LinuxQuestions.org
Old 03-05-2008, 08:00 AM   #1
LuggerHouse
Member
 
Registered: May 2004
Location: Montreal,QC,Canada
Distribution: Fedora Core 7
Posts: 210

Rep: Reputation: 30
Help with unwanted connections from port 80


Hello Guys,

I have a server which gives me problems. Since I started using FireStarter to run the firewall I started noticing connections FROM my server on port 80 to other machines on random ports...

So I started googling about that and I learned about Linux viruses that get into your machine and start spreading to others by using port 80.

Even though I could not confirm an infection because there were no traces, I added a firewall rule that should deny connections from my IP to port 80.

This didn't help and there are still a lot of connections from port 80. They stay "connected" but when I sniff there is no activity from those connections.

This is a screenshot of FireStarter and beside it is a result from iptstat, which tells you what the connections on your network adapter are:

http://img254.imageshack.us/img254/9...tdiablofo9.jpg


When I do a netstat, I cannot find them.

When I restart the network they don't disconnect.

When I restart apache, they don't disconnect.

Any idea where to look to get rid of that or at least identify this phenomenon?

The only way I was able to disconnect those was to reboot the box. Any idea on what I could try to disconnect those connections?

Any help is welcome.
 
Old 03-05-2008, 08:14 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
well you can use a tool like tcpslice to reset both ends of a connection from the middle, but i'd wonder about the proof of the source and destination status. only if you are privy to the opening tcp handshake will you actually know who is the originator and therefore deemed to be the source of a stateful connection. if you can do a tcpdump and actually capture the incoming connection as it is created would you confirm what you're stating, and i doubt that you would
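
The point about needing the opening handshake, as an added example that is not part of the original thread: a SYN without ACK is sent only by the side that opens a TCP connection, so `tcpdump -n` output can be classified by which endpoint sent it. The capture lines and the server address 192.0.2.10 are constructed for illustration.

```python
import re

# Address and flags fields of `tcpdump -n` TCP output (IPv4 only).
LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample capture; 192.0.2.10 stands in for the web server.
SAMPLE = """\
1204722000.000100 IP 203.0.113.7.51515 > 192.0.2.10.80: Flags [S], seq 1000, win 5840, length 0
1204722000.000300 IP 192.0.2.10.80 > 203.0.113.7.51515: Flags [S.], seq 2000, ack 1001, win 5792, length 0
1204722000.040200 IP 203.0.113.7.51515 > 192.0.2.10.80: Flags [.], ack 1, win 5840, length 0
1204722005.100000 IP 192.0.2.10.80 > 198.51.100.23.40022: Flags [.], ack 1, win 5792, length 0
1204722009.500000 IP 192.0.2.10.43210 > 198.51.100.99.80: Flags [S], seq 3000, win 5840, length 0
""".splitlines()


def classify(lines, local_ip):
    """Return {(local_port, remote_ip, remote_port): verdict} for each connection.

    verdict is "inbound" or "outbound" when the opening SYN was captured,
    and "unknown" when only later packets of the connection were seen.
    """
    verdicts = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if local_ip not in (src, dst) or src == dst:
            continue
        sent_by_local = src == local_ip
        key = (int(sport), dst, int(dport)) if sent_by_local else (int(dport), src, int(sport))
        verdicts.setdefault(key, "unknown")
        # A SYN without ACK ("S" but no ".") is only ever sent by the originator.
        if "S" in flags and "." not in flags:
            verdicts[key] = "outbound" if sent_by_local else "inbound"
    return verdicts


if __name__ == "__main__":
    for (lport, rip, rport), verdict in classify(SAMPLE, "192.0.2.10").items():
        print(f"local :{lport} <-> {rip}:{rport}  {verdict}")
```

The second connection in the sample has local port 80 and a high remote port, like the ones in the question, but stays "unknown" because its handshake is not in the capture. On a live host the pcap filter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` limits a capture to these opening packets.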
 
Old 03-06-2008, 11:40 AM   #3
LuggerHouse
Member
 
Registered: May 2004
Location: Montreal,QC,Canada
Distribution: Fedora Core 7
Posts: 210

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by acid_kewpie
well you can use a tool like tcpslice to reset both ends of a connection from the middle, but i'd wonder about the proof of the source and destination status. only if you are privy to the opening tcp handshake will you actually know who is the originator and therefore deemed to be the source of a stateful connection. if you can do a tcpdump and actually capture the incoming connection as it is created would you confirm what you're stating, and i doubt that you would

Hello Chris,

First, thanks for the reply. I will learn about tcpslice and try to break the connection. Afterward I will let a tcpdump run until the first connection occurs again and then I will post the result.

I also have to say that I thought about a "bad report" from FireStarter and I was really wondering where it got this info..

More news later!
 
  

