Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 - 12-22-2006, 02:42 PM (Member; Registered: Mar 2005; Posts: 124)
How can this trace be resolved?
Below is a section of a tcpdump trace that occurs regularly. The port changes; another port used is 40049.
t41... is my computer. It is initiating these requests. What service is trying to do this? How can the source be identified?
This is a clean install of FC6, firestarter and selinux are active. chkrootkit and rkhunter both check.
Thanks - Dan
11:14:41.390765 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: S 93685175:93685175(0) win 5840 <mss 1460>
11:14:41.453591 arp who-has t41.sawyer.home tell 10.0.0.1
11:14:41.453629 arp reply t41.sawyer.home is-at 00:04:23:5a:97:6b (oui Unknown)
11:14:41.457483 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: S 702079023:702079023(0) ack 93685176 win 5840 <mss 1460>
11:14:41.457614 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: . ack 1 win 5840
11:15:03.573657 IP computer.sawyer.home.ipp > 10.0.0.255.ipp: UDP, length 180
11:15:08.897023 IP 10.0.0.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
11:15:10.125886 IP 10.0.0.1 > ALL-ROUTERS.MCAST.NET: igmp v2 report ALL-ROUTERS.MCAST.NET
11:15:11.505497 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: P 1:72(71) ack 1 win 5840
11:15:11.505635 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: . ack 72 win 5840
11:15:11.506293 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: P 1:7(6) ack 72 win 5840
11:15:11.510178 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: . ack 7 win 5840
11:15:11.510992 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: P 72:157(85) ack 7 win 5840
11:15:11.511386 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: P 7:19(12) ack 157 win 5840
11:15:11.516361 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: P 157:177(20) ack 19 win 5840
#2 - 12-22-2006, 02:59 PM (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
Well, the fact that it's all resolved to hostnames is pretty confusing (add -n to not do that next time), but on the face of it it looks like a standard email client doing its thing. If you want to match a TCP connection to a process, just run "netstat -tnp" and you'll see which program is going where.
#3 - 12-22-2006, 03:05 PM (Member; Registered: Oct 2004; Distribution: Slackware; Posts: 376)
This is no root kit.
You're checking your e-mail.
The destination port is pop3 at your ISP, the source port doesn't matter, and will usually change.
#4 - 12-22-2006, 03:29 PM (Member; Registered: Oct 2005; Distribution: FC3, Debian; Posts: 127)
Use netstat -np or lsof -i, both will give you what port is used by which program. This will tell which program is using 40049.
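The port-to-process lookup that posts #2 and #4 describe, as an added example (not code from this thread): it first picks out of a tcpdump trace the TCP connections the local host itself opened (a bare SYN with no "ack"), then resolves that local port to a PID the same way netstat -tnp and lsof -i do, by reading /proc/net/tcp and /proc/<pid>/fd. Linux only; the sockets of other users' processes are visible only to root. The sample lines are copied from the trace in post #1.

```python
#!/usr/bin/env python3
"""Added example: which local program owns a connection seen in tcpdump?
Step 1 parses the trace for connections local_host initiated; step 2 maps
the local port to a PID via /proc (what netstat -tnp / lsof -i do)."""
import os
import re
import socket

# Three lines from the trace in post #1 (no -n, so hostnames and service names).
SAMPLE = """\
11:14:41.390765 IP t41.sawyer.home.40049 > c-67-171-168-219.hsd1.or.comcast.net.pop3: S 93685175:93685175(0) win 5840 <mss 1460>
11:14:41.457483 IP c-67-171-168-219.hsd1.or.comcast.net.pop3 > t41.sawyer.home.40049: S 702079023:702079023(0) ack 93685176 win 5840 <mss 1460>
11:15:03.573657 IP computer.sawyer.home.ipp > 10.0.0.255.ipp: UDP, length 180
"""

# "<time> IP <src>.<port> > <dst>.<port>: <flags> ..." as tcpdump prints it
_HDR = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): (\S+) ")

def outbound_syns(lines, local_host):
    """(local_port, remote_host, remote_port) for each TCP connection that
    local_host initiated: a SYN with no 'ack' (the SYN-ACK comes back with one)."""
    found = []
    for line in lines:
        m = _HDR.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if src == local_host and flags == "S" and " ack " not in line:
                found.append((sport, dst, dport))
    return found

def pid_for_local_port(port):
    """PID holding the local TCP socket bound to `port` (None if not found).
    Accepts a number or a service name such as 'pop3' from an un-numeric trace."""
    port = int(port) if str(port).isdigit() else socket.getservbyname(str(port))
    inode = None
    with open("/proc/net/tcp") as f:
        next(f)  # header row
        for row in f:
            fields = row.split()  # fields[1] is "HEXADDR:HEXPORT", fields[9] the inode
            if int(fields[1].split(":")[1], 16) == port:
                inode = fields[9]
                break
    if inode is None:
        return None
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == f"socket:[{inode}]":
                    return int(pid)
        except OSError:  # another user's process, or it exited meanwhile
            pass
    return None
```

Run outbound_syns(SAMPLE.splitlines(), "t41.sawyer.home") to get the local port 40049, then pid_for_local_port(40049) on the machine while the connection is open; a port that appears in /proc/net/tcp but in no process's fd table is a socket owned by a process you cannot see, which is where you would rerun as root.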
#5 - 12-23-2006, 07:59 AM (Member; Registered: Aug 2004; Location: India; Distribution: Redhat 9.0, FC3, FC5, FC10; Posts: 257)
Yeah, see the POP3 in your output... that's the port your email client talks on. You must be running Thunderbird or Evolution or something. Do you recall this server when you set up your account?
hsd1.or.comcast.net
If yes, then it's definitely nothing to worry about. I believe Comcast is a famous ISP in the US and you must be using it for your Internet connection. So you're checking mail from your ISP.
Relax
Cheers
Arvind