LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-12-2007, 03:07 PM   #1
Nontagonist
LQ Newbie
 
Registered: Jul 2007
Posts: 6

Rep: Reputation: 0
Mysterious downloading from time to time


Hi folks,

I've recently had a recurrence of a problem I've noticed a few times - for no apparent reason the modem on my firewall box will be receiving packets (and acknowledging them) when I can find no reason for the behavior.

Most recently I went to see the latest Harry Potter movie after initiating a download of gcc 4.2.0, which should have taken about 2 hours. When I returned 2.5 hours later the modem was downloading data and I thought "That's not right!", so I checked my notebook and found that the download had indeed completed, yet the modem was still working hard. I turned the modem off, fearing a crack attack.

As I mentioned, I've noticed this sort of thing before.

What's happening?

I'm using firehol on my Dapper Drake Kubuntu (2.6.15-28-386 kernel) tower box with the modem, with firehol fully stealthed to provide some protection, with an ethernet cable to my notebook running Edgy Eft Kubuntu (2.6.22-custom kernel).

Any assistance would be appreciated.


Regards, Non.
 
Old 07-12-2007, 03:31 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Hello and welcome to LQ, hope you like it here.

the modem on my firewall box will be receiving packets (and acknowledging them)
Please don't talk *about* things, show the logs instead.

BTW, did you audit the box in any way? System and application logs? Login entries? Tiger? Chkrootkit? Aide? Rootkit Hunter?
 
Old 07-12-2007, 03:35 PM   #3
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 47
do the fw logs show anything out of the ordinary? are you sure nothing else is running, old torrents, etc.? any other apps on the fw box like ftp, telnet, or anything like that?

iptraf might also give some information. run it on all interfaces when you notice the activity and check the source of the packets. then you can start tracking down anything that looks suspicious.
 
Old 07-12-2007, 05:35 PM   #4
Nontagonist
LQ Newbie
 
Registered: Jul 2007
Posts: 6

Original Poster
Rep: Reputation: 0
Mysterious downloading from time to time - follow-up

Quote:
Originally Posted by unSpawn
Hello and welcome to LQ, hope you like it here.

the modem on my firewall box will be receiving packets (and acknowledging them)
Please don't talk *about* things, show the logs instead.

BTW, did you audit the box in any way? System and application logs? Login entries? Tiger? Chkrootkit? Aide? Rootkit Hunter?
Thanks for the non-automated welcome, unSpawn.

I've just started going through the logs, spurred by pangs of guilt you've inspired. I did run both chkrootkit and rkhunter on both machines that were running at the time, and they found little to complain about. (ssh root logins enabled on both, plus hidden directories, harmless, I think, in /dev) I also checked my firewall at https://www.grc.com/x/ne.dll?bh0bkyd2 (link found over at Linux Forums in the "A short guide to security" sticky post in the security forum). The firewall came up clean, but that was after a reboot, so I don't know if it was working right when I pulled the plug.

Now for the logfiles:
(Lines starting with #Non are my comments)

For the relevant time period I see in user.log:

Jul 12 12:44:18 localhost shutdown[6872]: shutting down for system halt
Jul 12 12:44:23 localhost cupsd: Unable to open log file "/var/log/cups/error_log" - Permission denied
Jul 12 13:29:33 localhost hpiod: 0.9.7 accepting connections at 56232...
#Non This seems to mean that I pulled the plug (politely) at 12:44:18 and
#Non powered up again about 3/4 hour later.

Starting from 9:52:39 local time yesterday, syslog reads: (you asked for it)

Jul 12 09:52:39 localhost kernel: [37938.186736] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.103.153 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=36385 PROTO=UDP SPT=34735 DPT=1028 LEN=492
Jul 12 09:52:39 localhost dnsmasq[4821]: query[AAAA] gcc.gnu.org from 192.168.0.100
Jul 12 09:52:39 localhost dnsmasq[4821]: forwarded gcc.gnu.org to 203.194.27.57

#Non Here's me looking for the compiler

Jul 12 09:52:40 localhost dnsmasq[4821]: reply gcc.gnu.org is <NODATA>-IPv6
Jul 12 09:52:40 localhost dnsmasq[4821]: query[AAAA] gcc.gnu.org.localnet from 192.168.0.100
Jul 12 09:52:40 localhost dnsmasq[4821]: config gcc.gnu.org.localnet is <NXDOMAIN>-IPv6
Jul 12 09:52:40 localhost dnsmasq[4821]: query[A] gcc.gnu.org from 192.168.0.100
Jul 12 09:52:40 localhost dnsmasq[4821]: forwarded gcc.gnu.org to 203.194.27.57
Jul 12 09:52:40 localhost dnsmasq[4821]: reply gcc.gnu.org is 209.132.176.174
Jul 12 09:52:43 localhost dnsmasq[4821]: query[AAAA] www.w3.org from 192.168.0.100
Jul 12 09:52:43 localhost dnsmasq[4821]: forwarded www.w3.org to 203.194.27.57
Jul 12 09:52:43 localhost dnsmasq[4821]: reply www.w3.org is <NODATA>-IPv6
Jul 12 09:52:43 localhost dnsmasq[4821]: query[AAAA] www.w3.org.localnet from 192.168.0.100
Jul 12 09:52:43 localhost dnsmasq[4821]: config www.w3.org.localnet is <NXDOMAIN>-IPv6
Jul 12 09:52:43 localhost dnsmasq[4821]: query[A] www.w3.org from 192.168.0.100
Jul 12 09:52:43 localhost dnsmasq[4821]: forwarded www.w3.org to 203.194.27.57
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.47
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.52
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.53
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.54
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 193.51.208.69
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.31
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.45
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.46
Jul 12 09:53:32 localhost dnsmasq[4821]: query[AAAA] ftp.dti.ad.jp from 192.168.0.100
Jul 12 09:53:32 localhost dnsmasq[4821]: forwarded ftp.dti.ad.jp to 203.194.27.57

#Non Here's me selecting a mirror in Japan.

Jul 12 09:53:33 localhost dnsmasq[4821]: reply ftp.dti.ad.jp is 2001:2e8:22:12::2
Jul 12 09:53:33 localhost dnsmasq[4821]: query[A] ftp.dti.ad.jp from 192.168.0.100
Jul 12 09:53:33 localhost dnsmasq[4821]: forwarded ftp.dti.ad.jp to 203.194.27.57
Jul 12 09:53:33 localhost dnsmasq[4821]: reply ftp.dti.ad.jp is 202.216.228.228
Jul 12 09:53:36 localhost dnsmasq[4821]: query[AAAA] graeme-vaio.localnet from 192.168.0.100
Jul 12 09:53:36 localhost dnsmasq[4821]: config graeme-vaio.localnet is <NODATA>-IPv6
Jul 12 09:54:32 localhost kernel: [38051.441413] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=72.5.124.95 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51351 DF PROTO=TCP SPT=43701 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 12 09:54:53 localhost kernel: [38072.337619] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.98 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=41017 DPT=1026 LEN=466
Jul 12 09:55:06 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 09:55:06 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:11 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 09:55:11 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.56.150
Jul 12 09:55:11 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:12 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 09:55:12 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 09:55:12 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 09:55:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 09:55:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:14 localhost dnsmasq[4821]: query[AAAA] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:14 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:16 localhost kernel: [38094.819748] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45159 PROTO=UDP SPT=5302 DPT=1026 LEN=492
Jul 12 09:55:16 localhost kernel: [38094.911694] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45160 PROTO=UDP SPT=5302 DPT=1027 LEN=492
Jul 12 09:55:16 localhost kernel: [38095.003689] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45161 PROTO=UDP SPT=5302 DPT=1028 LEN=492
Jul 12 09:55:17 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 09:55:17 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 09:55:17 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.56.150
Jul 12 09:55:17 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91
Jul 12 09:55:19 localhost dnsmasq[4821]: query[AAAA] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:19 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.56.150
Jul 12 09:55:19 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:20 localhost dnsmasq[4821]: reply www.sohpodcast.com is <NODATA>-IPv6
Jul 12 09:55:20 localhost dnsmasq[4821]: query[AAAA] www.sohpodcast.com.localnet from 192.168.0.100
Jul 12 09:55:20 localhost dnsmasq[4821]: config www.sohpodcast.com.localnet is <NXDOMAIN>-IPv6
Jul 12 09:55:20 localhost dnsmasq[4821]: query[A] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:20 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:25 localhost dnsmasq[4821]: query[A] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:25 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.56.150
Jul 12 09:55:25 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:26 localhost dnsmasq[4821]: reply www.sohpodcast.com is 68.225.16.140
Jul 12 09:55:47 localhost kernel: [38125.945543] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=72.5.124.95 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51352 DF PROTO=TCP SPT=43701 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 12 09:57:38 localhost kernel: [38237.052657] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=68.225.16.140 LEN=355 TOS=0x00 PREC=0x00 TTL=63 ID=53458 DF PROTO=TCP SPT=34906 DPT=80 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
Jul 12 09:59:20 localhost kernel: [38339.495763] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=50614 DPT=1026 LEN=466

#Non What are these? Dropped packets, perhaps??
#Non Anyhow, I get a lot of them cluttering up syslog.

Jul 12 10:16:49 localhost kernel: [39387.586518] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.98 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=49857 DPT=1027 LEN=466
Jul 12 10:17:01 localhost /USR/SBIN/CRON[6790]: (root) CMD ( run-parts --report /etc/cron.hourly)
Jul 12 10:17:15 localhost kernel: [39414.520192] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=202.97.238.203 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=59025 DPT=1026 LEN=465

...

Jul 12 10:24:41 localhost kernel: [39859.762653] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=202.97.238.199 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=57419 DPT=1026 LEN=465
Jul 12 10:25:04 localhost kernel: [39883.028698] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.96 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=34142 DPT=1026 LEN=466
Jul 12 10:25:46 localhost kernel: [39924.717175] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.93 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=47906 DPT=1026 LEN=466
Jul 12 10:25:46 localhost kernel: [39924.801112] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.93 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=47906 DPT=1027 LEN=466

...

Jul 12 10:32:14 localhost kernel: [40313.276291] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.65.2.2 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=35343 PROTO=UDP SPT=4379 DPT=1028 LEN=492
Jul 12 10:34:05 localhost kernel: [40423.507052] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=218.27.148.78 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=56915 DPT=1026 LEN=465
Jul 12 10:34:05 localhost kernel: [40423.590983] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=218.27.148.78 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=56916 DPT=1027 LEN=465
Jul 12 10:34:11 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 10:34:11 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 10:34:11 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 10:34:12 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 10:34:12 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 10:34:12 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 10:34:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 10:34:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91

#Non I don't know what google is doing here - I was watching the movie.

Jul 12 10:34:52 localhost kernel: [40471.042989] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.222.158 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23805 PROTO=UDP SPT=15283 DPT=1028 LEN=492
Jul 12 10:34:52 localhost kernel: [40471.130972] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.222.158 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23803 PROTO=UDP SPT=15283 DPT=1026 LEN=492

...

Jul 12 10:51:13 localhost kernel: [41451.552110] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.33.230 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5227 DF PROTO=TCP SPT=3237 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 10:51:50 localhost dnsmasq[4821]: query[AAAA] newsrss.bbc.co.uk from 192.168.0.100
Jul 12 10:51:50 localhost dnsmasq[4821]: forwarded newsrss.bbc.co.uk to 203.194.27.57
Jul 12 10:51:51 localhost dnsmasq[4821]: reply newsrss.bbc.co.uk is <CNAME>
Jul 12 10:51:51 localhost dnsmasq[4821]: query[A] newsrss.bbc.co.uk from 192.168.0.100
Jul 12 10:51:51 localhost dnsmasq[4821]: forwarded newsrss.bbc.co.uk to 203.194.27.57
Jul 12 10:51:52 localhost dnsmasq[4821]: reply newsrss.bbc.co.uk is <CNAME>
Jul 12 10:51:52 localhost dnsmasq[4821]: reply newsrss.bbc.net.uk is 212.58.240.134

#Non This looks like it's the BBC headlines in the Firefox toolbar.

Jul 12 10:53:37 localhost dnsmasq[4821]: query[AAAA] graeme-vaio.localnet from 192.168.0.100
Jul 12 10:53:37 localhost dnsmasq[4821]: config graeme-vaio.localnet is <NODATA>-IPv6
Jul 12 10:55:34 localhost kernel: [41712.490139] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.97 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=59877 DPT=1026 LEN=466

...

Jul 12 11:34:06 localhost kernel: [44024.582848] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.142.27 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=487 PROTO=UDP SPT=29526 DPT=1026 LEN=492
Jul 12 11:34:06 localhost kernel: [44024.674783] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.142.27 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=488 PROTO=UDP SPT=29526 DPT=1027 LEN=492
Jul 12 11:34:06 localhost kernel: [44024.762770] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.142.27 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=489 PROTO=UDP SPT=29526 DPT=1028 LEN=492
Jul 12 11:34:12 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 11:34:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 11:34:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 11:34:12 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 11:34:12 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 11:34:12 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 11:34:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 11:34:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91
Jul 12 11:35:16 localhost kernel: [44094.300951] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.141.157 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=5797 PROTO=UDP SPT=16091 DPT=1026 LEN=492
Jul 12 11:35:16 localhost kernel: [44094.388894] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.141.157 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=5798 PROTO=UDP SPT=16091 DPT=1027 LEN=492
Jul 12 11:35:16 localhost kernel: [44094.480877] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.141.157 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=5799 PROTO=UDP SPT=16091 DPT=1028 LEN=492

...

Jul 12 12:01:04 localhost kernel: [45642.174156] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.94 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=39952 DPT=1026 LEN=465
Jul 12 12:01:04 localhost kernel: [45642.262147] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.94 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=39952 DPT=1027 LEN=465
Jul 12 12:04:12 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 12:04:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 12:04:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 12:04:13 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 12:04:13 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 12:04:13 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 12:04:13 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 12:04:13 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 12:05:02 localhost kernel: [45880.306100] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.212 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=60176 DPT=1027 LEN=466
Jul 12 12:05:04 localhost kernel: [45882.501842] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.92 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=35506 DPT=1026 LEN=466
Jul 12 12:06:15 localhost kernel: [45952.671986] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.58.112 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=6609 PROTO=UDP SPT=24769 DPT=1026 LEN=492

#Non The timestamp on the gcc source I was downloading is 12:07, so
#Non from here until about 12:44 I don't know what's going on.

Jul 12 12:19:02 localhost kernel: [46719.951099] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.98 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=42996 DPT=1027 LEN=466
Jul 12 12:19:07 localhost kernel: [46725.266699] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.238.210 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=59458 DF PROTO=TCP SPT=3197 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:19:10 localhost kernel: [46728.382434] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.238.210 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=59733 DF PROTO=TCP SPT=3197 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:22:14 localhost kernel: [46912.042923] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=202.97.238.203 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=44269 DPT=1026 LEN=465
Jul 12 12:22:58 localhost kernel: [46956.463178] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.97 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=34391 DPT=1027 LEN=466
Jul 12 12:23:33 localhost kernel: [46991.208234] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.209.110.13 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=45539 DPT=1027 LEN=465
Jul 12 12:23:39 localhost dnsmasq[4821]: query[AAAA] graeme-vaio.localnet from 192.168.0.100
Jul 12 12:23:39 localhost dnsmasq[4821]: config graeme-vaio.localnet is <NODATA>-IPv6
Jul 12 12:28:37 localhost kernel: [47294.734558] ''IN-dialup':'IN=ppp0 OUT= MAC= SRC=121.131.231.235 DST=203.221.65.97 LEN=395 TOS=0x00 PREC=0x00 TTL=56 ID=56110 PROTO=UDP SPT=30698 DPT=1026 LEN=375

...

Jul 12 12:37:08 localhost kernel: [47805.647383] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.178.156 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23823 PROTO=UDP SPT=30418 DPT=1027 LEN=492
Jul 12 12:37:08 localhost kernel: [47805.737192] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.178.156 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23824 PROTO=UDP SPT=30418 DPT=1028 LEN=492
Jul 12 12:38:15 localhost kernel: [47872.617750] ''IN-dialup':'IN=ppp0 OUT= MAC= SRC=125.7.214.164 DST=203.221.65.97 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=46984 DPT=5900 WINDOW=55808 RES=0x00 SYN URGP=0
Jul 12 12:38:25 localhost kernel: [47882.348960] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.160.115 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=64838 PROTO=UDP SPT=13539 DPT=1027 LEN=492
Jul 12 12:38:25 localhost kernel: [47882.436894] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.160.115 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=64837 PROTO=UDP SPT=13539 DPT=1026 LEN=492
Jul 12 12:38:25 localhost kernel: [47882.524891] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.160.115 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=64839 PROTO=UDP SPT=13539 DPT=1028 LEN=492
Jul 12 12:39:12 localhost kernel: [47929.508974] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.209.110.13 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=51555 DPT=1026 LEN=465

...

Jul 12 12:42:53 localhost kernel: [48150.974280] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.215.16 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=8228 PROTO=UDP SPT=29384 DPT=1028 LEN=492
Jul 12 12:42:53 localhost kernel: [48151.062208] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.215.16 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=8226 PROTO=UDP SPT=29384 DPT=1026 LEN=492
Jul 12 12:42:53 localhost kernel: [48151.154199] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.215.16 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=8227 PROTO=UDP SPT=29384 DPT=1027 LEN=492
Jul 12 12:43:02 localhost kernel: [48159.633539] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.86.10 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=47821 DF PROTO=TCP SPT=22909 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:43:04 localhost kernel: [48162.169282] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.86.10 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=48273 DF PROTO=TCP SPT=22909 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:43:42 localhost pppd[6341]: Hangup (SIGHUP)

#Non I flicked the power switch on the modem here

Jul 12 12:43:42 localhost pppd[6341]: Modem hangup
Jul 12 12:43:42 localhost pppd[6341]: Connect time 736.1 minutes.
Jul 12 12:43:42 localhost pppd[6341]: Sent 6820768 bytes, received 99357069 bytes.
Jul 12 12:43:42 localhost pppd[6341]: Script /etc/ppp/ip-down started (pid 6800)
Jul 12 12:43:42 localhost pppd[6341]: Connection terminated.
Jul 12 12:43:42 localhost pppd[6341]: Script /etc/ppp/ip-down finished (pid 6800), status = 0x0
Jul 12 12:44:16 localhost kdm_greet[5964]: Internal error: memory corruption detected
#Non I don't know what that was, or whether it's typical for my system.
Jul 12 12:44:18 localhost shutdown[6872]: shutting down for system halt
Jul 12 12:44:18 localhost init: Switching to runlevel: 0
Jul 12 12:44:23 localhost cupsd: Unable to open log file


I'm only guessing that the most numerous type of messages are from
dropped packets. Can someone confirm/refute that?

Any other assistance with deciphering the logs would be greatly appreciated.

I can post data from other logs too, if it will help - just ask.

Regards, Non.
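The kernel lines in the excerpt above are standard iptables LOG records; firehol prepends the quoted `'IN-<interface>':` prefix to packets that arrived on that interface and matched none of its rules, logged just before the interface policy (drop, on a stealthed box) takes them, so the guess that these are dropped packets is right. The `OUT=` field is the quickest way to tell the two kinds of line apart: empty `OUT=` means the packet was addressed to the firewall itself, while `IN=eth0 OUT=ppp0` is the notebook's own traffic being forwarded. The script below is an added example, not code from the thread: it parses that format, separates inbound from forwarded, counts lines by prefix, protocol and destination port, lists the busiest sources, and applies a few labels for the background noise that dominates this log (unsolicited UDP to ports 1026-1028 with ~500-byte payloads, which in 2007 was almost always Windows Messenger-service popup spam and does nothing to a Linux box, plus TCP SYNs to 445 and 5900 from scanners). The sample lines are copied from the post; the labels are my heuristics, not something firehol reports.

```python
import re
from collections import Counter

# Constructed sample: eight kernel LOG lines copied from the syslog excerpt above
# (firehol's iptables LOG format) plus one dnsmasq line that the parser must skip.
SAMPLE_LOG = """\
Jul 12 09:52:39 localhost kernel: [37938.186736] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.103.153 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=36385 PROTO=UDP SPT=34735 DPT=1028 LEN=492
Jul 12 09:52:39 localhost dnsmasq[4821]: query[AAAA] gcc.gnu.org from 192.168.0.100
Jul 12 09:54:32 localhost kernel: [38051.441413] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=72.5.124.95 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51351 DF PROTO=TCP SPT=43701 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 12 09:54:53 localhost kernel: [38072.337619] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.98 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=41017 DPT=1026 LEN=466
Jul 12 09:55:16 localhost kernel: [38094.819748] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45159 PROTO=UDP SPT=5302 DPT=1026 LEN=492
Jul 12 09:55:16 localhost kernel: [38094.911694] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45160 PROTO=UDP SPT=5302 DPT=1027 LEN=492
Jul 12 09:55:16 localhost kernel: [38095.003689] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45161 PROTO=UDP SPT=5302 DPT=1028 LEN=492
Jul 12 10:51:13 localhost kernel: [41451.552110] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.33.230 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5227 DF PROTO=TCP SPT=3237 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:38:15 localhost kernel: [47872.617750] ''IN-dialup':'IN=ppp0 OUT= MAC= SRC=125.7.214.164 DST=203.221.65.97 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=46984 DPT=5900 WINDOW=55808 RES=0x00 SYN URGP=0
"""

# One netfilter LOG line: syslog timestamp, host, "kernel: [uptime]", the log
# prefix (firehol wraps it in quotes) and then the IN=... key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*[\d.]+\] "
    r"(?P<prefix>[^=]*?)(?P<fields>IN=.*)$"
)


def parse_netfilter_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "prefix": m.group("prefix").strip("' :"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length); keep the first.
            rec.setdefault(key, val)
        else:
            rec["flags"].add(tok)  # DF, SYN, ACK, FIN ... carry no value
    return rec


def classify(rec):
    """Heuristic label (mine, not firehol's) for an unsolicited packet."""
    proto, dpt = rec.get("PROTO"), rec.get("DPT")
    if proto == "UDP" and dpt in {"1026", "1027", "1028", "1029"} and int(rec.get("LEN", "0")) > 300:
        return "messenger-popup-spam"  # Windows Messenger-service spam; inert on Linux
    if proto == "TCP" and "SYN" in rec["flags"] and dpt == "445":
        return "smb-probe"             # scanner/worm looking for Windows file sharing
    if proto == "TCP" and "SYN" in rec["flags"] and dpt == "5900":
        return "vnc-probe"
    return "other"


def summarize(text):
    """Count LOG lines by (prefix, direction, proto, dport), inbound sources and class."""
    by_service, by_src, by_class = Counter(), Counter(), Counter()
    parsed = 0
    for line in text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is None:
            continue
        parsed += 1
        # Empty OUT= means the packet was addressed to this box (INPUT path);
        # a non-empty OUT= means it was being forwarded between interfaces.
        direction = "inbound" if rec.get("OUT", "") == "" else "forwarded"
        by_service[(rec["prefix"], direction, rec.get("PROTO"), rec.get("DPT"))] += 1
        if direction == "inbound":
            by_src[rec.get("SRC")] += 1
            by_class[classify(rec)] += 1
    return parsed, by_service, by_src, by_class


if __name__ == "__main__":
    import sys
    # Pipe a real log in (grep kernel /var/log/syslog | python3 fwlog_summary.py)
    # or run with no input to see the constructed sample summarised.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    parsed, by_service, by_src, by_class = summarize(text)
    print(f"{parsed} netfilter LOG lines")
    for key, n in by_service.most_common():
        print(f"{n:6d}  {key}")
    print("top inbound sources:", by_src.most_common(5))
    print("inbound by class:", dict(by_class))
```

Run over the full syslog the counts make the picture plain: the `IN-internet` lines are almost all inbound UDP to 1026-1028 and a few TCP SYNs to 445, none of which can account for a modem that is busy receiving, whereas the `PASS-unknown` lines with `OUT=ppp0` are the notebook's own sessions. Whatever was still transferring at 12:43 was an accepted flow, which firehol does not log at all, which is why the post-hoc syslog cannot answer the question and a live view (iptraf, as suggested above, or the per-process view in the next posts) is needed.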
 
Old 07-12-2007, 05:48 PM   #5
Nontagonist
LQ Newbie
 
Registered: Jul 2007
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by slackhack
do the fw logs show anything out of the ordinary? are you sure nothing else is running, old torrents, etc.? any other apps on the fw box like ftp, telnet, or anything like that?

iptraf might also give some information. run it on all interfaces when you notice the activity and check the source of the packets. then you can start tracking down anything that looks suspicious.

Thanks for the reply, slackhack.
Nice handle, BTW. I guess you're a slackware admin, no?

See above for the abbreviated syslog. I'm not an expert at decoding the logfiles and I confess that I rarely look at them. (That should change.)

As for other apps, I might have had an idle ssh session between the two machines, but it was doing nothing. The Firefox browser seems to periodically download stuff from bbc.co.uk for the "Latest BBC Headlines" that I seldom read.

If you could cast an expert eye over my previous message and give me your thoughts, I'd appreciate it.


Regards, Non.
 
Old 07-12-2007, 06:10 PM   #6
Nontagonist
LQ Newbie
 
Registered: Jul 2007
Posts: 6

Original Poster
Rep: Reputation: 0
Could the data have been traced to a process or file?

Slackhack mentioned using iptraf to detect the unwanted traffic, but at the time I was more concerned about cutting it off rather than finding its source.

If I had been running something like wireshark, though, and could detect the traffic as it came in and through my network, would there be any way that I could check my machines to find where the data was going?

I mean, is there a way of localising network traffic to a particular process, or a way to find out if it is going straight into an open file on the system?


Regards, Non.
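Yes, on Linux a live TCP/UDP socket can be tied to the process holding it: the kernel lists every socket with its inode number in /proc/net/tcp (and udp, tcp6, udp6), and every process's open descriptors are symlinks under /proc/<pid>/fd, where a socket shows up as `socket:[<inode>]`. Joining the two is exactly what `netstat -p` and `lsof -i` do, and the same /proc/<pid>/fd listing also shows which regular files that process has open, which answers the "going straight into a file" half of the question. The example below is added here and is not from the thread or from any of the tools named in it; it parses a constructed /proc/net/tcp snippet (made-up inodes, but the notebook-to-web-server pair uses the addresses seen in the syslog above) and, when run on a real Linux host, reads the live tables. The `<I` unpacking assumes an x86 (little-endian) host, which is how the kernel writes the hex address on such machines. Two caveats: run it as root, or you only see your own processes' descriptors; and run it on the machine that owns the sockets (here the notebook, 192.168.0.100), because a firewall box that merely forwards a flow has no local socket for it.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/tcp with two sockets: something listening on
# 127.0.0.1:22 and a client connection from 192.168.0.100 to 72.5.124.95:80
# (the notebook -> web server pair in the syslog above). Inodes are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 f0f0f0f0 300 0 0 2 -1
   1: 6400A8C0:AABB 5F7C0548:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 f0f0f0f0 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def decode_addr(hexaddr):
    """'6400A8C0:AABB' -> ('192.168.0.100', 43707). The IPv4 word is printed in host
    byte order, so on x86 it is byte-reversed relative to dotted-quad notation."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the /proc/net/tcp table into dicts with local, remote, state, uid, inode."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return entries


def socket_inode_owners():
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd symlink.
    This is the join that netstat -p and lsof -i perform; unreadable pids are skipped."""
    owners = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/stat") as fh:  # comm is the parenthesised field
                comm = fh.read().split("(", 1)[1].rsplit(")", 1)[0]
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue  # process exited, or not root and not our process
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = (int(pid), comm)
    return owners


def attach_owners(entries, owners):
    """Annotate each socket with its owning pid/comm, or None when no process holds it
    (typical for TIME_WAIT sockets, or anything hidden from an unprivileged user)."""
    out = []
    for e in entries:
        pid, comm = owners.get(e["inode"], (None, None))
        out.append({**e, "pid": pid, "comm": comm})
    return out


def open_files(pid):
    """Regular-file descriptors of a process: where received data may be landing on disk."""
    paths = []
    for fd in os.listdir(f"/proc/{pid}/fd"):
        try:
            target = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            continue
        if not target.startswith(("socket:[", "pipe:[", "anon_inode:")):
            paths.append(target)
    return paths


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            entries = parse_proc_net_tcp(fh.read())
        owners = socket_inode_owners()
    except OSError:  # not a Linux /proc: fall back to the constructed sample
        entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
        owners = {67890: (4242, "firefox-bin")}  # made-up owner for the sample
    for e in attach_owners(entries, owners):
        print(f"{e['local'][0]}:{e['local'][1]:<5} -> {e['remote'][0]}:{e['remote'][1]:<5} "
              f"{e['state']:<12} pid={e['pid']} comm={e['comm']}")
```

Once a pid is known, `open_files(pid)` (or simply `ls -l /proc/<pid>/fd`) shows the files it is writing, and `netstat -nap` or `lsof -i` gives the same socket-to-process view without the script. UDP sockets live in /proc/net/udp with the same column layout, so the parser applies unchanged there.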
 
Old 07-12-2007, 06:22 PM   #7
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
Quote:
Originally Posted by Nontagonist
Slackhack mentioned using iptraf to detect the unwanted traffic, but at the time I was more concerned about cutting it off rather than finding its source.

If I had been running something like wireshark, though, and could detect the traffic as it came in and through my network, would there be any way that I could check my machines to find where the data was going?

I mean, is there a way of localising network traffic to a particular process, or a way to find out if it is going straight into an open file on the system?


Regards, Non.
You could log on as root and run netstat -nap. That shows quite a bit of information about the current network traffic and who is connected to the network. It includes the PID and the name of the program, such as firefox. Here is a sample from my machine. I copied the entire output to show you how extensive the output is.
Code:
netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      1766/hpiod
tcp        0      0 127.0.0.1:38979             0.0.0.0:*                   LISTEN      2315/python
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3275/portmap
tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN      7053/X
tcp        0      0 0.0.0.0:631                 0.0.0.0:*                   LISTEN      3472/cupsd
tcp        0      0 192.168.27.219:52762        64.233.161.166:80           ESTABLISHED 19534/mozilla-firef
tcp        0      0 192.168.27.219:52764        64.233.161.166:80           ESTABLISHED 19534/mozilla-firef
tcp        0      0 192.168.27.219:60705        64.233.179.99:80            ESTABLISHED 19534/mozilla-firef
tcp        0      0 :::6000                     :::*                        LISTEN      7053/X
tcp        0      0 :::631                      :::*                        LISTEN      3472/cupsd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               25836/dhclient
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               3275/portmap
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               3472/cupsd
udp        0      0 192.168.27.219:123          0.0.0.0:*                               3798/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                               3798/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               3798/ntpd
udp        0      0 :::123                      :::*                                    3798/ntpd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     133919 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  2      [ ACC ]     STREAM     LISTENING     134025 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  2      [ ACC ]     STREAM     LISTENING     133908 12263/kdeinit Runni /home/turtle/tmp/ksocket-turtle/kdeinit__0
unix  2      [ ACC ]     STREAM     LISTENING     133910 12263/kdeinit Runni /home/turtle/tmp/ksocket-turtle/kdeinit-:0
unix  2      [ ACC ]     STREAM     LISTENING     133832 12198/dbus-daemon   @/tmp/dbus-BQpkcJGJsB
unix  2      [ ACC ]     STREAM     LISTENING     134183 12292/artsd         /tmp/ksocket-turtle/sr71-3004-4694bd78
unix  2      [ ACC ]     STREAM     LISTENING     136640 12900/gconfd-2      /home/t3cs/tmp/orbit-t3cs/linc-3264-0-1f9a63184a6aa
unix  2      [ ACC ]     STREAM     LISTENING     143670 13816/mozilla-firef /home/t3cs/tmp/orbit-t3cs/linc-35f8-0-13f0013d6a1fe
unix  2      [ ACC ]     STREAM     LISTENING     6263   2272/acpid          /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     7954   3401/xfs            /tmp/.font-unix/fs-1
unix  2      [ ACC ]     STREAM     LISTENING     136773 12927/gnome-vfs-dae /home/t3cs/tmp/orbit-t3cs/linc-327f-0-7e2a80d76ec18
unix  2      [ ACC ]     STREAM     LISTENING     133969 12272/gam_server    @/tmp/fam-turtle-
unix  2      [ ]         DGRAM                    852    411/udevd           @/org/kernel/udev/udevd
unix  16     [ ]         DGRAM                    5235   1753/syslogd        /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     136533 12872/dbus-daemon   @/tmp/dbus-rZCWo449R6
unix  2      [ ACC ]     STREAM     LISTENING     13693  6007/artsd          /home/melvin/tmp/ksocket-melvin/sr71-1777-468efec9
unix  2      [ ACC ]     STREAM     LISTENING     134313 12320/gconfd-2      /home/turtle/tmp/orbit-turtle/linc-3020-0-6ffc27da6640c
unix  2      [ ACC ]     STREAM     LISTENING     133943 12268/klauncher [kd /home/turtle/tmp/ksocket-turtle/klauncherDpQSgb.slave-socket
unix  2      [ ACC ]     STREAM     LISTENING     135290 12479/gnome-vfs-dae /home/turtle/tmp/orbit-turtle/linc-30bf-0-4e3936f0c654
unix  2      [ ACC ]     STREAM     LISTENING     163565 19534/mozilla-firef /home/turtle/tmp/orbit-turtle/linc-4c4e-0-7ba691ee66b40
unix  2      [ ACC ]     STREAM     LISTENING     8264   3512/kdm            /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]     STREAM     LISTENING     5380   1861/dbus-daemon    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     123553 3512/kdm            /var/run/xdmctl/dmctl-:0/socket
unix  2      [ ACC ]     STREAM     LISTENING     123547 7053/X              /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     8136   3472/cupsd          /var/run/cups/cups.sock
unix  2      [ ]         DGRAM                    163883 19584/su
unix  3      [ ]         STREAM     CONNECTED     163770 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     163769 19534/mozilla-firef
unix  3      [ ]         STREAM     CONNECTED     163568 19534/mozilla-firef /home/turtle/tmp/orbit-turtle/linc-4c4e-0-7ba691ee66b40
unix  3      [ ]         STREAM     CONNECTED     163567 12320/gconfd-2
unix  3      [ ]         STREAM     CONNECTED     163564 12320/gconfd-2      /home/turtle/tmp/orbit-turtle/linc-3020-0-6ffc27da6640c
unix  3      [ ]         STREAM     CONNECTED     163563 19534/mozilla-firef
unix  3      [ ]         STREAM     CONNECTED     163550 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     163549 19534/mozilla-firef
unix  3      [ ]         STREAM     CONNECTED     143899 12872/dbus-daemon   @/tmp/dbus-rZCWo449R6
unix  3      [ ]         STREAM     CONNECTED     143898 13881/gimp
unix  3      [ ]         STREAM     CONNECTED     143891 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     143890 13881/gimp
unix  3      [ ]         STREAM     CONNECTED     143673 13816/mozilla-firef /home/t3cs/tmp/orbit-t3cs/linc-35f8-0-13f0013d6a1fe
unix  3      [ ]         STREAM     CONNECTED     143672 12900/gconfd-2
unix  3      [ ]         STREAM     CONNECTED     143669 12900/gconfd-2      /home/t3cs/tmp/orbit-t3cs/linc-3264-0-1f9a63184a6aa
unix  3      [ ]         STREAM     CONNECTED     143668 13816/mozilla-firef
unix  3      [ ]         STREAM     CONNECTED     143657 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     143656 13816/mozilla-firef
unix  3      [ ]         STREAM     CONNECTED     137461 12292/artsd         /tmp/ksocket-turtle/sr71-3004-4694bd78
unix  3      [ ]         STREAM     CONNECTED     137460 13115/knotify [kdei
unix  3      [ ]         STREAM     CONNECTED     137435 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     137434 13115/knotify [kdei
unix  3      [ ]         STREAM     CONNECTED     137433 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     137432 13115/knotify [kdei
unix  3      [ ]         STREAM     CONNECTED     137426 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     137425 13115/knotify [kdei
unix  8      [ ]         STREAM     CONNECTED     136930 12872/dbus-daemon   @/tmp/dbus-rZCWo449R6
unix  3      [ ]         STREAM     CONNECTED     136929 13048/gimp
unix  2      [ ]         STREAM     CONNECTED     136921 13048/gimp
unix  3      [ ]         STREAM     CONNECTED     136778 1861/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     136777 12927/gnome-vfs-dae
unix  3      [ ]         STREAM     CONNECTED     136776 12927/gnome-vfs-dae /home/t3cs/tmp/orbit-t3cs/linc-327f-0-7e2a80d76ec18
unix  3      [ ]         STREAM     CONNECTED     136775 12900/gconfd-2
unix  3      [ ]         STREAM     CONNECTED     136772 12900/gconfd-2      /home/t3cs/tmp/orbit-t3cs/linc-3264-0-1f9a63184a6aa
unix  3      [ ]         STREAM     CONNECTED     136771 12927/gnome-vfs-dae
unix  3      [ ]         STREAM     CONNECTED     136768 12872/dbus-daemon   @/tmp/dbus-rZCWo449R6
unix  3      [ ]         STREAM     CONNECTED     136766 12927/gnome-vfs-dae
unix  2      [ ]         DGRAM                    136636 12900/gconfd-2
unix  3      [ ]         STREAM     CONNECTED     136535 12872/dbus-daemon
unix  3      [ ]         STREAM     CONNECTED     136534 12872/dbus-daemon
unix  3      [ ]         STREAM     CONNECTED     136523 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     136522 12873/dbus-launch
unix  2      [ ]         DGRAM                    135829 12665/su
unix  2      [ ]         DGRAM                    135329 12485/su
unix  3      [ ]         STREAM     CONNECTED     135295 1861/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     135294 12479/gnome-vfs-dae
unix  3      [ ]         STREAM     CONNECTED     135293 12479/gnome-vfs-dae /home/turtle/tmp/orbit-turtle/linc-30bf-0-4e3936f0c654
unix  3      [ ]         STREAM     CONNECTED     135292 12320/gconfd-2
unix  3      [ ]         STREAM     CONNECTED     135289 12320/gconfd-2      /home/turtle/tmp/orbit-turtle/linc-3020-0-6ffc27da6640c
unix  3      [ ]         STREAM     CONNECTED     135288 12479/gnome-vfs-dae
unix  3      [ ]         STREAM     CONNECTED     135285 12198/dbus-daemon   @/tmp/dbus-BQpkcJGJsB
unix  3      [ ]         STREAM     CONNECTED     135284 12479/gnome-vfs-dae
unix  3      [ ]         STREAM     CONNECTED     134707 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134706 12361/konsole [kdei
unix  3      [ ]         STREAM     CONNECTED     134702 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134701 12361/konsole [kdei
unix  3      [ ]         STREAM     CONNECTED     134700 7053/X              /tmp/.X11-unix/X0
unix  4      [ ]         STREAM     CONNECTED     134699 12361/konsole [kdei
unix  3      [ ]         STREAM     CONNECTED     134409 12268/klauncher [kd /home/turtle/tmp/ksocket-turtle/klauncherDpQSgb.slave-socket
unix  3      [ ]         STREAM     CONNECTED     134408 12286/kdesktopvFhLm
unix  2      [ ]         DGRAM                    134309 12320/gconfd-2
unix  3      [ ]         STREAM     CONNECTED     134265 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134264 12303/klipper [kdei
unix  3      [ ]         STREAM     CONNECTED     134263 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134262 12303/klipper [kdei
unix  3      [ ]         STREAM     CONNECTED     134260 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134259 12303/klipper [kdei
unix  3      [ ]         STREAM     CONNECTED     134243 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134242 12299/xsettings-kde
unix  3      [ ]         STREAM     CONNECTED     134226 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134225 12297/kmix [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134224 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134223 12297/kmix [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134221 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134220 12297/kmix [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134195 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134194 12294/kaccess [kdei
unix  3      [ ]         STREAM     CONNECTED     134191 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134190 12294/kaccess [kdei
unix  3      [ ]         STREAM     CONNECTED     134188 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134187 12294/kaccess [kdei
unix  3      [ ]         STREAM     CONNECTED     134173 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134172 12268/klauncher [kd
unix  3      [ ]         STREAM     CONNECTED     134153 12272/gam_server    @/tmp/fam-turtle-
unix  3      [ ]         STREAM     CONNECTED     134152 12284/kicker [kdein
unix  3      [ ]         STREAM     CONNECTED     134149 1861/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     134148 12270/kded [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134082 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134081 12284/kicker [kdein
unix  3      [ ]         STREAM     CONNECTED     134080 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134079 12284/kicker [kdein
unix  3      [ ]         STREAM     CONNECTED     134075 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134074 12284/kicker [kdein
unix  3      [ ]         STREAM     CONNECTED     134069 12272/gam_server    @/tmp/fam-turtle-
unix  3      [ ]         STREAM     CONNECTED     134068 12282/kdesktop [kde
unix  3      [ ]         STREAM     CONNECTED     134056 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134055 12282/kdesktop [kde
unix  3      [ ]         STREAM     CONNECTED     134054 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134053 12282/kdesktop [kde
unix  3      [ ]         STREAM     CONNECTED     134049 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134048 12282/kdesktop [kde
unix  3      [ ]         STREAM     CONNECTED     134041 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134040 12280/kwin [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134039 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134038 12280/kwin [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134034 12279/ksmserver [kd /tmp/.ICE-unix/12279
unix  3      [ ]         STREAM     CONNECTED     134033 12280/kwin [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134032 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134031 12280/kwin [kdeinit
unix  3      [ ]         STREAM     CONNECTED     134024 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     134023 12279/ksmserver [kd
unix  3      [ ]         STREAM     CONNECTED     134018 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     134017 12279/ksmserver [kd
unix  3      [ ]         STREAM     CONNECTED     134007 12279/ksmserver [kd /home/turtle/tmp/ksocket-turtle/kdeinit__0
unix  3      [ ]         STREAM     CONNECTED     134006 12277/kwrapper
unix  3      [ ]         STREAM     CONNECTED     133977 12272/gam_server    @/tmp/fam-turtle-
unix  3      [ ]         STREAM     CONNECTED     133971 12270/kded [kdeinit
unix  3      [ ]         STREAM     CONNECTED     133960 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     133959 12270/kded [kdeinit
unix  3      [ ]         STREAM     CONNECTED     133955 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     133954 12270/kded [kdeinit
unix  3      [ ]         STREAM     CONNECTED     133946 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     133945 12263/kdeinit Runni
unix  3      [ ]         STREAM     CONNECTED     133937 12266/dcopserver [k /tmp/.ICE-unix/dcop12266-1184152946
unix  3      [ ]         STREAM     CONNECTED     133936 12268/klauncher [kd
unix  3      [ ]         STREAM     CONNECTED     133932 12268/klauncher [kd
unix  3      [ ]         STREAM     CONNECTED     133931 12263/kdeinit Runni
unix  3      [ ]         STREAM     CONNECTED     133861 1861/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     133860 12230/s2u
unix  3      [ ]         STREAM     CONNECTED     133859 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     133858 12230/s2u
unix  3      [ ]         STREAM     CONNECTED     133836 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     133835 12197/dbus-launch
unix  3      [ ]         STREAM     CONNECTED     133834 12198/dbus-daemon
unix  3      [ ]         STREAM     CONNECTED     133833 12198/dbus-daemon
unix  2      [ ]         DGRAM                    133768 7054/-:0
unix  3      [ ]         STREAM     CONNECTED     123579 3401/xfs            /tmp/.font-unix/fs-1
unix  3      [ ]         STREAM     CONNECTED     123578 7053/X
unix  3      [ ]         STREAM     CONNECTED     123561 2272/acpid          /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     123560 7053/X
unix  7      [ ]         STREAM     CONNECTED     123583 7053/X              /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     123559 7054/-:0
unix  2      [ ]         STREAM     CONNECTED     121847 2272/acpid          /var/run/acpid.socket
unix  2      [ ]         DGRAM                    72866  25836/dhclient
unix  2      [ ]         DGRAM                    72801  25700/ifplugd
unix  2      [ ]         STREAM     CONNECTED     17894  2315/python
unix  2      [ ]         STREAM     CONNECTED     17618  2315/python
unix  2      [ ]         DGRAM                    13700  6007/artsd
unix  2      [ ]         STREAM     CONNECTED     13683  6007/artsd          /home/melvin/tmp/ksocket-melvin/kdeinit__0
unix  2      [ ]         STREAM     CONNECTED     12104  2272/acpid          /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     10168  1861/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     10167  5065/mandi
unix  2      [ ]         DGRAM                    8695   3798/ntpd
unix  2      [ ]         STREAM     CONNECTED     8301   2272/acpid          /var/run/acpid.socket
unix  2      [ ]         DGRAM                    7662   3300/xinetd
unix  2      [ ]         DGRAM                    7579   3275/portmap
unix  2      [ ]         DGRAM                    5494   1915/crond
unix  3      [ ]         STREAM     CONNECTED     5461   1861/dbus-daemon
unix  3      [ ]         STREAM     CONNECTED     5460   1861/dbus-daemon
unix  2      [ ]         DGRAM                    5297   1808/klogd
 
Old 07-12-2007, 06:23 PM   #8
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 47
wireshark would be a good option during the fact. after the fact, i think you'll have to rely on logs, snort, tripwire, etc. to diagnose whether you've actually been compromised. unSpawn is the expert though, so follow his recommendations to a T. it's probably best to go step by step as he lays it out to save yourself the time and confusion of jumping around from thing to thing.

Last edited by slackhack; 07-12-2007 at 06:30 PM.
 
Old 07-12-2007, 07:20 PM   #9
Nontagonist
LQ Newbie
 
Registered: Jul 2007
Posts: 6

Original Poster
Rep: Reputation: 0
stress_junkie: I just had a look at the man page for netstat, and it looks really useful - thanks - next time I have a similar scenario I'll use it. Looks like it even tells you what files the data is being written to.

slackhack: yeah, I really jumped the gun by switching off the modem. I should've fired up wireshark and captured some of the suspicious traffic. Now that I know a bit about netstat I'll be better prepared for next time.

Looking forward to hearing back from unSpawn when (s)he's back around here.

Anyone: Most of those kernel messages are dropped packets, right?



Regards, Non.

Last edited by Nontagonist; 07-12-2007 at 07:26 PM.
 
Old 07-13-2007, 02:51 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
In short looking at the TCP and UDP entries doesn't reveal much that could pinpoint any malicious activity in terms of well known ports or IP ranges. As for the contents, yes, you would need tcpdump or Wireshark (or run an IDS like Snort or Prelude).

So. What tool did you use to D/L gcc with? What's its commandline / options? Does it maintain a logfile?
 
Old 07-13-2007, 08:26 AM   #11
Nontagonist
LQ Newbie
 
Registered: Jul 2007
Posts: 6

Original Poster
Rep: Reputation: 0
Maybe I'll look into installing Snort.

I used Firefox to download gcc, and I grepped for "irefox" in the logfiles but found nothing.
 
Old 07-13-2007, 01:48 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
I've recently had a recurrence of a problem I've noticed a few times - for no apparent reason the modem on my firewall box will be receiving packets (and acknowledging them) when I can find no reason for the behavior.
Code:
egrep UDP /var/log/messages | cut -d " " -f 10- | awk '{print $9, $10, $11}' | sort
You'll end up with variable SPTs (source ports) and a few (3) DPTs or destination ports (namely: 1026, 1027, 1028). Now you can do a local port lookup
Code:
getent services 1026
or a remote one, for instance at http://www.treachery.net/tools/ports/lookup.cgi. If you think the port is "weird" you can also check with say http://isc.sans.org/port.html?port=1026 if there's a "storm" going on on the 'net. Same for your TCP ports.
If a port is listed as in use by any M$ services, P2P, chat or similar you may be seeing "ghost" traffic. This can occur if you get a different IP address each time you fire up your modem. Looking at the port info alone I cannot find a relation to your download problem.
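Worked version of the log check above, added here as an example rather than unSpawn's pipeline or anything shipped with firehol: it parses netfilter LOG lines of the kind iptables/firehol write to /var/log/messages, groups the UDP hits by destination port, and for each DPT counts packets, distinct source addresses and distinct source ports, so the "variable SPTs, few DPTs" pattern is visible at a glance. The log lines, hostname, the "IN-internet:" prefix and the addresses (documentation ranges) are all constructed for illustration. The service lookup uses Python's socket.getservbyport, which reads the same /etc/services that getent does, so "unknown" is a normal answer on a machine without an entry.

```python
import re
import socket
from collections import defaultdict

# Constructed sample lines in the netfilter LOG format (the format firehol's
# iptables rules write to /var/log/messages). Hostname, log prefix and
# addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are made up.
SAMPLE_LOG = """\
Jul 12 14:03:11 tower kernel: [ 6021.412] IN-internet: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=113 ID=1234 PROTO=UDP SPT=1035 DPT=1026 LEN=100
Jul 12 14:03:12 tower kernel: [ 6022.001] IN-internet: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=113 ID=1235 PROTO=UDP SPT=1036 DPT=1027 LEN=100
Jul 12 14:03:40 tower kernel: [ 6050.330] IN-internet: IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=110 ID=4411 PROTO=UDP SPT=2048 DPT=1026 LEN=100
Jul 12 14:04:02 tower kernel: [ 6072.909] IN-internet: IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=110 ID=4412 PROTO=UDP SPT=2049 DPT=1028 LEN=100
Jul 12 14:05:17 tower kernel: [ 6147.100] IN-internet: IN=ppp0 OUT= MAC= SRC=198.51.100.200 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 14:06:05 tower kernel: [ 6195.555] IN-internet: IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=118 ID=771 PROTO=UDP SPT=1040 DPT=1026 LEN=100
"""

# netfilter LOG fields are upper-case KEY=VALUE tokens; some (OUT=, MAC=) are empty.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None for
    lines that are not packet logs (no PROTO= field)."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "PROTO" in fields else None


def summarise_udp_dports(log_text):
    """Group logged UDP packets by destination port.

    Returns {dpt: (packet_count, distinct_src_addresses, distinct_src_ports)}.
    Many sources and many SPTs against a handful of DPTs is the background
    noise pattern described in the thread; one source hammering one port is
    what deserves a packet capture.
    """
    stats = defaultdict(lambda: {"packets": 0, "srcs": set(), "spts": set()})
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if not fields or fields.get("PROTO") != "UDP":
            continue
        if "DPT" not in fields or "SPT" not in fields:
            continue  # truncated line; nothing to count
        entry = stats[int(fields["DPT"])]
        entry["packets"] += 1
        entry["srcs"].add(fields.get("SRC", "?"))
        entry["spts"].add(fields["SPT"])
    return {dpt: (v["packets"], len(v["srcs"]), len(v["spts"]))
            for dpt, v in stats.items()}


def service_name(port, proto="udp"):
    """Local port lookup, the same idea as `getent services`; the answer
    depends on this host's /etc/services, so 'unknown' is a normal result."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def report(log_text):
    """One line per UDP destination port, busiest first."""
    summary = summarise_udp_dports(log_text)
    lines = []
    for dpt, (packets, srcs, spts) in sorted(summary.items(),
                                             key=lambda kv: -kv[1][0]):
        lines.append("udp/%d (%s): %d packets from %d sources using %d source ports"
                     % (dpt, service_name(dpt), packets, srcs, spts))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against the real file with `report(open("/var/log/messages").read())`; the TCP line in the sample is there to show that only UDP is counted, and the duplicated LEN= field (IP length, then UDP length) is kept as the last value seen, which is how the LOG target orders them.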
 
Old 07-13-2007, 02:55 PM   #13
slackhack
Senior Member
 
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016

Rep: Reputation: 47
all that 1026-1028 stuff is usually just windoze messenger spam, basically harmless to a linux network i think, although annoying. my logs are always filled with it. here's a current shot:

messenger spam, ugh

aren't you glad you use linux?
 
  

