.

You should be able to identify what program is using port 81 with either lsof -i or netstat -pantu. You also might want to run nmap on your system (both internally and from outside if you can) and make sure that you can indentifiy all of the listening processes. I would also download and run chkrootkit and rkhunter to check for installed rootkits. You could also use a live CD distro like Knoppix to scan your hard drive for rkhunter and chkrootkit.

Thanks Hangdog42, this is just what I was looking for. Tried nmap, rkhunter and chkrootkit, fortunately no surprises. Haven't tried booting from CD yet though - can this really make much difference? The suspicious traffic isn't frequent so I hashed together a script to periodically check if the port has been accessed and if so record the open network files. Of course, this assumes that the connections will be open long enough to record them...

Code:

oldaccesses=0

while (true) do

  accesses=`dmesg |grep Outbound |grep 'SPT=81'|wc -l` 

  if  ( test $oldaccesses != $accesses ) then

      lsof -i >> port81_watcher

  fi

  sleep 60 

done

Booting from a CD can make a difference when using tools like chkrootkit or rkhunter to scan for changes because any intruder hasn't had a chance to tamper with them. Of course it is best if you either have a CD that was burned prior to the intrusion or burn a new one on a separate computer. However, since the CD boots from its own, untainted, kernel, any running exploits that might be picked up by nmap, lsof or netstat, are going to be gone.

If you reach the point where you're pretty sure you haven't been cracked, I'd strongly suggest setting up a file monitoring system. Aide, Tripwire and Samhain are three pretty popular monitors. As long as you keep a copy of their database off the system, you can always go back and scan from a trusted point and see exactly what files have been altered. You also might consider running Snort if you keep this attached to the internet all the time. Snort won't prevent any attacks, but it can help alert you when one happens.