LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-22-2006, 02:42 PM   #1
dansawyer
Member
Registered: Mar 2005
Posts: 124
how can this trace be resolved?


Below is a section of a tcpdump trace that occurs regularly. The port changes; another port used is 40049.

t41... is my computer. It is initiating these requests. What service is trying to do this? How can the source be identified?

This is a clean install of FC6, firestarter and selinux are active. chkrootkit and rkhunter both check.

Thanks - Dan

11:14:41.390765 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: S 93685175:93685175(0) win 5840 <mss 1460>
11:14:41.453591 arp who-has t41.sawyer.home tell 10.0.0.1
11:14:41.453629 arp reply t41.sawyer.home is-at 00:04:23:5a:97:6b (oui Unknown)
11:14:41.457483 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: S 702079023:702079023(0) ack 93685176 win 5840 <mss 1460>
11:14:41.457614 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: . ack 1 win 5840
11:15:03.573657 IP computer.sawyer.home.ipp > 10.0.0.255.ipp: UDP, length 180
11:15:08.897023 IP 10.0.0.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
11:15:10.125886 IP 10.0.0.1 > ALL-ROUTERS.MCAST.NET: igmp v2 report ALL-ROUTERS.MCAST.NET
11:15:11.505497 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: P 1:72(71) ack 1 win 5840
11:15:11.505635 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: . ack 72 win 5840
11:15:11.506293 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: P 1:7(6) ack 72 win 5840
11:15:11.510178 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: . ack 7 win 5840
11:15:11.510992 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: P 72:157(85) ack 7 win 5840
11:15:11.511386 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: P 7:19(12) ack 157 win 5840
11:15:11.516361 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: P 157:177(20) ack 19 win 5840
 
12-22-2006, 02:59 PM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Well, the fact that it's all resolved to hostnames is pretty confusing (add -n to not do that next time), but on the face of it it looks like a standard email client doing its thing. If you want to match a TCP connection to a process, just run "netstat -tnp" and you'll see which program is going where.
 
12-22-2006, 03:05 PM   #3
zhangmaike
Member
Registered: Oct 2004
Distribution: Slackware
Posts: 376
This is no root kit.

You're checking your e-mail.

The destination port is pop3 at your ISP, the source port doesn't matter, and will usually change.
 
12-22-2006, 03:29 PM   #4
hiren_bhatt
Member
Registered: Oct 2005
Distribution: FC3,Debian
Posts: 127
Use netstat -np or lsof -i, both will give you what port is used by which program. This will tell which program is using 40049.
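The two-step triage suggested in replies #2 and #4, written out as an added shell example that is not part of the thread: first read the capture and keep only the packets that open a TCP connection (a bare SYN, which identifies the initiator), then map the local port to its owning process from "netstat -tnp" output. The capture sample is the first lines of Dan's trace as posted plus one constructed line in the newer tcpdump "Flags [S]" format; the netstat output, its PID and the program name "evolution" are constructed for the example and are assumptions, not anything the thread reports.

```shell
#!/bin/sh
# Added example, not code from the thread: answer "who started this
# connection and which program owns it?" from tcpdump and netstat output.
#
# Step 1 reads tcpdump output and keeps only the packets that open a TCP
# connection: a bare SYN (classic "S" flag with no "ack" on the line, or
# "[S]," in the newer "Flags [...]" format).  The side that sends the bare
# SYN is the initiator, which is how Dan's trace shows his own host t41
# starting the session.  Works on hostnames or on "tcpdump -n" numeric
# output alike, because tcpdump appends the port as the last dotted
# component in both cases.
initiated_connections() {
    awk '
    ($2 == "IP" || $2 == "IP6") {
        flags = ($6 == "Flags") ? $7 : $6
        if (!(flags == "[S]," || (flags == "S" && $0 !~ / ack /))) next
        src = $3; dst = $5; sub(/:$/, "", dst)
        n = split(src, a, "."); sport = a[n]
        shost = substr(src, 1, length(src) - length(sport) - 1)
        m = split(dst, b, "."); dport = b[m]
        dhost = substr(dst, 1, length(dst) - length(dport) - 1)
        print shost, sport, "->", dhost, dport
    }'
}

# Step 2 maps a local port to its owning process from "netstat -tnp" output
# (Linux net-tools layout: Local Address in column 4, PID/Program name in
# column 7).  Run netstat as root; otherwise other users' sockets show "-".
owner_of_local_port() {
    awk -v port="$1" '
    $1 ~ /^tcp/ && NF >= 7 {
        n = split($4, a, ":")
        if (a[n] == port) print $7
    }'
}

# Sample capture: the first lines of Dan's trace as posted, plus one
# constructed line (the last one) in the newer tcpdump "Flags [S]" format.
SAMPLE_CAPTURE='11:14:41.390765 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: S 93685175:93685175(0) win 5840 <mss 1460>
11:14:41.453591 arp who-has t41.sawyer.home tell 10.0.0.1
11:14:41.457483 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: S 702079023:702079023(0) ack 93685176 win 5840 <mss 1460>
11:14:41.457614 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: . ack 1 win 5840
11:15:03.573657 IP computer.sawyer.home.ipp > 10.0.0.255.ipp: UDP, length 180
11:15:08.897023 IP 10.0.0.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
11:16:02.000000 IP 10.0.0.5.40050 > 67.171.168.219.110: Flags [S], seq 1, win 5840, options [mss 1460], length 0'

# Constructed "netstat -tnp" output; the PID and program name are made up.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:40049          67.171.168.219:110      ESTABLISHED 4211/evolution
tcp        0      0 10.0.0.5:51234          10.0.0.1:22             ESTABLISHED 3980/ssh'

echo "Connections this host initiated:"
printf '%s\n' "$SAMPLE_CAPTURE" | initiated_connections
echo "Owner of local port 40049:"
printf '%s\n' "$SAMPLE_NETSTAT" | owner_of_local_port 40049
```

On a live box, feed the functions real data: `tcpdump -n -i eth0 tcp | initiated_connections` and `netstat -tnp | owner_of_local_port 40049`. Because a POP3 poll is short-lived and the source port (40049) is ephemeral and changes every time, the practical approach is to filter on the remote port instead and poll while the client is checking mail, for example `while sleep 1; do netstat -tnp | grep ':110 ' && break; done`, or `lsof -i :110`.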
 
12-23-2006, 07:59 AM   #5
live_dont_exist
Member
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257
Yeah, see the POP3 in your output... that's the port your email client talks on. You must be running Thunderbird or Evolution or something. Do you recall this server when you set up your account?
hsd1.or.comcast.net
If yes then its definitely nothing to worry about. I believe Comcast is a famous ISP in the US and you must be using it for your Internet connection. So you're checking mail from your ISP.

Relax
Cheers
Arvind
 
  

